Bastille security researcher Mark Newlin
Bastille security researcher Mark Newlin has discovered a flaw affecting millions of wireless mice and keyboards that lets hackers hijack PCsBastille

Security researchers have discovered a new vulnerability hitting multiple leading brands of wireless mice and keyboards that lets hackers hijack your PC from up to 100 yards away.

According to security researchers from Bastille, the MouseJack security vulnerability is found in the protocols that are used to help wireless devices and the USB wireless receivers attached to PCs communicate.

As these protocols are typically left unencrypted, the devices can be hijacked using another PC equipped with an off-the-shelf USB wireless dongle costing just $15 (£11). Once paired, the dongle can be programmed with just 15 lines of code to send out attack keystrokes that let the attacker pretend to be the owner of the victim's PC, in order to infiltrate the computer and any networks it is connected to, letting them steal sensitive data.

MouseJack has been proven to affect a vast number of leading mice and keyboard brands, including products by Microsoft, Amazon, Dell, Lenovo, HP, Logitech and Gigabyte. The researchers say it is also likely that even more brands could be affected by the bug too, that they haven't yet gotten around to testing.

Serious flaw could affect millions of computers around the world

Bastille says that as the attack is carried out at the keyboard level, maning that PCs, Mac and Linux machines are all vulnerable. Een non-Bluetooth wireless dongles are susceptible too.

The issue is so serious that the Computer Emergency Response Coordination Center (CERT-CC) of Carnegie Mellon University (which receives funding from US Homeland Security) has issued an advisory about the vulnerability.

"MouseJack poses a huge threat, to individuals and enterprises, as virtually any employee using one of these devices can be compromised by a hacker and used as a portal to gain access into an organisation's network," said Bastille's founder and CTO Chris Rouland.

"The MouseJack discovery validates our thesis that wireless Internet of Things [IoT] technology is already being rolled out in enterprises that don't realise they are using these protocols. As protocols are being developed so quickly, they have not been through sufficient security vetting. The top 10 wearables on the market have already been hacked and we expect millions more commercial and industrial devices are vulnerable to attack as well.

"MouseJack underscores the need for security across the entire RF spectrum as exploitation of IoT devices via radio frequencies is becoming increasingly popular among the hacker community."

Mice, keyboard vendors taking the issue seriously

Network World and Forbes contacted Logitech, Microsoft, Lenovo and Dell about the issue. In response, Lenovo has issued a security advisory and a firmware update for its Lenovo 500 wireless keyboards and mice, however this will only fix the problem in new products as the firmware can only be updated at the time of manufacture.

Meanwhile, Logitech said that it feels that because the attackers would need to be in such close physical proximity to the target's computer, it is unlikely that anyone will actually do this as it is so difficult, and that Logitech has "never been contacted by any consumer with such an issue". However, the firm said it had created a patch , though some Logitech forum users say that it doesn't work.

Microsoft says that it is currently looking into the problem and hopes to provide a resolution to the problem as soon as possible, while Dell said that customers who use the Dell KM714 keyboard and mouse products would be advised to contact Dell Tech Support so that customer service representatives can help them install the patch issued by Logitech.

"We're often so focused on network-based attacks that we forget these peripheral devices provide input to our computers as well. That wireless keyboard is another potential vector for attack. This type of attack is unlikely to be used for large-scale compromise. It's suitable for a targeted attack against an individual," Tripwire's Director of Security and Product Management Tim Erlin told IBTimes UK.

"The more successful we are at detecting the more standard, network-based attacks, the more we push the attackers to alternative methods. It's a positive to see researchers leading the way instead of criminals."