Microsoft has released an optional update that addresses a hacking technique called “MouseJack.” The update patches a number of Microsoft-based wireless mice including the Sculpt Ergonomic mouse, the Arc Touch mouse, the Wireless Mouse 1000/2000/5000, and several others. This update does not address other mice manufactured by third-party suppliers.
“A vulnerability has been discovered that allows keyboard HID packets to be injected into Microsoft wireless mouse devices through USB dongles,” the company reports. “USB dongles will accept keyboard HID packets transmitted to the RF addresses of wireless mouse devices.”
According to Microsoft, the provided update actually filters out QWERTY key packets in keystroke communications issued from the receiving USB dongle to the wireless mouse device. The security issue currently resides in both 32-bit and 64-bit versions of Windows 7 Service Pack 1, Windows 8.1, Windows 10, and Windows 10 Version 1511.
Ok, so what’s this MouseJack business all about? It’s a technique that focuses on non-Bluetooth wireless keyboards and mice. These peripherals are connected to a desktop or laptop thanks to a dongle inserted into the USB port, enabling wireless transmissions between the host computer and the peripheral. The problem is that because these signals are sent over the air, hackers can use a special device to send their own malicious signals to the host PC in the same manner.
Security firm Bastille Research actually has a website dedicated to MouseJack information, and reports that hackers can take over a PC from up to 328 feet away. They can perform “rapidly malicious activities” without being detected by the device owner simply by sending scripted commands. Hackers can even type in arbitrary text as if the victims actually entered the text themselves.
“The MouseJack exploit centers around injecting unencrypted keystrokes into a target computer,” the firm states. “Mouse movements are usually sent unencrypted, and keystrokes are often encrypted (to prevent eavesdropping what is being typed). However, the MouseJack vulnerability takes advantage of affected receiver dongles, and their associated software, allowing unencrypted keystrokes transmitted by an attacker to be passed on to the computer’s operating system as if the victim had legitimately typed them.”
There is a list of vulnerable devices located here, including products manufactured by AmazonBasics, Dell, Gigabyte, HP, Lenovo, Logitech, and Microsoft. Dell actually provided a statement on February 23, saying that it has been working with Bastille Research to address the problem related to the KM632 and the KM714 devices.
Although Microsoft has issued an update to fix the MouseJack problem with its mice, security researcher Marc Newlin says that Windows customers using Microsoft-based mice are still vulnerable to MouseJack despite the patch. Even more, he says that injection still works against the Sculpt Ergonomic mouse and all non-Microsoft mice. There’s also no Windows Server support in the patch.
MS security advisory 3152550 (#MouseJack patch) released today. Injection still works against MS Sculpt Ergonomic Mouse and non-MS mice.
— Marc Newlin (@marcnewlin) April 12, 2016
For more information about the new patch and how to perform a manual install, check out the Microsoft Security Advisory 3152550 here. Otherwise, Microsoft customers using one of its listed wireless products might want to consider grabbing the update when it arrives via Windows Update.