Billions of wireless keyboards and mice are vulnerable to hijacking with inexpensive radio transmitters, potentially letting hackers type arbitrary commands into computers connected to the devices from up to 100 meters away, warns security firm Bastille.
The vulnerability, which the company has dubbed MouseJack, lets hackers impersonate certain non-Bluetooth wireless mice and keyboards from companies including Logitech, Dell, and Microsoft, according to Bastille. Hackers could then type commands on the computer as if they were the current user, potentially letting them delete files or install malware, the company says.
“Once infiltrated, which can be done with $15 worth of hardware and a few lines of code, a hacker has the ability to insert malware that could potentially lead to devastating breaches,” Bastille engineer Marc Newlin said in a statement Tuesday.
Many of the affected keyboards and mice don’t secure connections between the devices and the adaptors that plug into computers, according to Bastille. And some mouse adaptors are configured to receive keyboard commands as well, letting attackers type commands of their choice even into computers that don’t have wireless keyboards, the security firm says.
Logitech released a firmware update for its devices to repair the issue, though the company says it hasn’t heard any reports of computers being hacked through the vulnerability.
“Bastille Security identified the vulnerability in a controlled, experimental environment,” according to Logitech. “The vulnerability would be complex to replicate and would require physical proximity to the target. It is therefore a difficult and unlikely path of attack.”
Users with certain Dell products can also use the Logitech patch, according to a report in Forbes.
A Microsoft spokesperson said in an email that “Microsoft has a customer commitment to investigate reported security issues, and will provide resolution as soon as possible.”