Security researcher Marc Newlin has released a paper detailing a collection of vulnerabilities found in wireless keyboards and mice from large IT vendors.
The vulnerabilities can allow an attacker to type arbitrary commands into a victim's computer from up to 100 metres away using a £10 ($US15) dongle. The peripherals in question are made by the likes of Dell, HP, Lenovo, Logitech and Microsoft.
The paper explains, “Wireless mice and keyboards commonly communicate using proprietary protocols operating in the 2.4GHz ISM band. In contrast to Bluetooth, there is no industry standard to follow, leaving each vendor to implement their own security scheme.”
According to Newlin, the dongles listen for radio frequency packets sent by the mouse or keyboard, and notify the computer whenever the user moves the mouse or types. In order to prevent eavesdropping, most vendors encrypt the data transmitted by wireless keyboards, but oddly not mice.
As there is no authentication of where the RF packets are coming from, the dongle is unable to distinguish between packets transmitted by a mouse, and those transmitted by an attacker.
As a result, an attacker is able to pretend to be a mouse and transmit their own movement/click packets to a dongle.
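The missing origin check described above can be modelled in a few lines. This is an added example, not code from Newlin's paper or from any vendor's firmware: the frame layout, the class names, the address and the pairing key are all hypothetical, and HMAC stands in for whatever authentication scheme a vendor might choose.

```python
import hashlib
import hmac
import struct

MOUSE, KEYBOARD = 1, 2   # hypothetical frame types
TAG_LEN = 8              # truncated HMAC-SHA256 tag (illustrative choice)

def build_frame(addr, ftype, payload, key=None, counter=0):
    """Hypothetical layout: 5-byte address | type | 32-bit counter | payload | [tag]."""
    body = addr + struct.pack(">BI", ftype, counter) + payload
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN] if key else b""
    return body + tag

class NaiveDongle:
    """Accepts any frame carrying the paired address: no proof of origin."""
    def __init__(self, addr):
        self.addr = addr
    def accept(self, frame):
        return frame[:5] == self.addr

class AuthDongle:
    """Requires a valid tag, the paired device type and a fresh counter."""
    def __init__(self, addr, key, paired_type):
        self.addr, self.key, self.paired_type = addr, key, paired_type
        self.last_counter = -1
    def accept(self, frame):
        if len(frame) < 10 + TAG_LEN or frame[:5] != self.addr:
            return False
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        good = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, good):
            return False                      # sender does not hold the pairing key
        ftype, counter = struct.unpack(">BI", body[5:10])
        if ftype != self.paired_type or counter <= self.last_counter:
            return False                      # wrong device type, or a replay
        self.last_counter = counter
        return True

def demo():
    addr, key = bytes.fromhex("a1b2c3d4e5"), b"constructed-pairing-key"  # constructed
    naive, auth = NaiveDongle(addr), AuthDongle(addr, key, MOUSE)
    forged = build_frame(addr, KEYBOARD, b"\x04")           # sender lacks the key
    genuine = build_frame(addr, MOUSE, b"\x01\x02", key, counter=1)
    return {"naive_forged": naive.accept(forged), "auth_forged": auth.accept(forged),
            "auth_genuine": auth.accept(genuine), "auth_replay": auth.accept(genuine)}

if __name__ == "__main__":
    print(demo())
```

The address-only dongle accepts the forged frame, while the authenticated one rejects it, accepts the genuine frame once and rejects its replay.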
Specifics of the discovered vulnerabilities vary from vendor to vendor, but Newlin says they generally fall into one of three categories: keystroke injection spoofing a mouse, keystroke injection spoofing a keyboard and forced pairing.
Newlin says that the most common transceiver used by these devices is the popular 'nRF24L', which is made by Nordic Semiconductor. There are two basic types of nRF24L chips used by keyboards, mice and dongles: one-time programmable and flash memory.
One-time programmable devices cannot be updated once they leave the factory, but flash memory devices can. This unfortunately means that there is no way to protect one-time programmable devices from attack, as a firmware upgrade isn't possible.
For non-updatable devices, which represent the majority of those tested, there is no mechanism to secure a vulnerable device short of unplugging the USB dongle from the computer. For devices with updated firmware available from the manufacturer, it is recommended to install the update before continuing to use the affected mouse or keyboard.