tl;dr Today, SySS published a proof-of-concept video demonstrating a mouse spoofing attack resulting in remote code execution due to insecure wireless mouse communication:
https://www.youtube.com/watch?v=PkR8EODee44 ----- Radioactive Mouse States the Obvious In the course of their research project about modern wireless desktop sets using AES encryption, Expert IT Security consultant Matthias Deeg and IT Security Consultant Gerhard Klostermeier noticed that the radio communication of all tested wireless mice so far was unencrypted and unauthenticated. The insight that radio communication of many wireless mice is insecure and can be exploited in specific attack scenarios is not new. The fact that this well-known security issue still exists in current wireless mice which are part of modern wireless desktop sets using AES encryption for keyboard data, however, brought SySS to raise the awareness for this security vulnerability and the associated security risks once again. By knowing the used mouse data protocol, an attacker can spoof mouse actions like mouse movements or mouse clicks. Thus, an attacker can remotely control the mouse pointer of a target system in an unauthorized way. Using trial & error and good educated guesses (heuristic method), mouse spoofing attacks can result in remote code execution on affected target systems. Matthias Deeg and Gerhard Klostermeier developed a proof-of-concept software tool named Radioactive Mouse for conducting automated mouse spoofing attacks. A proof-of-concept mouse spoofing attack resulting in remote code execution is demonstrated in the following video: https://www.youtube.com/watch?v=PkR8EODee44 Further information about vulnerabilities in affected wireless mice of different manufacturers like Cherry, Microsoft, Logitech, and Perixx are described in the following four security advisories: SYSS-2016-058: CHERRY B.UNLIMITED AES - Insufficient Verification of Data Authenticity (CWE-345), Mouse Spoofing Attack https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-058.txt SYSS-2016-059: Microsoft Wireless Desktop 2000 - Insufficient Verification of Data Authenticity (CWE-345), Mouse Spoofing Attack https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-059.txt SYSS-2016-060: M520 (Mouse of Wireless Combo MK520) - Insufficient Verification of Data Authenticity (CWE-345), Mouse Spoofing Attack https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-060.txt SYSS-2016-061: PERIDUO-710W - Insufficient Verification of Data Authenticity (CWE-345), Mouse Spoofing Attack https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-061.txt Moreover, Matthias Deeg and Gerhard Klostermeier will present the results of their research project about modern wireless desktop sets at the following IT security conferences this autumn: Hack.lu, October 18-20, 2016, Luxembourg Hacktivity, October 21-22, 2016, Budapest Ruxcon, October 22-23, 2016, Melbourne DeepSec, November 10-11, 2016, Vienna ZeroNights, November 17-18, 2016, Moscow Currently, SySS recommends not using wireless mice without encryption and authentication in security-sensitive environments. _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
