
Wireless mouses, especially the older ones, can turn well-protected computers into vulnerable systems. Cheap and readily available tools like Arduino boards and nRF24 modules, together with open-source software, allow hackers to inject keystrokes and take control of the computer.

Mousejacking is probably ineffective with most recent wireless mouses and keyboards, but there are many old devices lying around that may be vulnerable.
You may be using one right now. This is why you should beware of mousejacking and maybe update the firmware of your devices.

This video shows how easy it is to set up such an attack or mousejack. The lesson to be learned from this video is that you should upgrade the firmware of your wireless mouse and keyboard regularly in order to be protected against mousejacking and similar types of attack.

 
 

Resources mentioned in the video:

  • Logitech website - this is where you can find tools for updating Logitech mouse receiver firmware and to re-pair devices to other receivers. For other brands, check their websites;
  • Bastille - the inventors of mousejacking;
  • JackIt - mousejacking in Python;
  • µC-mousejack - mousejacking with Arduino;
  • Duckyscript - a scripting language for hackers;
  • LOGITacker - mousejacking on nRF52.

µC-mousejack

  1. Install Platform.io
  2. Download or clone repository from GitHub
  3. Check & edit if necessary uC_mousejack\platformio.ini to make it correspond to your Arduino board and serial port speed
  4. Check & edit if necessary uC_mousejack\src\main.cpp to make sure it has the right pin numbers for the CE and CSN pins of the nRF24 module
  5. Create a Duckyscript file in uC_mousejack\tools\ to hold the commands that should execute on the target computer. Transmissions to and actions on the target computer can be slow, so build in delays and split long strings. Beware of keyboard mappings (see below). An example script (targeting a French computer running Windows 7) is available in the download section of this post.
  6. Compile the Duckyscript to create the file uC_mousejack\src\attack.h
python attack_generator.py my_ducky_script_file

or, with a keyboard mapping other than the default (US), where [COUNTRY] is replaced by a country code available in keymap.py. Doing this is probably necessary when the target computer does not have a US QWERTY keyboard.
 
python attack_generator.py --layout=[COUNTRY] my_ducky_script_file
 
The script is intended for Python 2, but it can easily be adapted for Python 3: just add parentheses ‘()’ to the print statement at line 155 of attack_generator.py, like this:
 
print("CAN'T PROCESS... %s" % line)
 
Note that lines that start with REM are comments and produce a warning that you can ignore.
  7. Compile & upload Arduino sketch
  8. Move the mouse on the target computer. It may take some time before it is detected. If the attack is executed (check in the Serial Monitor, 115200 baud) but nothing happens on the target computer, then your receiver is not vulnerable but doesn't show it. Logitech C-U0010 dongles, for instance, do this, and so does my brand-new C-U0007.
The Duckyscript is integrated into the sketch and it will be executed as soon as it finds an opportunity. This may not be very practical, so you could add a user interface to the sketch to control the execution of the function
 
launch_attack()
 

LOGITacker

This is powerful software featuring many options to explore mousejack vulnerabilities that runs on some nRF52-based dongles, notably on the cheap nRF52840-Dongle (PCA10059) from Nordic. You control it through a serial terminal.
  1. Download or clone the repository or simply get the HEX file for your dongle from the 'build' folder;
  2. Flash your dongle;
  3. Launch a serial terminal (9600n81);
  4. Use the wireless mouse or keyboard on the target computer until LOGITacker detects it;
  5. Start hacking, I mean, exploring.
Use the Tab key to auto-complete commands; it will make your life much easier.

Logitech Dongles

I have tried three different types of dongles of different ages. Mousejacking only worked for me with a unifying C-U0008 type that dates back to at least 2016. Two C-U0010 I tried (these are non-unifying dongles) were not receptive. My brand-new unifying C-U0007 dongle is not receptive either.

The Logitech forum has a post from someone claiming that the non-unifying C-U0010 dongle would be vulnerable too. However, this person does not provide any information about how he hacked it, and, frankly, I am not sure his claim is credible.

If you manage to hack a wireless mouse receiver, please provide enough details on how you did it so other people can try to reproduce the exploit.
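Before updating firmware you need to know which receivers are actually plugged in. The following is an added example, not code from this post or from any of the tools it mentions: it parses `lsusb -v` output on a Linux machine and lists the Logitech receivers with the device release number they report. The function names and the sample output are constructed for illustration; 046d is Logitech's USB vendor ID, and the reported release number is only a hint to compare against the vendor's update tool.

```python
import re

# Constructed sample: abbreviated `lsusb -v` output, not captured from a real host.
SAMPLE_LSUSB_V = """\
Bus 001 Device 004: ID 046d:c52b Logitech, Inc. Unifying Receiver
Device Descriptor:
  idVendor           0x046d Logitech, Inc.
  idProduct          0xc52b Unifying Receiver
  bcdDevice           12.03
Bus 001 Device 005: ID 046d:0825 Logitech, Inc. Webcam C270
Device Descriptor:
  idVendor           0x046d Logitech, Inc.
  bcdDevice            0.12
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Device Descriptor:
  bcdDevice            5.15
"""

LOGITECH_VID = "046d"  # Logitech's USB vendor ID
HEADER = re.compile(r"^Bus (\d+) Device (\d+): ID ([0-9a-f]{4}):([0-9a-f]{4})\s*(.*)$", re.I)
BCD = re.compile(r"^\s*bcdDevice\s+(\S+)")

def parse_devices(text):
    """Split lsusb output into one record per device; bcd_device stays None without -v."""
    devices, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = {"bus": m[1], "device": m[2], "vid": m[3].lower(),
                       "pid": m[4].lower(), "name": m[5].strip(), "bcd_device": None}
            devices.append(current)
            continue
        m = BCD.match(line)
        if m and current is not None:
            current["bcd_device"] = m[1]  # release number reported by the device
    return devices

def logitech_receivers(text):
    """Keep only Logitech devices that describe themselves as a receiver."""
    return [d for d in parse_devices(text)
            if d["vid"] == LOGITECH_VID and "receiver" in d["name"].lower()]

def report(text):
    return [f"{d['vid']}:{d['pid']} {d['name']} (bus {d['bus']}, device {d['device']}): "
            f"device release {d['bcd_device'] or 'unknown'}, check for a firmware update"
            for d in logitech_receivers(text)]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LSUSB_V)))
```

Feed it the output of `lsusb -v` collected from each machine; with plain `lsusb` output the receivers are still listed, but the release number shows as unknown.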

Not Obsolete at All

Here is a presentation from Marcus Mengs, the creator of LOGITacker. The video is on Vimeo and embedding may not work for you, depending on your geographic location.

Marcus Mengs - LOGITacker from BSides København on Vimeo.

Twitter: @clemens_elektor