Are Your Mice Vulnerable To MouseJack?

In late May it was brought to my attention by a colleague that a potentially serious security vulnerability was discovered by Internet of Things security firm Bastille. This issue was disclosed earlier this year in February. It’s named MouseJack.

Why Should This Issue Be Considered Important?
While I use the term “issue” MouseJack consists of several vulnerabilities rather than just one. These vulnerabilities could allow an attacker to type commands of their choice into a victim’s computer from up to 100 metres away. The only equipment the attacker would need is a USD $15 USB dongle.

It’s important to point out that the vulnerabilities are within the firmware of a wireless keyboard/mouse USB dongle and not the mouse itself. Firmware is semi-permanent embedded software code that allows a device to carry out its function by having the low-level hardware carry out useful sequences of events.

While the need to encrypt the data travelling between a wireless keyboard and the computer it is connected to was recognised and implemented by many well-known vendors (since keyboards are used to enter passwords and other sensitive data). The same encryption was not applied to the transmission of mouse clicks (and other buttons including scrolling wheels) from the mouse to the computer.

A proof of concept video demonstrating how these vulnerabilities can be used by an attacker was made available on YouTube and illustrates the vulnerabilities very well.


How Can I Protect Myself From These Issues?

I found this CERT security advisory very helpful in terms of next steps to follow.

Since I own a lot of Logitech mice and a keyboard it was fantastic to see that Logitech made available a security update that upgrades the firmware of the USB dongle to resolve these vulnerabilities.

While Lenovo did the same, they don’t allow end-users to install it and you need to contact them to arrange for an exchange of your devices (with Dell providing a similar response). Microsoft on the other hand issued an update for affected devices in a similar manner to Logitech that won’t require you to return your devices to them.

I have provided the links below to some of the vendor’s responses/updates below:

Lenovo
Dell (PDF)
Microsoft

A full list of the affected devices is available here. This page also provides further recommended actions.

All but one of my mice are Logitech Performance MX (which I purchased from 2009 onwards). Every dongle belonging to each of the mice had old vulnerable firmware installed (including a Performance MX purchased in March this year).

My mice had the following vulnerable versions installed:

  • 012.001.00019
  • 012.003.00025 (March 2016 mouse)

I followed the steps within this Logitech forum thread (please see the first post) to very quickly patch each of the USB dongles using one of my Windows systems. The mice continue to work as normal, but without the vulnerabilities.

The firmware versions of all previously affected USB dongles are now 012.005.00028

While my mice are not listed as affected, the Unifying USB dongle is present across almost all of Logitech’s product range making the Performance MX affected by association rather than directly.

For the spare Logitech keyboard and mouse (Logitech MK250) that I have, they are not affected by these issues since they use an older and much larger USB receiver. This receiver doesn’t have the Unifying technology that was vulnerable to these issues.

I verified that the firmware of the receiver was not affected by installing the Logitech Connect Utility v2.0.3.0. This is the equivalent of the newer Unifying software for this keyboard and mouse.

The firmware version was 015.000.00048 which is not in the affected range of the 012.xxx.000xx, 024.xxx.000xx that the Logitech update was designed to address.

I wanted to point this vulnerability out to those who use wireless keyboards and mice; they may also be vulnerable to this issue. For those fortunate enough to use Microsoft and Logitech peripherals you can install the necessary updates quickly and easily.

Many thanks to my colleague (you know who you are) for bringing these vulnerabilities to my attention.

I hope that the above information is helpful. Thank you.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s