Security Vulnerabilities in Wireless Keyboards

Many wireless keyboards have a security vulnerability that allows someone to hack the computer using the keyboard-computer link. (Technical details here.)

An attacker can launch the attack from up to 100 meters away. The attacker is able to take control of the target computer, without physically being in front of it, and type arbitrary text or send scripted commands. It is therefore possible to perform rapidly malicious activities without being detected.

The MouseJack exploit centers around injecting unencrypted keystrokes into a target computer. Mouse movements are usually sent unencrypted, and keystrokes are often encrypted (to prevent eavesdropping what is being typed). However the MouseJack vulnerability takes advantage of affected receiver dongles, and their associated software, allowing unencrypted keystrokes transmitted by an attacker to be passed on to the computer's operating system as if the victim had legitimately typed them.

Affected devices are starting to patch. Here's Logitech:

Logitech said that it has developed a firmware update, which is available for download. It is the only one among the affected vendors to respond so far with a patch.

"Logitech's Unifying technology was launched in 2007 and has been used by millions of our consumers since. To our knowledge, we have never been contacted by any consumer with such an issue," Asif Ahsan, Senior Director, Engineering, Logitech. "We have nonetheless taken Bastille Security's work seriously and developed a firmware fix. If any of our customers have concerns, and would like to ensure that this potential vulnerability is eliminated...They should also ensure their Logitech Options software is up to date."

Posted on March 3, 2016 at 6:29 AM • 24 Comments

Comments

Austin B. • March 3, 2016 6:43 AM

The unfortunate thing is that most of these devices will never be patched. I've gone through the process on some of our computers. You have to do all of the following:

  1. Install the Logitech Unifying Software.

  2. Run the executable, RQR_012_005_00028.exe from Logitech.

  3. Launch the Unifying Software.

  4. Click on the receiver and click upgrade firmware.


Logitech's Unifying Software for some reason cannot check for updates. You have to track down firmware updates and install them manually.

Stefan • March 3, 2016 7:06 AM

@Austin B, even better, if you don't run Windows you can't install the upgrade at all so yeah, I know of a few of these devices that will never be patched.

Thaumatechnician • March 3, 2016 7:19 AM

@Stefan, if you have a friend who runs Windows, you can update (and configure) the Unifying Receiver on their machine, then use it on your machine.

HAL_9000 • March 3, 2016 7:46 AM

I was hoping on your side on a better title than:
Security Vulnerabilities in Wireless Keyboards

more like
Security Vulnerabilities in Wireless Keyboard receivers

In addition, please correct me if I’m wrong: at least if I understood this correctly, I could attack the Logitech Unifying dongle even if the user has only a mouse installed and could simulate a keyboard there. If this is the case, the title should be more like Security Vulnerabilities in Wireless receivers (Mice & Keyboard).
BR
HAL

AB • March 3, 2016 8:38 AM

Back around 2001/2002 I remember when the company I was working at got shiny new "cable free" mouse/keyboard units.

Of course they were only available for the execs - mere mortals were not allowed them (apart from one spare set kept by IT support).

Again, naturally, the people who received them were so [self] important that they wouldn't be bothered with "trivia" such as safe operation and left them on the default channel.

The range of those early devices was quite large - certainly it was feasible to sit in one room and affect a PC in another.

I recall watching with amusement the fun that could be had when one particularly unpopular person's presentation was disrupted by occasional slide forward / slide back operations initiated by someone with the IT spare mouse and a sense of mischief.
I stress I was not directly involved - just one of those who was sitting in an otherwise boring meeting which was made just a little less dull.

blake • March 3, 2016 9:47 AM

@Austin B

If there isn't a step to validate the hash of the .exe you just downloaded, you might be installing more holes rather than patches.
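The check described in the comment above, applied to step 2 of the manual update procedure, as an added example that is not part of the original thread and not Logitech's own tooling. The function name `Test-FirmwareUpdater`, the expected publisher string and the SHA-256 placeholder are assumptions; the page gives no published hash, so the value must come from a source you trust.

```powershell
# Added example: gate the manually downloaded updater on signature and hash checks.
# Test-FirmwareUpdater is a hypothetical helper; the publisher string and the
# expected hash are operator-supplied assumptions, not values from the page.
function Test-FirmwareUpdater {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedPublisher,
        [string] $ExpectedSha256   # optional; obtained out of band
    )
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }
    $full = (Resolve-Path -LiteralPath $Path).Path
    $sig  = Get-AuthenticodeSignature -FilePath $full
    $hash = (Get-FileHash -LiteralPath $full -Algorithm SHA256).Hash

    $reasons = @()
    if ($sig.Status -ne 'Valid') {
        # Covers NotSigned, HashMismatch, NotTrusted, and so on.
        $reasons += "Authenticode status is '$($sig.Status)'"
    }
    elseif ($sig.SignerCertificate.Subject -notlike "*$ExpectedPublisher*") {
        # Substring match on the subject is a coarse check; pin the
        # certificate thumbprint instead if you know it.
        $reasons += "Unexpected signer: $($sig.SignerCertificate.Subject)"
    }
    if ($ExpectedSha256 -and ($hash -ne $ExpectedSha256.Trim())) {
        $reasons += "SHA-256 mismatch (got $hash)"
    }
    [pscustomobject]@{
        Path    = $full
        Sha256  = $hash
        Signer  = $sig.SignerCertificate.Subject
        Trusted = ($reasons.Count -eq 0)
        Reasons = $reasons
    }
}

# The placeholder hash below never matches, so nothing runs until it is replaced.
$result = Test-FirmwareUpdater -Path '.\RQR_012_005_00028.exe' `
    -ExpectedPublisher 'Logitech' `
    -ExpectedSha256 '<SHA256-FROM-TRUSTED-SOURCE>'
if ($result.Trusted) { Start-Process -FilePath $result.Path -Wait }
else { $result.Reasons | ForEach-Object { Write-Warning $_ } }
```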

Thoth • March 3, 2016 9:56 AM

@all
It is always ill advised to use wireless connectivity when a wired version is available. In general, wireless security is still very weak (although I won't say wired security is really good).

Cassandra • March 3, 2016 10:30 AM

And people wonder why I don't like wireless keyboards, wireless mice, and wireless headsets. At least with cables (TEMPEST aside) you are giving bad actors the additional difficulty of tapping into the cable.

Anonymous Cow • March 3, 2016 12:02 PM

...Logitech's Unifying Software for some reason cannot check for updates...

I actually like that for closed networks. You don't have devices calling out and doing what amounts to a partial download since the devices default to a user level; an admin level is required to even copy an executable, let alone install it. That makes it easy to train everybody that any update notice will come from one specific email address; anything else is bogus and needs to be ignored. It also allows testing to make sure any upgrade won't break something else. In 2003 we had a short term project that required one hardware accessory to be firmware downgraded for it to work; first (and thus far only) time I ran into that scenario.

u774g • March 3, 2016 12:33 PM

So this doesn't affect bluetooth keyboards, but I wonder how much harder a bluetooth keyboard link would be to hack.

Uhu • March 3, 2016 12:40 PM

@Thoth: I use wired keyboards, as they do not move that often and are more critical than mice, but use wireless mice as they move a lot and normally the mouse data is not that critical (I do not enter passwords with a mouse). This means that a setup I considered reasonably secure is not.

Well, as my main computer is a laptop, I use a Bluetooth mouse, so I think I am not directly concerned, but still...

Who? • March 3, 2016 1:30 PM

The Lenovo 500 wireless mouse and dongle are affected by this vulnerability. Lenovo has recalled the affected units. How can we know if, let us say, the Lenovo Ultraslim keyboard and mouse are affected? Has this wireless keyboard/mouse set been tested?

It would be nice to have a statement from the manufacturer, or the team that found the vulnerabilities, saying these devices have been tested and considered "secure" (for anything "secure" means in the wireless world.)

Don't know how the Lenovo 500 works, but the Ultraslim keyboard/mouse set uses AES-128 to encrypt communication between the devices and the dongle. I understand it makes a difference, but it seems the paper does not detail what encryption is vulnerable. Are AES-based sets vulnerable?

Dirk Praet • March 3, 2016 3:05 PM

@ Thoth

It is always ill advised to use wireless connectivity when a wired version is available. In general, wireless security is still very weak (although I won't say wired security is really good).

The more existential question being: who ever thought a wireless keyboard was a good idea in the first place? It's the typing equivalent of an internet-connected toilet that uploads flush events to Google and exactly the sort of unsafe device Clapper, Rogers & co. WANT us to use.

Thoth • March 3, 2016 6:04 PM

@Uhu
Wireless mice are also a weak spot in security. When I go out to do my deployments or work in the office, I simply refuse to use any wireless keyboard or mouse even when it is part of the laptop package provided by the company I work for just to be a step safer and I always bring my own wired mouse around. You never know when the extra safety pays off. Probably just the usual paranoia when you work in a security sector environment and not everyone in that sector always thinks in a safer manner.

@Dirk Praet
You never know that some people might be fond of all things wireless. You can imagine someone setting up multiple large screen monitors and lying on bed or couches and happily typing away wirelessly. Not everyone thinks in a somewhat more cautious manner like many of us on the forum :) .

Marcos El Malo • March 3, 2016 7:40 PM

For those concerned about Bluetooth, here are the pertinent sections from the Wikipedia article to get you started:
https://en.wikipedia.org/wiki/Bluetooth#Security_concerns
https://en.wikipedia.org/wiki/Bluetooth#Security

Yes there have been vulnerabilities, hopefully (haha) 2.1 patched them. I use a BT speaker for music and occasionally a BT keyboard. I sometimes use BT to initiate file transfers between my mobile devices, but I don't make it a habit to leave BT on when not in use.

Anonymous Idiot • March 4, 2016 3:48 PM

I think wireless can be safer than wired IF the signal is properly encrypted. With wired you always have the danger of a TEMPEST attack and frankly TEMPEST is known to work perfectly well. Logitech was always adamant in using wireless encryption which most manufacturers don't care for.

Now BT is another story. Much more convenient if you want to use a keyboard on a few computers switching between them but its security doesn't sound that robust.

Nick P • March 4, 2016 4:01 PM

@ Anonymous Idiot

TEMPEST works on wired devices. However, it works many times better on wireless devices because the wireless signal bounces secrets off the circuitry like a flashlight bounces imagery off trees in the night. Having even one wireless device near others makes all of them more vulnerable to emanation-based surveillance.

TRX • March 5, 2016 4:46 PM

The IBM PC Jr. used an infrared keyboard. That was an issue when you needed to put the box somewhere out of line of sight of the keyboard's LED. I found a piece of folded paper made an adequate reflector.

The PC Jr.'s keyboard had another problem - the infrared signal was the same for all computers. Schools who bought classroom-sized lots of the computers ran into that early on, requiring them to buy an upgrade that used a cable.

IBM tried reintroducing the infrared keyboard with some PS/2 models in the mid-1990s, and my circa-2003(?) Alienware laptop has a mystery "IR port."

clueless • March 13, 2016 6:04 AM

Fun fact: The Unifying Receiver which is the problem here (you can see if your Logitech device is affected if it has the icon similar to a sun with 6 rays printed onto it), OS X and Linux have not even seen any option to fix this security disaster.

Logitech mega fail. This company should be avoided. Just don't buy their products and sell any existing you own, problem solved.

Clive Robinson • March 13, 2016 6:42 AM

@ clueless,

Just don't buy their products and sell any existing you own, problem solved.

And the problem will still be there only with a different company's implementation...

The problem is in three parts,

1, The idea of using a wireless solution.
2, The requirement to use standard parts.
3, The lack of market regulation to ensure minimum standards of security.

Change any one of them and the problem will change... BUT the price will also change, probably upwards initially, thus you probably won't buy if there is an alternative at lower cost or free.

People forget it's not just "You get what you pay for" you also get what you don't pay for which is why "There is no such thing as a free lunch".
