Can all Linux computers still be hacked in 10 seconds via "mousejacking"?

Chat about Linux in general
carum carvi
Level 5
Level 5
Posts: 897
Joined: Sun Apr 16, 2017 11:44 pm

Can all Linux computers still be hacked in 10 seconds via "mousejacking"?

Post by carum carvi » Wed Mar 27, 2019 5:53 pm

Research from 2016 showed everybody that any computer could be hacked in 10 seconds from 250 feet away (80 metres) via an UNencrypted wireless mouse.

I only recently read about that research from 2016. Have things changed since then? If not, are many mouses, and are therefore many Linux computers, still vulnerable to "mousejacking"?

I just came back from the store and all the mouses I saw didnt mention encryption at all. One manufacturer called the 2.4 Ghz band "reliable". But isnt that the biggest lie? Research from 2016 showed that many well known manufacturers of wireless mouses did not have encryption. Things dont seem to have changed.

Can anyone on this forum tell me the oposite is true and that ALL wireless mouses are indeed encrypted but manufacturers dont even bother telling it to us buyers? That seems rather odd to me, because encryption is a selling point and manufacturers DO mention encryption on SOME more expensive keyboards. But they dont mention it on the cheaper ones. And I havent read any package containing a wireless mouse that the wireless mouse was indeed encrypted.



Linux is as vulnerable as any ohter OS for "mousejacking".

https://www.mousejack.com/

https://www.bastille.net/research/vulne ... al-details

gm10
Level 18
Level 18
Posts: 8242
Joined: Thu Jun 21, 2018 5:11 pm

Re: Can all Linux computers still be hacked in 10 seconds via "mousejacking"?

Post by gm10 » Wed Mar 27, 2019 6:25 pm

Breaking: Linux computers can be hacked in 10 seconds by typing on their keyboard.

About as relevant as this thread (or that vulnerability, for what it's worth).

User avatar
Pjotr
Level 21
Level 21
Posts: 12922
Joined: Mon Mar 07, 2011 10:18 am
Location: The Netherlands (Holland)
Contact:

Re: Can all Linux computers still be hacked in 10 seconds via "mousejacking"?

Post by Pjotr » Wed Mar 27, 2019 7:45 pm

gm10 wrote:
Wed Mar 27, 2019 6:25 pm
Breaking: Linux computers can be hacked in 10 seconds by typing on their keyboard.
Ha! I dare you to hack mine in that way! :lol:
Tip: 10 things to do after installing Linux Mint 19.2 Tina
Keep your Linux Mint healthy: Avoid these 10 fatal mistakes
Twitter: twitter.com/easylinuxtips
All in all, horse sense simply makes sense.

User avatar
lsemmens
Level 8
Level 8
Posts: 2280
Joined: Wed Sep 10, 2014 9:07 pm
Location: Rural South Australia

Re: Can all Linux computers still be hacked in 10 seconds via "mousejacking"?

Post by lsemmens » Thu Mar 28, 2019 5:32 am

What's the point in hijacking a mouse from 80m away if you can't see the screen? What are you going to do? Move the cursor at random on a screen to annoy the user of said hijacked mouse?
Kernel: 4.15.0-46-generic x86_64 bits
Desktop: Cinnamon 3.8.9
Distro: Linux Mint 19 Tara

Laptop HP-ProBook-470-G2 8Gb RAM SSD
Server AMD Phenom 9650 - GEForce 9400GT 6Gb RAM
+ three other Mint machines
Out of my mind - please leave a message

gm10
Level 18
Level 18
Posts: 8242
Joined: Thu Jun 21, 2018 5:11 pm

Re: Can all Linux computers still be hacked in 10 seconds via "mousejacking"?

Post by gm10 » Thu Mar 28, 2019 5:47 am

lsemmens wrote:
Thu Mar 28, 2019 5:32 am
What's the point in hijacking a mouse from 80m away if you can't see the screen? What are you going to do? Move the cursor at random on a screen to annoy the user of said hijacked mouse?
It said you could also insert keystrokes, so you can take over an Internet connected system while they're not watching by guessing at the terminal shortcut keys I suppose. But seriously, if somebody is targeting you like that from 80m away you've got bigger problems, anyway.

jchelpau
Level 3
Level 3
Posts: 100
Joined: Mon Mar 25, 2019 11:19 pm
Location: Australia
Contact:

Re: Can all Linux computers still be hacked in 10 seconds via "mousejacking"?

