26 February 2016

HOW TO HACK A COMPUTER FROM 100 METERS AWAY BY HIJACKING ITS WIRELESS MOUSE, OR KEYBOARD — ‘MOUSE-JACK ATTACK;’ THE DIGITAL WILDERNESS OF MIRRORS GETS MORE DEVIOUS & DANGEROUS….ALL THE TIME

by RC Porter 
February 24, 2016

Swati Khandelwal writes on the February 23, 2016 website, The Hacker News, about a technique hackers can use to breach your laptop and mobile device from as far as 100 meters away — with no Internet access, and no Bluetooth devices. “That innocent-looking tiny dongle plugged into your USB port to transmit between your wireless mouse, and the computer is not as innocent as it pretends to be,” she warns.

What’s The Vulnerability?

“Security researchers from the Internet of Things (IoT) [cyber] security firm Bastille, have warned that wireless keyboards and mice from seven popular manufacturers including Logitech, Dell, Microsoft, HP, and Lenovo are…..vulnerable to so-called Mousejack attacks, leaving BILLIONS of computers vulnerable to hackers,” Ms. Khandelwal writes.

“The flaw actually resides in the way these wireless mice and their corresponding radio receivers handle encryption.”

How To Hijack A Wireless Mouse & Hack A Mobile Device, Laptop, Computer

“Wireless mice and keyboards communicate via radio frequency, with a USB dongle inserted into the PC,” Ms. Khandelwal explains. “The dongle, then sends the packets to the PC, so it follows the mouse, or clicks on keyboard types. While most keyboard manufacturers encrypt traffic between the keyboard and the dongle in an effort to prevent spoofing, or hacking the device.”

“However, the mice tested by Bastille, did not encrypt their communications to the dongle, allowing an attacker to spoof a mouse — and, [secretly] INSTALL MALWARE on a victims PC.”

“With just the use of around $15-$30 long-range dongle, and few lines of code, the [clandestine] attack could allow a malicious hacker — within 100 meters range of your computer — to intercept the radio signal between the dongle plugged into your computer, and your mouse,” Ms. Khandelwal warns.

“The hacker can, therefore, send [infected] packets that generate keystrokes — instead of mouse clicks, allowing the hacker to direct your computer to a malicious server, or website — in mere seconds.” 

“During their tests,” Ms. Khandelwal writes, “the researchers were able to generate 1000 words/minute over the wireless connection; and, install a malicious Rookit in about 10 seconds. The researchers tested several mice from Lenovo, Logitech, and Dell, that operate over 2.4GHz wireless communications.”

Researchers Identified The Following Wireless Keyboard & Mouse Manufacturers Whose Non-Bluetooth Wireless Devices Were Affected By The Mousejack Flaws:

— Logitech

— Dell

— HP

— Lenovo

— Microsoft

— Gigabyte

— AmazonBasics

Ms. Khandelwal notes that the researchers reported their findings to all seven manufacturers; but, thus far, only Logitech has released a firmware update that blocks the Mousejack attacks.

SOME OBSEVATIONS

II was a hacker, don’t I want Logitech and the others to release their patches publicly? Seems to me, when companies do that, they are explaining to the hackers what not to do next time; and, much like the discussion of creating a back-door for the San Bernardino cell phone — how to improve their chances of success the next time. And, their is industrial-grade stealth malware out there now being sold on the Internet. And, there are many top-level cyber researchers who believe every USB device — even those brand-new, may already cone to us with some level of infection. Stealing keylogger data remotely from another room — done. Using the effluent heat-signature coming off a stand-alone computer not connected to the Internet or other computers — to insert malware or download passwords and other data — done. Clandestine, stealth malware that changes like a chameleon when under observation — done.

There is something to be said for the off-the-grid types. The digital wilderness of mirrors gets more devious, and dangerous……all the time. V/R, RCP

No comments: