Welcome to IWETHEY!

Holy !@#$%^&*(
https://threatpost.com/mousejack-attacks-abuse-vulnerable-wireless-keyboard-mouse-dongles/116402/
The issue lies in the wireless USB dongles that the keyboards and mice use to communicate over radio frequencies with the host computer. Bastille says that while communication from most keyboards to the dongle is encrypted, none of the mice it tested encrypt their wireless communication. The dongle, therefore, will accept commands from an attacker in close physical proximity the same way it would from the user.

The attacker can, therefore, transmit malicious packets that generate keystrokes rather than mouse clicks, so long as the victim’s computer is turned on, Bastille said.

“Depending on the speed of the attack and how closely the victim is paying attention, it can happen pretty quickly,” said researcher Marc Newlin, who said that an attack could simulate 1,000 words-per-minute typing and install a rootkit in 10 seconds, or eight milliseconds-per-keystroke.

Bastille founder Chris Rouland said that an attacker could exploit the vulnerability with a $15 USB dongle and 15 lines of Python code against any Windows, Mac or Linux machine and gain full control.

“At this point, they can inject malware, or compromise an air-gapped network by turning on Wi-Fi on the target,” Rouland said. “We have been working with the vendors for more than 90 days. More than half of the mice are not able to be updated and will not be patched. And likely won’t be replaced. There will be vulnerable devices everywhere.”

Ho. Lee. Shit.

I wonder if this is only via dongle or if the built-in bluetooth on my laptop is vulnerable? At least that can be updated, but still ...
--

Drew
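
The quoted figure of eight milliseconds per keystroke suggests a host-side check: flag long runs of keystrokes that arrive faster than a person types. This is an added example, not part of the original post or of Bastille's research; the thresholds, function names and sample event log are constructed assumptions.

```python
from dataclasses import dataclass

# Assumed thresholds, not from the article: a person rarely sustains gaps
# under ~30 ms, while the quoted attack rate is 8 ms per keystroke.
MAX_GAP_MS = 30
MIN_RUN = 10  # keys in a row; tolerates a brief human two-key rollover


@dataclass
class Burst:
    start_ms: int
    end_ms: int
    keys: str

    @property
    def mean_gap_ms(self):
        return (self.end_ms - self.start_ms) / max(len(self.keys) - 1, 1)


def _flush(run, min_run, bursts):
    if len(run) >= min_run:
        bursts.append(Burst(run[0][0], run[-1][0], "".join(k for _, k in run)))


def find_bursts(events, max_gap_ms=MAX_GAP_MS, min_run=MIN_RUN):
    """events: time-ordered (timestamp_ms, key) pairs from an input log."""
    bursts, run = [], []
    for ts, key in events:
        if run and ts - run[-1][0] > max_gap_ms:
            _flush(run, min_run, bursts)  # gap too long: the run ended
            run = []
        run.append((ts, key))
    _flush(run, min_run, bursts)
    return bursts


def sample_events():
    """Constructed log as (key, ms since previous key); not captured data."""
    typed = [("t", 150), ("h", 130), ("e", 12), (" ", 160)]  # human, one rollover
    burst = [("i", 400)] + [(c, 8) for c in "njected-keystrokes"]
    tail = [("o", 500), ("k", 140)]
    events, t = [], 0
    for key, gap in typed + burst + tail:
        t += gap
        events.append((t, key))
    return events


if __name__ == "__main__":
    for b in find_bursts(sample_events()):
        print(f"{b.start_ms}-{b.end_ms} ms: {len(b.keys)} keys, "
              f"mean gap {b.mean_gap_ms:.1f} ms: {b.keys!r}")
```

The single 12 ms gap in the human portion is ignored because the run is too short; only the sustained 8 ms burst is reported.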
Bluetooth requires "associating" the device to the computer. Does it not?
Alex

"There is a cult of ignorance in the United States, and there has always been. The strain of anti-intellectualism has been a constant thread winding its way through our political and cultural life, nurtured by the false notion that democracy means that "my ignorance is just as good as your knowledge."

-- Isaac Asimov
You would think
You would be wrong.
Bastille said that an attacker could also force a new device to pair with an old dongle for the same type of access.
--

Drew
That does not say what you think it says
Researchers at Bastille Networks today said that non-Bluetooth devices from seven manufacturers...


They're talking about pairing keyboards to the USB dongles, not straight to the laptop's BT. (And I think even that should only affect products like Logitech's Unifying receiver which does not have a hardware button to initiate pairing mode.)
Ah, makes sense
--

Drew
why you turn off usb access in work laptops, no cd access either, application control on
so one cannot install anything not blessed but you still can't stop people clicking on those prizes won emails
always look out for number one and don't step in number two