Post by jchelpau » Thu Mar 28, 2019 7:51 am

With unencrypted connections I'd be more concerned about wireless keylogging than hijacking.

User avatar
thx-1138
Level 7
Level 7
Posts: 1826
Joined: Fri Mar 10, 2017 12:15 pm
Location: Athens, Greece

Re: Can all Linux computers still be hacked in 10 seconds via "mousejacking"?

Post by thx-1138 » Thu Mar 28, 2019 8:51 am

...No wireless peripherals here (for obvious security reasons) -
personally i'm searching for a linux-friendly laptop that comes with a CRT instead.

Edit: SOLVED.

RollyShed
Level 2
Level 2
Posts: 87
Joined: Sat Jan 12, 2019 8:58 pm
Location: South Island, New Zealand

Re: Can all Linux computers still be hacked in 10 seconds via "mousejacking"?

Post by RollyShed » Thu Mar 28, 2019 5:28 pm

Looks like I put this under tangled mice instead of here. OK, entanglement...

"wireless mouses, which can be hijacked from a distance of 250 feet (80-90metres) within 10 seconds."

OK, with a WiFi router and problems getting connection because of walls and such like getting in the way and having to get more powerful routers better placed in a house, can anyone give us relative signal strengths of router vs wireless mouse?

Has anyone on this thread got a wireless mouse and can they walk away from it and tell us the operational range?

Is the "250 feet" range correct?

How many people know about the hijacking method and how many in the world actually go around using the method?

I am querying actual vs theoretical events, any percentage of events vs users?

carum carvi
Level 5
Level 5
Posts: 897
Joined: Sun Apr 16, 2017 11:44 pm

Re: Can all Linux computers still be hacked in 10 seconds via "mousejacking"?

Post by carum carvi » Fri Mar 29, 2019 7:37 am

I have yet to read any founded arguments against my question about this perceived security problem. I really think this could still be a serious problem. But I thought this forum would be a good place to find counter arguments, which I havent read sofar...

A rootkit can be installed in 10 seconds IF a person has an unencrypted mouse. That was tested and found to be true for many mouses in 2016. Many well known mouses. Since then I havent read that anything has changed regarding wireless mouses. With that I mean to say that I still dont see mentioned on the packages of wireless mouses that they are encrypted.

The equipment with which a wireless mouse can be hijacked and with the entire computer can get infected, that equipment can be bought for a couple of dollars. It wasnt particular difficult to construct either if I can believe the research done in 2016. (See the links above)

I really would like to know if anyone has read any evidence that this problem with wireless mouses has been tackled by the industry or not. My guess is, it is still a security problem.

I have tested myself that my wireless mouse reaches into the street! Anyone who parks there with such a machine could possibly hack into my computer. Not just the mouse gets hijacked the entire computer. And Linux is ofcourse just as vulnerable.

jchelpau
Level 3
Level 3
Posts: 100
Joined: Mon Mar 25, 2019 11:19 pm
Location: Australia
Contact:

Re: Can all Linux computers still be hacked in 10 seconds via "mousejacking"?

Post by jchelpau » Fri Mar 29, 2019 8:00 am

Sounds like a security problem, but there's not much OSes can do about it. If you're really worried you could use Bluetooth instead.

gm10
Level 18
Level 18
Posts: 8242
Joined: Thu Jun 21, 2018 5:11 pm

Re: Can all Linux computers still be hacked in 10 seconds via "mousejacking"?

Post by gm10 » Fri Mar 29, 2019 8:36 am

carum carvi wrote:
Fri Mar 29, 2019 7:37 am
But I thought this forum would be a good place to find counter arguments, which I havent read sofar...
Why? It's plain as day that unsecured remote access poses a security risk, no sane person is going to argue against that. That's nothing new, nothing Linux-specific and nothing even wireless mouse specific.

I'm not using unsecured wireless devices, even my smartphone is running iptables.

User avatar
AZgl1500
Level 10
Level 10
Posts: 3437
Joined: Thu Dec 31, 2015 3:20 am
Location: Oklahoma where the wind comes sweeping down the plains
Contact:

Re: Can all Linux computers still be hacked in 10 seconds via "mousejacking"?

Post by AZgl1500 » Fri Mar 29, 2019 9:01 am

what's the point?

there isn't anywhere to stand and try to hack my mouse within 250 feet....

I own all the land around me for 350 feet at least....
and my critters will ensure that you can't stand still long enough to try and hack me....

and to what point? they don't know if I am using Windex or Linex or 6502 machine code?

