In 2016 Bastille’s Research Team published information on the so called MOUSEJACK attack. The attack exploits the lack of encryption between wireless mice / keyboards and the applicable USB dongles. Most available devices from companies like Logitech and Microsoft were vulnerability.

The used attack tools initially sniff traffic between the input device and the dongle and identify the address of the involved parties. Afterwards the input device is spoofed and arbitrary input injected into the dongle, which in return starts controlling the host system. Although there is a pairing between the dongle and the input device, the pairing is only based on address, which are part of the packets.

Bastille Research, MOUSEJACK

Bastille has a few research tools published on GitHub. As the instructions are straight forward, there is no reason to add any further notes.

JackIt

JackIt is simple exploit tool for MOUSEJACK and supports all steps from sniffing down to actual injection. Injection is performed based on Ducky Script which is the scripting language also used by the HAK5 USB Rubber Ducky.

Screenshot

For the following screenshot JackIt is run with jackit --script test.ds. Where test.ds contains STRING blablabla.

Potential Issues

As everybody who has ever tried to inject keystrokes probably painfully knows, there are many different keyboard layouts out there. One of the classic issues here is the swapped of the swapped y and z characters on German vs. English keyboards. For this reason the developers of JackIt have added a --layout function.

Hardware

As described in Bastille’s documentation on their tools, there are various approaches concerning hardware. I personally have a CrazyRadio PA and am very happy with it. I’m not sure were I got it, and it looks like a clone … but they’re available at Seeedstudio and EXP-Tech.

Mitigations

Input Device Side

Mitigations only on input device side will not result any issues. The dongle always has to be adjusted to changed input.

Dongle Side

Mitigations solely on dongle side can be compared to input firewalls. The easiest approach is to only allow valid input, which would defend against keyboard keystroke attacks against wireless mice and presenters. Still this filtering won’t work with keyboards as they need to be able to type.

Both Sides

The “easiest” approach would be to add encryption to the communication. Here of course individual keys would be necessary for each dongle / input device pair. Alternatively a secure pairing mechanism would have to be implemented. The biggest issue here is that for most devices a firmware update on the actual device is not possible without direct physical access. As such, while vendors may be able to update the firmware on a dongle, but probably not on the wireless input device.

Notes

Further References

• Keykeriki
• Travis Goodspeed, nRF24L01 Promicious Mode
• Samy Kamkar, KeySweeper
• Nordic Semi Website, nRF24LU1+
• Nordic Semi Application Note nAN-22, “Generic data transfer using USB HID”