Flaw Puts a Billion Wireless Mice at Risk

Wireless mice and keyboards are the perfect accessories for a world in which devices increasingly are shuffling off their connection coils, but those accessories — especially untethered rodents — also can create new threats for those who use them.

One such threat is Mousejack. The attack exploits a vulnerability found in 80 percent of wireless mice. With US$15 worth of off-the-shelf hardware and a few lines of simple code, a wireless mouse can be turned into a hacker’s portal for all kinds of mischief.

Mousejack — the name Bastille, which discovered the flaw last year, gave to the vulnerability — impacts more than a billion wireless mice worldwide, the company’s chief revenue officer, Ivan O’Sullivan, said.

One of Bastille’s engineers, Marc Newlin, discovered the vulnerability in non-Bluetooth wireless mice. The flaw in the mice is related to how the devices handle encryption.

“When evaluating these devices, it became apparent that they do not implement encryption in a correct way and make it possible to bypass encryption in certain situations,” he told TechNewsWorld.

Speed Typing

That allows an attacker to forge and transmit wireless packets to the USB dongle of a target’s mouse and use that to inject keystrokes into that target’s computer.

“Taking advantage of that, an attacker from 225 meters away [246 yards] can type on a target’s computer,” Newlin said.

Typing is a relative term here. The keystrokes sent to the dongle could be automated, which means a hacker could type as fast as 1,000 words a minute.

“You could very quickly execute an attack,” Newlin said. “You could bring up a command window, type some commands, download some malware, and close the window all in a matter of seconds.”

“If a victim’s attention is elsewhere for a short period of time, an attack can be executed without their knowledge,” he added.
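The typing speed quoted above is also what makes injected keystrokes detectable. The following is an added example, not code from Bastille or from the original article: it flags runs of keystrokes whose timing no human could sustain, assuming an endpoint agent already records key-down timestamps in seconds (no key values are needed). The 300-words-per-minute ceiling, the five-characters-per-word convention, the minimum run length and the sample data are all assumptions.

```python
from dataclasses import dataclass

CHARS_PER_WORD = 5     # typing-test convention (assumption)
HUMAN_MAX_WPM = 300    # assumed ceiling for sustained human typing; tune per site
MIN_BURST_KEYS = 20    # ignore short key rolls and chords (assumption)


@dataclass
class Burst:
    start: float   # timestamp of first key in the run
    end: float     # timestamp of last key in the run
    keys: int      # number of keystrokes in the run
    wpm: float     # effective typing rate over the run


def find_bursts(timestamps, max_wpm=HUMAN_MAX_WPM, min_keys=MIN_BURST_KEYS):
    """Return runs of keystrokes in which every gap is shorter than a human could sustain."""
    max_gap = 60.0 / (max_wpm * CHARS_PER_WORD)  # seconds per key at max_wpm
    ts = sorted(timestamps)
    bursts, run_start = [], 0
    for i in range(1, len(ts) + 1):
        # Close the current run at end of input or at a human-scale pause.
        if i == len(ts) or ts[i] - ts[i - 1] > max_gap:
            n = i - run_start
            if n >= min_keys:
                dur = ts[i - 1] - ts[run_start]
                # Identical timestamps (dur == 0) mean an unbounded rate.
                wpm = (n - 1) / CHARS_PER_WORD / (dur / 60.0) if dur > 0 else float("inf")
                bursts.append(Burst(ts[run_start], ts[i - 1], n, wpm))
            run_start = i
    return bursts


# Constructed sample: about 60 wpm human typing, a 60-key run at the article's
# 1,000 wpm figure (12 ms per key), then human typing again.
HUMAN_BEFORE = [k * 0.2 for k in range(30)]
INJECTED = [10.0 + k * 0.012 for k in range(60)]
HUMAN_AFTER = [12.0 + k * 0.2 for k in range(30)]
SAMPLE = HUMAN_BEFORE + INJECTED + HUMAN_AFTER

if __name__ == "__main__":
    for b in find_bursts(SAMPLE):
        print(f"suspicious burst: {b.keys} keys in {b.end - b.start:.3f}s (~{b.wpm:.0f} wpm)")
```

Macro tools, barcode scanners and paste-via-keyboard utilities also produce runs like this, so an alert from this check is a lead to correlate with process and USB events rather than a verdict.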

160 Million Weak Links

Although Bastille has demonstrated the feasibility of Mousejack, no attacks have been seen in the wild yet, Newlin noted.

Still, the vulnerability does pose a large threat not only to consumers but to businesses too. Eighty-two percent of businesses allow their employees to use wireless mice at work, according to a survey of 900 organizations Bastille released last month.

Most of the respondents were concerned about the mousejacking problem, but 21 percent said they were unconcerned about it, and 16 percent said they’d continue to use their wireless mouse even if it had the vulnerability.

“Sixteen percent of a billion devices is 160 million weak links in an organization’s security chain,” O’Sullivan told TechNewsWorld.

EMV Working

While merchants remain slow to add the hardware necessary for processing EMV transactions, card issuers are starting to see benefits from the payment cards with a computer chip, according to a report released this month by the Aite Group and sponsored by Iovation.

Card issuers with at least 50 percent of their portfolios reissued as EMV cards averaged a 25 percent year-over-year decline in net counterfeit fraud, Aite reported.

The results can be even better for issuers that have replaced their portfolio. One such issuer said its year-over-year decline in fraud losses was 65 percent, and it expects losses to be down by 80 percent in 2016, the report said.

Those declines can be a bit of a shell game, though. That’s because with the introduction of EMV cards, the liability for picking up the tab for card fraud shifted from card issuers to merchants. Still, it’s expected that much of the card-present fraud will shift from the physical world to the online world.

Unlike brick-and-mortar merchants, online retailers have been eating the losses for misuse of payment cards for years. Nevertheless, that doesn’t mean they’re ready to cope with more fraud.

“The question is if a significant portion of attempted fraud shifts to online, all of a sudden the numbers shift and you may not be able to absorb the uptick,” Michael Thelander, product marketing manager of Iovation, told TechNewsWorld.

Card issuers continue to absorb some losses, the Aite report noted. Fraud at the gas pump, for example, is absorbed because provisions for chargeback to merchants don’t take effect there until 2017.

In addition, card issuers are eating fraud losses on transactions of less than $25 because it costs more to process the chargeback than to eat the fraud loss.

Breach Diary

  • May 9. The Federal Deposit Insurance Corp. retroactively reports to Congress that since Oct. 30, five major data breaches have occurred involving taxpayers’ personally identifiable information.
  • May 9. Google begins notifying employees their personal information is at risk after it was sent by a third-party provider to the benefits manager of another company. The manager destroyed the data when he realized it was sent to him by mistake.
  • May 9. Chelsea and Westminster Hospital NHS Foundation Trust in the UK is fined $258,570 for accidentally emailing the email addresses and names of HIV-positive patients with an electronic newsletter last fall.
  • May 10. The Ohio Department of Mental Health and Addiction Services discloses it has put at risk the personal information of as many as 59,000 people by mailing them postcards about participating in a survey for people with mental health or addiction problems.
  • May 10. Kiddicare reveals sensitive information about as many as 794,000 customers was stolen from a test site operated by the company.
  • May 10. Motherboard reports information on more than 100,000 user accounts from an adult site called Rosebuttboard was being posted to the “Have I Been Pwned?” site by security researcher Troy Hunt.
  • May 11. Wendy’s reports a data breach in January affected fewer than 300 of its 5,500 restaurants.
  • May 12. Ponemon Institute releases annual benchmark study on privacy and security of healthcare data with a finding that the average cost of a healthcare breach was $2.2 million.
  • May 12. UnityPoint Health-Allen Hospital starts notifying 1,620 patients that their personal information was at risk after an employee accessed it without proper authorization over a seven-year period.
  • May 12. TalkTalk, which suffered a major data breach last year, reports pretax profits plunged more than 50 percent — to Pounds 14 million from Pounds 32 million — for the fiscal year that ended in March.
  • May 12. Kern County Superintendent of Schools in California alerts more than 2,500 employees paid by KCSOS in 2015 that some sensitive information about them was at risk after it was sent to an unauthorized party as the result of a phishing scam.
  • May 12. Kmart files papers with a federal court in Illinois announcing it has reached a settlement with financial institutions that filed a class-action lawsuit over a 2014 data breach. Details of the deal were not disclosed.
  • May 12. The New York Times reports a second bank has been infected with malware believed to be connected to an $81 million electronic robbery of the central bank of Bangladesh.

Upcoming Security Events

  • May 20-21. B-Sides Boston. Microsoft NERD, 1 Memorial Drive, Cambridge, Massachusetts. Tickets: $20.
  • May 21. B-Sides Cincinnati. University of Cincinnati, Tangeman University Center, Cincinnati. Tickets: $10.
  • May 21. B-Sides San Antonio. St. Mary’s University, One Camino Santa Maria, San Antonio. Tickets: $10.
  • May 24. PCI DSS: Preventing Costly Cases of Non Compliance. 1 p.m. ET. Webinar by VigiTrust, HPE Data Security, Aberdeen Group and Coalfire. Free with registration.
  • June 1-2. SecureWorld Atlanta. Cobb Galleria Centre (Ballroom), Atlanta. Registration: conference pass, $325; SecureWorld plus $725; exhibits and open sessions, $30.
  • June 6-9. Cloud Identity Summit. New Orleans Marriott, 555 Canal St., New Orleans. Registration: $1,695.
  • June 8. B-Sides London. ILEC Conference Center, 47 Lillie Rd., London SW6 1UD, UK. Free.
  • June 9. SecureWorld Portland. Oregon Convention Center. Registration: conference pass, $325; SecureWorld plus $725; exhibits and open sessions, $30.
  • June 10. B-Sides Pittsburgh. Spirit Pittsburgh, 242 51st St., Pittsburgh. Free.
  • June 11-12. B-Sides Latin America. PUC-SP (Consolação), São Paulo. Free.
  • June 15. Federal Trade Commission’s Start With Security — Chicago. Northwestern Pritzker School of Law, 375 E. Chicago Ave. (corner of Lake Shore Drive), Chicago. Free.
  • June 13-16. Gartner Security & Risk Management Summit. Gaylord National Resort & Convention Center, 201 Waterfront St., National Harbor, Maryland. Registration: until April 15, $2,950; after April 15, $3,150; public sector, $2,595.
  • June 20. Center for New American Security Annual Conference. 9:30 a.m. to 5:30 p.m. J.W. Marriott, 1331 Pennsylvania Ave., Washington, D.C. Free with registration.
  • June 22. Combatting Targeted Attacks to Protect Payment Data and Identify Threats. 1 p.m. ET. Webinar by TBC. Free.
  • June 27-29. Fourth annual Cyber Security for Oil & Gas. DoubleTree by Hilton, 6 Greenway Plaza East, Houston. Registration: main conference, $2,295; conference and workshops, $3,895; single workshop, $549.
  • June 27-July 1. Appsec Europe. Rome Marriott Park Hotel, Colonnello Tommaso Masala, 54 Rome, Italy. Registration: members, 599 euros; nonmember, 610 euros; student, 91.50 euros.
  • June 27-July 1. Hack in Paris. Maison de la Chimie, 28 Rue Saint-Dominique, 75007 Paris. Tickets: before April 5, 288 euros; student or unemployed, 72 euros. Before June 9, 384 euros; student or unemployed, 108 euros. After June 8, 460.80 euros.
  • June 29. UK Cyber View Summit 2016 — SS7 & Rogue Tower Communications Attack: The Impact on National Security. The Shard, 32 London Bridge St., London. Registration: private sector, Pounds 320; public sector, Pounds 280; voluntary sector, Pounds 160.
  • June 30. DC/Metro Cyber Security Summit. The Ritz-Carlton Tysons Corner, 1700 Tysons Blvd., McLean, Virginia. Registration: $250.
  • Aug. 25. Chicago Cyber Security Summit. Hyatt Regency Chicago, 151 E. Wacker Drive, Chicago. Registration: $250.
  • Oct. 11-14. OWASP AppSec USA. Renaissance Marriott, 999 9th St. NW, Washington, D.C. Registration: Nonmember, $750; student, $80.
  • Oct. 17-19. CSX North America. The Cosmopolitan, 3708 Las Vegas Blvd. South, Las Vegas. Registration: before Aug. 11, ISACA member, $1,550; nonmember, $1,750. Before Oct. 13, member, $1,750; nonmember, $1,950. Onsite, member, $1,950; nonmember, $2,150.

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.
