The concept of manipulating and compromising wireless devices is nothing new. Most wireless attacks conducted today are geared toward specific devices, such as wireless access points and routers with wireless capabilities. However, other wireless devices, such as mice and keyboards, also present attack vectors.
While network devices are certainly a potential attack vector, it is important to be cognizant of all of your wireless risk, not just the devices that provide your network connectivity. One example of such risk is an aptly named exploit called Mousejack (CERT VU#981271). Released in early 2016, Mousejack is a collection of peripheral vulnerabilities that permit an attacker to manipulate communication between a wireless device and its receiver. An attacker can sit within approximately 100 meters of a vulnerable wireless device, such as a wireless keyboard, and inject keystrokes into the transmission. From the victim’s standpoint, it appears that their computer is typing on its own, and, before the user realizes what is happening, the payload has been executed. An attack that is both quick and able to be conducted from 100 meters away is unsettling for security administrators.
Although Mousejack is an older vulnerability, many users still have wireless mice or keyboards from years ago. These types of devices often get handed down among users and are rarely updated. One of the main problems with older wireless devices is the lack of encryption on the transmission between the device and its receiver, which essentially lets an attacker emulate typing on the victim’s keyboard by injecting packets into the unencrypted communication.
Mouse and Keyboard Attack Setup and Demonstration
The Mousejack attack requires:
- A long-range open USB radio (e.g., Crazyradio PA);
- Some scripting experience;
- A laptop; and
- The technical whitepaper from Bastille Networks, Inc.
Fortunately, as Mousejack is well documented, prebuilt application code and firmware already exist, so we can avoid having to write our own code based on the technical specifications.
We will be using a Crazyradio PA USB dongle as the long-range open USB radio.
This device is not only capable of interacting with radio frequency traffic on the 2.4 GHz ISM band, but is also known to work with the Mousejack firmware and the toolkit necessary to launch the injection attack.
The JackIt toolkit is a set of scripts used to orchestrate the attack; it leverages a simple payload language called Ducky Script. A Ducky Script payload is essentially a sequence of keystrokes that will be executed once a vulnerable target is identified by the scripts within the JackIt toolkit. Once the Ducky Script payload is injected into the wireless communication, the victim’s computer believes the keystrokes are coming from the victim’s keyboard and executes whatever commands are sent.
At a high level, the following steps are all that an attacker needs to take to execute a mouse and keyboard attack:
- Obtain a Crazyradio PA USB dongle
- Flash the Crazyradio PA USB dongle with Bastille Networks, Inc.’s Mousejack firmware
- Install the JackIt toolkit
- Create a Ducky Script payload
- Run the JackIt toolkit
The following video shows a demonstration of how the Mousejack exploit can allow an attacker to take control of a wireless mouse.
For reference, the devices affected by the Mousejack exploit include:
- AmazonBasics MG-0975 Wireless Mouse
- Dell KM636 Wireless Mouse and Keyboard
- Logitech K270 Wireless Keyboard
- Logitech K320 Wireless Keyboard
- Logitech K750 Wireless Keyboard
- Logitech K830 Illuminated Wireless Keyboard
- Logitech Marathon M705 Mouse
- Logitech Wave M510 Mouse
- Logitech Wireless Gaming Mouse G700s
- Logitech Wireless M325 Mouse
- Logitech Wireless Touch Keyboard K400r
- Microsoft All-In-One Media Keyboard
- Microsoft Sculpt Ergonomic Mouse
- Microsoft Wireless Keyboard 800 (including keystroke logging)
- Microsoft Wireless Mobile Mouse 3500
- Microsoft Wireless Mouse 1000
To address the vulnerabilities associated with the Mousejack exploit, your organization can replace wireless mice and keyboards with wired ones, or upgrade the device firmware to a known unaffected version (note that some versions are not fixable and can only be replaced).
Should your organization have any questions about how to better protect wireless devices, whether it be routers, mice, or anything in between, please feel free to reach out to our IT solutions and cybersecurity team.