A cyber security company says it has discovered a design flaw in scores of wireless keyboards and mice that hackers could exploit to access computers as if they were their own devices.
Bastille Networks announced the discovery in a news release last week, claiming a hacker armed with a $15 piece of hardware and a few lines of code could gain full control of a computer by exploiting a loophole in the way wireless keyboards and mice communicate with computers.
The company says the majority of mice and keyboards that use wireless dongles, as opposed to Bluetooth technology, are vulnerable. The dongles are plugged into USB ports on the computer, and clicks, mouse movements and keystrokes are transmitted to them through radio signals.
However, Bastille says hackers within 100 meters of the vulnerable dongles could “Mousejack” a computer by taking advantage of those connections, allowing the hackers to send their own clicks, mouse movements and keystrokes to the computer as if they were sitting in front of it.
That could allow them to view sensitive data or insert malicious code, the company said.
Bastille claims billions of devices are vulnerable, and computers running Windows, Macintosh and Linux software are all at risk. But one manufacturer downplayed the risk of a breach.
“Bastille Security identified the vulnerability in a controlled, experimental environment,” Logitech said on its message board. “The vulnerability would be complex to replicate and would require physical proximity to the target. It is therefore a difficult and unlikely path of attack.”
“What’s particularly troublesome about this finding is that just about anyone can be a potential victim here, whether you’re an individual or a global enterprise,” Marc Newlin, the Bastille engineer responsible for discovering the security flaw, said in a statement.
Bastille supplied a list of vulnerable mice and keyboards on its website, and manufacturers like Logitech and Lenovo have already issued firmware patches they say address the security flaw.
But Bastille noted that patches might not be available for every dongle, and device owners will need to check with manufacturers to see if there is a fix available. In the interim, it recommends using a wired mouse or possibly replacing a vulnerable device with one known to be secure.