User avatar
thx-1138
Level 7
Level 7
Posts: 1826
Joined: Fri Mar 10, 2017 12:15 pm
Location: Athens, Greece

Re: Can all Linux computers still be hacked in 10 seconds via "mousejacking"?

Post by thx-1138 » Fri Mar 29, 2019 9:18 am

carum carvi wrote:
Fri Mar 29, 2019 7:37 am
But I thought this forum would be a good place to find counter arguments, which I havent read sofar...
...i provided a counter argument above - since they can read your LCD itself...
why would you worry about the petty wireless mouse? /meow :wink:

Although to be honest, their algo is somewhat flakey & needs some serious re-writing me thinks.
I pentested it on my neighbor out of curiosity - yet instead of getting zebras on the screen as the researchers claimed above,
somehow i ended up with a picture of some scantily clad ladies though?... :roll:
gm10 wrote:
Fri Mar 29, 2019 8:36 am
...even my smartphone is running iptables.
...which in turn also means that the LM repositories are as much secure as it gets 8) :mrgreen:

gm10
Level 18
Level 18
Posts: 8242
Joined: Thu Jun 21, 2018 5:11 pm

Re: Can all Linux computers still be hacked in 10 seconds via "mousejacking"?

Post by gm10 » Fri Mar 29, 2019 9:21 am

thx-1138 wrote:
Fri Mar 29, 2019 9:18 am
gm10 wrote:
Fri Mar 29, 2019 8:36 am
...even my smartphone is running iptables.
...which in turn also means that the LM repositories are as much secure as it gets 8) :mrgreen:
I knew I was making too much sense today. Happy Friday! :D

User avatar
murray
Level 4
Level 4
Posts: 272
Joined: Tue Nov 27, 2018 4:22 pm
Location: Auckland, New Zealand

Re: Can all Linux computers still be hacked in 10 seconds via "mousejacking"?

Post by murray » Sat Mar 30, 2019 5:01 pm

Well it looks like I'm safe from mouse/keyboard wireless hacking. I've got a Logitech mouse and keyboard that use their Unifying dongle. I found mention on Logitech's website:
Logitech Advanced 2.4 GHz is integrated into all compatible devices, and provides 128-bit AES encryption between keyboard and receiver.
So it looks like Logitech encrypt their mouse/keyboard transmissions.

I also found a page on Logitech's website where they specifically respond to the Bastille research: https://community.logitech.com/s/questi ... h-findings They say that the research was done in a lab under ideal circumstances and that to do it in the real world the hacker would need to be physically close to the target. They've also issued firmware updates for a few of their devices that weren't secure.
Running Mint 19.1 Cinnamon on an Intel NUC8i5BEH with 16GB RAM and 500GB SSD

carum carvi
Level 5
Level 5
Posts: 897
Joined: Sun Apr 16, 2017 11:44 pm

Re: Can all Linux computers still be hacked in 10 seconds via "mousejacking"?

Post by carum carvi » Sat May 04, 2019 5:04 am

thx-1138 wrote:
Fri Mar 29, 2019 9:18 am
i provided a counter argument above - since they can read your LCD itself...
why would you worry about the petty wireless mouse?
Can one install a rootkit within 10 seconds with the above remote eaves dropping technique? One can, with a wireless mouse. 250 ft in a city area could scan hundreds of computers simultaneously AND install a rootkit.

I am impressed ( in a frightening way) by your mentioning this way of eaves dropping by using a microphone. But I havent read that one can read passwords being entered whatsoever, by using that microphone/ LCD screen snooping technique. With a rootkit EVERYTHING is controlled. With the ability to look at somebodies elses screen one still cant see any passwords being entered. Or am I wrong about that assumption?


gm10 wrote:
Fri Mar 29, 2019 8:36 am
It's plain as day that unsecured remote access poses a security risk, no sane person is going to argue against that. That's nothing new, nothing Linux-specific and nothing even wireless mouse specific.
Gm10, I learned a lot about security and privacy from your comments on this forum. My point is though that I did not know about that possible security risk with wireless mouses. My point is that many people still think that when a combination of keyboard AND mouse is being sold togehter people assume keyboard and mouse are always BOTH being encrypted. While I beg to question the validity of that assumption...

Another forumuser mentioned that he checked out Logitech's reaction to this Bastille investigation and he read that his keyboard was encrypted. But THAT is exactly my point. The wireless Logitech keyboard might be encrypted, BUT I fear the wireless mouse, (that is sold alongside the keyboard), often is NOT encrypted. Many dont fear the wireless mouse as a security issue whatsoever, because they read that the keyboard communication is encrypted, while the mouse tranmission might still NOT be encrypted.

