Two researchers have demonstrated that an attacker can hack unencrypted radio communication to seize control of many leading wireless keyboards and mice.
Those devices work by using radio frequency technology to communicate with a computer. Makes sense…except when you realize most of that communication is neither encrypted nor authenticated.
Without any protective measures in place, an attacker can easily eavesdrop on a wireless device’s communication with a computer. As long as they know the correct keyboard or mouse protocol, they can then spoof commands in an effort to achieve remote code execution and infect a machine with malware.
That’s exactly what Klostermeier and Deeg did using what they call a Raspberry Pi “Radio Hack Box.”
The attack makes use of a Crazyradio PA USB dongle, the same device Bastille Networks’ Marc Newlin employed to exploit the MouseJack vulnerabilities in early 2016.
By virtue of an internal Python tool, the Radio Hack Box picks up on the radio frequencies of the wireless device, injects itself into the communication stream, and spoofs commands using keystrokes typed on a virtual keyboard in Windows on the computer.
Those commands allow an attacker to download malware onto a victim’s machine, as the researchers show in the demonstration video provided below.
Klostermeier notes someone can pull off the attack from a large distance away as long as they have the right equipment. As quoted by The Register:
“You can exploit all of these vulnerabilities in real world attack scenarios. The normal distance is 10 to 15 metres but if you use software defined radio and apply some antenna you could extend it to several kilometres.”
Using the Radio Hack Box, the duo compromised devices produced by Microsoft, Logitech, Fujitsu, Perixx, and Cherry.
Perixx has not responded to the research, and Cherry said it will remove references that its current products are secure.
Meanwhile, Microsoft, Logitech, and Fujitsu have all promised to make their upcoming products more secure against those types of vulnerabilities.
But take that with a grain of salt.
Microsoft and Logitech both said their new products would be secure against MouseJack, but here we are once again with vulnerable wireless devices from these two companies. It might be worth looking into purchasing products from another vendor.
Alternatively, if you don’t trust the tech, you could play it safe and just stick with a wired mouse and keyboard.