A flaw in most non-Bluetooth wireless mice and keyboards leaves billions of PCs and millions of networks vulnerable.
Your wireless mouse or keyboard may be putting your personal data at risk of attack.
Cybersecurity firm Bastille this week revealed a major vulnerability in most non-Bluetooth wireless mice and keyboards (those connected to a PC via a USB dongle).
The flaw leaves billions of PCs and millions of networks open to a potential hack, or “MouseJack.” Using radio waves—and about $15 worth of hardware and a few lines of code—the attacker can insert keystrokes or malicious code and access sensitive information.
“MouseJack poses a huge threat, to individuals and enterprises, as virtually any employee using one of these devices can be compromised by a hacker and used as a portal to gain access into an organization’s network,” Bastille CTO Chris Rouland said in a statement.
And since the cyber assault happens at the keyboard or mouse level, no PC, Mac, or Linux machine is safe.
Affected manufacturers include Logitech, Dell, and Lenovo, though most non-Bluetooth wireless dongles are exposed, Bastille said.
“Wireless mice and keyboards are the most common accessories for PCs today, and we have found a way to take over billions of them,” said Marc Newlin, Bastille’s engineer responsible for the MouseJack discovery. “What’s particularly troublesome about this finding is that just about anyone can be a potential victim here, whether you’re an individual or a global enterprise.”
While some vendors can patch the flaw with a firmware update, many dongles were designed to not be updated.
Bastille suggests consumers check with their manufacturer to find out if a fix is available.
“To our knowledge, we have never been contacted by any consumer with such an issue,” Asif Ahsan, senior director of engineering at Logitech, told PCMag in a statement. “We have nonetheless taken Bastille Security’s work seriously and developed a firmware fix.”
All users should ensure their Logitech Options software is up to date.
Lenovo also developed firmware aimed at eliminating the vulnerability in the 500 Wireless Combo Keyboard and Mouse.
The only catch: You’ll have to replace your current set with a new one.
The exchange, a company spokesman said, will be processed for free. More details can be found online.
Dell, meanwhile, identified its Wireless Keyboard Mouse bundle (KM632 and KM714) as vulnerable, suggesting that consumers reach out to the company’s tech support for help. “In the meantime, customers can largely contain this vulnerability by activating the operating system’s lock screen when not using the system,” a Dell spokeswoman said.