The MouseJack vulnerability stems from the lack of encryption of the wireless signal of most wireless USB hardware as it’s transferred from the peripheral to the wireless base station. It is quite simple to add additional information to alter how a movement is interpreted, or worse still, send commands while a user isn’t there to see it.
The flaw is said to be applicable to many peripherals from Amazon, Dell, Gigabyte, HP, Lenovo, Logitech and Microsoft (as per PCWorld). The reason for their susceptibility to the attack, is that they all utilize the same Nordic Semiconductor chips. Some of those chips support encryption and can therefore implement some sort of patch or fix for it – many are already working on it – but those without chips that can support obfuscation may be forced to leave users in a vulnerable state.
Logitech has already released a fix for its affected devices. Dell believes it is unlikely to be utilized as an attack vector, and does not plan to release a patch at this time.
Fortunately, the attack method isn’t foolproof. Hackers would need to be within that 100 yard radius and also need a direct line of sight to the wireless base station, which is far from ideal in most scenarios. If a wireless antenna is used, however, that range can be extended further, and even pass through walls and windows.
There’s also the matter of knowing what commands to send. Presumably, a potential attacker would need to know what the victim was doing to insert harmful commands. That’s not impossible, but it certainly makes the attack more difficult to execute. MouseJack seems more likely to be used as a means of pranking co-workers than a harmful attack.
But hackers are an ingenious bunch, and often use seemingly minor vulnerabilities to achieve impressive results. We hope most companies take Logitech’s approach, and patch the problem.