Judging by the reactions on this forum many still dont fear the wireless mouse as a serious security issue. I think that carefree attitude towards the security of wireless mouses is astounding, regarding the Bastille evidence proving that the wireless mouse is THE biggest (unknown) hardware security issue.

jchelpau
Level 3
Level 3
Posts: 100
Joined: Mon Mar 25, 2019 11:19 pm
Location: Australia
Contact:

Re: Can all Linux computers still be hacked in 10 seconds via "mousejacking"?

Post by jchelpau » Sat May 04, 2019 5:52 am

carum carvi wrote:
Sat May 04, 2019 5:04 am
Can one install a rootkit within 10 seconds with the above remote eaves dropping technique? One can, with a wireless mouse. 250 ft in a city area could scan hundreds of computers simultaneously AND install a rootkit.
Not without the user entering the administrator password.

gm10
Level 18
Level 18
Posts: 8242
Joined: Thu Jun 21, 2018 5:11 pm

Re: Can all Linux computers still be hacked in 10 seconds via "mousejacking"?

Post by gm10 » Sat May 04, 2019 6:23 am

carum carvi wrote:
Sat May 04, 2019 5:04 am
My point is that many people still think that when a combination of keyboard AND mouse is being sold togehter people assume keyboard and mouse are always BOTH being encrypted.
That statement about how people think actually surprises me. My guess would be that many people don't know a thing about encryption and wouldn't assume anything like that unless it's specifically mentioned. And even for the more technical minded: It's only since rather recently that web browsers have been pushing for transport layer encryption being the new default, but until then the default for everything was (and for most things still is) to not be encrypted unless otherwise stated.

sgtor
Level 4
Level 4
Posts: 328
Joined: Sat May 13, 2017 9:39 pm

Re: Can all Linux computers still be hacked in 10 seconds via "mousejacking"?

Post by sgtor » Sat May 04, 2019 7:23 am

It's probably something you don't need to worry about, I agree with gm10 if someone is targeting you that way you've got bigger problems. And also if the people targeting you that way are that skilled they are going to get into your computer somehow no matter what you do to prevent it. Even air-gapped computers are vulnerable under the right conditions.

Are you a spy? Or the CEO of a company with super valuable proprietary information? If not then you probably don't have anything to worry about.

Don't get me wrong I believe in the paranoid security model when it is appropriate like the two situations I mentioned but you have to also consider other factors like your actual target profile. I think the standard security that everyone should follow is cautious not full on paranoid, question everything and secure yourself as best you can.

I have to give two examples here that are unrelated to computer security.
These days criminals have the ability to take a picture of a key and use that picture to make a copy of the key. So who do you think they are going to target with that skill? Someone who drives a rolls royce or a bentley I would think. Yet if you see someone skulking around looking out of place in a parking lot you should be aware enough of your surroundings to notice that but they are probably not trying to take a picture of your car key unless you are driving an expensive car. So in this case most people have a low target profile for that particular exploit.

The second example is these guys inserting those thin card readers into bank machines and grocery checkouts. Obviously in this case almost everyone has a high target profile because most people use bank machines and checkouts. In this case I am very cautious just as I am when I enter my pin number. See the difference?

The point is this world full of predators looking to exploit people and their computers but you have to be realistic about what your target profile is and use the right level of caution for each situation.

pbear
Level 6
Level 6
Posts: 1497
Joined: Wed Jun 21, 2017 12:25 pm
Location: San Francisco

Re: Can all Linux computers still be hacked in 10 seconds via "mousejacking"?

Post by pbear » Tue May 07, 2019 6:14 pm

carum carvi wrote:
Sat May 04, 2019 5:04 am
Judging by the reactions on this forum many still dont fear the wireless mouse as a serious security issue. I think that carefree attitude towards the security of wireless mouses is astounding, regarding the Bastille evidence proving that the wireless mouse is THE biggest (unknown) hardware security issue.
How serious can it be when no one has observed an actual exploit in the wild, three years later? Also, as you researched this before posting, surely you noticed both Microsoft and Logitech issued patches shortly after the vulnerability was found. (Number 2 may have or may not explain Number 1.) And if none of that nor the comments in the thread make you comfortable, the obvious solution is to use a wired mouse (or trackball).
Time flies like an arrow. Fruit flies like a banana.
If your problem has been solved, please edit the thread title.

Post Reply

Return to “Chat about Linux”