MouseJack: A Nintendo Controller Can Hack Wireless Devices
MouseJack is the name given to a collection of security vulnerabilities affecting non-Bluetooth wireless mice and keyboards. Affected devices include those from vendors such as Dell, HP, Logitech and Microsoft. Marc Newlin, an engineer at Bastille Networks, has published a report demonstrating that these wireless mice and keyboards can be compromised by an attacker from as far as 100 metres away using a cheap USB device. An attacker could use the MouseJack vulnerability to enter commands into a victim’s computer.
Typically, wireless devices such as mice and keyboards communicate over radio frequencies with a USB dongle plugged into the user’s computer. When a user presses a key on their keyboard or moves the mouse pointer, the information is sent over the radio link to the USB dongle, which then reports the keystroke or mouse click to the computer. The devices affected by MouseJack do not encrypt these wireless transmissions. As a consequence, an attacker can mimic the radio frequencies of such a mouse or keyboard and transmit their own commands to the victim’s computer.
The researcher used a modified Nintendo controller to carry out the research. According to Newlin, “The NES controller proved to be an excellent platform for learning about the behavior of mouse communication protocols.” Additionally, they were able to use a USB dongle to monitor USB traffic between wireless devices and computers. The MouseJack vulnerabilities fall into three categories: injecting keystrokes to type arbitrary commands on a victim’s computer through a wireless mouse, injecting keystrokes into the computer by spoofing the victim’s keyboard, and forcibly pairing an attacker’s unauthorized device with a computer.
Unfortunately, according to Newlin, “For nonupdateable devices, which represent the majority of those tested, there is no mechanism to secure a vulnerable device short of unplugging the USB dongle from the computer.” You can check if your wireless mouse or keyboard is affected by going here.
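The three MouseJack categories described above each correspond to a check the receiving dongle can make. The following is an added example, not code from Bastille's report or from any vendor firmware: a simplified Python model of dongle-side validation. The frame layout, the per-device key, the HMAC tag (standing in here for an encrypted, authenticated link) and all names are assumptions made for illustration.

```python
import hashlib, hmac
from dataclasses import dataclass, field
MOUSE, KEYBOARD = "mouse", "keyboard"

def make_tag(key, frame_type, counter, payload):
    # Truncated HMAC over the whole frame; stands in for an authenticated link.
    msg = frame_type.encode() + counter.to_bytes(4, "big") + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

@dataclass
class Paired:
    kind: str              # MOUSE or KEYBOARD, fixed at pairing time
    key: bytes             # per-device secret agreed at pairing time
    last_counter: int = 0  # highest frame counter accepted so far

@dataclass
class Dongle:
    devices: dict = field(default_factory=dict)  # radio address -> Paired
    pairing_mode: bool = False                   # set only by a local user action
    def pair(self, addr, kind, key):
        if not self.pairing_mode:                # category 3: forced pairing
            return "reject: pairing not requested by user"
        self.devices[addr] = Paired(kind, key)
        self.pairing_mode = False                # one device per pairing window
        return "paired"

    def receive(self, addr, frame_type, counter, payload, tag):
        dev = self.devices.get(addr)
        if dev is None:
            return "reject: unknown address"
        if frame_type == "key" and dev.kind != KEYBOARD:  # category 1: keys via mouse
            return "reject: keystroke frame from a non-keyboard"
        if counter <= dev.last_counter:
            return "reject: replayed counter"
        if not hmac.compare_digest(tag, make_tag(dev.key, frame_type, counter, payload)):
            return "reject: bad authentication tag"       # category 2: spoofed keyboard
        dev.last_counter = counter
        return "accept: " + frame_type

def demo():
    # Constructed addresses, keys and frames; not captured traffic.
    d, mk, kk = Dongle(), b"constructed-mouse-key", b"constructed-kbd-key"
    for addr, kind, key in ((0xA1, MOUSE, mk), (0xB2, KEYBOARD, kk)):
        d.pairing_mode = True  # user-initiated pairing window
        d.pair(addr, kind, key)
    return [d.receive(0xA1, "key", 1, b"\x04", make_tag(mk, "key", 1, b"\x04")),
            d.receive(0xB2, "key", 1, b"\x04", bytes(8)),
            d.pair(0xC3, KEYBOARD, b"unsolicited"),
            d.receive(0xB2, "key", 1, b"\x04", make_tag(kk, "key", 1, b"\x04"))]
```

Calling demo() returns one verdict per category followed by the verdict for a legitimate keyboard frame.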