Hackers can steal your passwords via your wireless mouse, study finds
Nothing on your computer is actually safe from hackers, pretty much ever.
As a general rule of thumb, anything that transmits information to or from your computer is a channel hackers can use to get your personal data. That includes things that you probably wouldn’t naturally think of as vulnerable to attack—your wireless mouse, for example.
Researchers at China’s Southeast University recently published a study showing that, by tracking the movements of a wireless mouse, hackers can reconstruct passwords entered on wireless keyboards through a wireless Bluetooth mouse.
The initial jumping off point for the study was a 2009 statement by leading wireless mouse manufacturer Logitech that it wasn’t encrypting the Bluetooth data being transmitted between its mice and users’ computers because “the displacements of a mouse would not give any useful information to a hacker.”
The researchers, whose study is entitled “Password Extraction via Reconstructed Wireless Mouse Trajectory,” would like to argue otherwise. “In this paper, we show mouse movement data leaks extremely sensitive information. The timings and positions of mouse movements are often used as an entropy source for random number and secret generation,” the authors wrote. “Leaked mouse movement data could reduce the entropy of seeding for such random number generation. From a reconstructed mouse trajectory on screen, an attacker may build a user’s computer usage profile, identify applications, or even obtain user passwords.”
“This problem is particularly serious given the conventional belief that mouse traffic can be unencrypted, lending users a false sense of security,” they added.
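The entropy point in the quote above can be made concrete with a short added example (not code from the study or from any vendor): a seed derived only from mouse reports is fully recomputable by anyone who captured those reports, while mixing the same reports into OS randomness is not. The event values, the function names, and the timing-jitter observer model are assumptions made for illustration.

```python
import hashlib
import math
import os
import struct

# Constructed sample: (dx, dy, ms since previous report), not captured traffic.
EVENTS = [(3, -1, 8), (5, -2, 8), (4, 0, 16), (-2, 6, 8), (-7, 3, 24), (1, 1, 8)]


def digest_events(events):
    """Hash a sequence of mouse reports into 32 bytes."""
    h = hashlib.sha256()
    for dx, dy, dt in events:
        h.update(struct.pack("<hhH", dx, dy, dt))
    return h.digest()


def mouse_only_seed(events):
    """Weak pattern: the seed is a pure function of the mouse reports."""
    return digest_events(events)


def residual_bits(n_events, timing_jitter_ms):
    """Upper bound on the entropy left against an observer who captured every
    displacement and knows each inter-report time to within +/- jitter
    (an assumed observer model, not a figure from the study)."""
    return n_events * math.log2(2 * timing_jitter_ms + 1)


def mixed_seed(events):
    """Hardened pattern: mouse data is only mixed into OS randomness, so a
    fully observed mouse stream cannot lower the seed's entropy."""
    return hashlib.sha256(os.urandom(32) + digest_events(events)).digest()


if __name__ == "__main__":
    captured = list(EVENTS)  # what an observer of the unencrypted link holds
    print("observer recomputes weak seed:",
          mouse_only_seed(captured) == mouse_only_seed(EVENTS))
    print("bits left, exact timing:", residual_bits(len(EVENTS), 0))
    print("bits left, +/-2 ms timing:", round(residual_bits(len(EVENTS), 2), 1))
    print("mixed seeds differ per call:", mixed_seed(EVENTS) != mixed_seed(EVENTS))
```
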
The researchers noted that there are a number of off-the-shelf tools a hacker could use to intercept data beamed between a wireless mouse and a computer. The study found that the cursor trajectory from a wireless mouse can be used in what’s called a prediction attack to reconstruct where a user clicked on an onscreen keyboard while entering a password, after taking into account factors like the algorithms that determine mouse acceleration and packet loss between the two devices. Using this method, the researchers were able to determine user passwords with an accuracy rate of over 95 percent.
Virtual keyboards are relatively uncommon; however, many security professionals have argued they are more secure than hardware keyboards because they circumvent keylogging malware that records all of the buttons pressed on a computer’s keyboard and then secretly transmits that information to a third party.
One potential hurdle in finding passwords using this method is that the algorithms for mouse acceleration are often proprietary, meaning their source code isn’t public knowledge. The researchers were able to get around this by taking the intercepted information and then running it on a computer using the same operating system as the target. On Apple’s OSX 10.6.5 operating system, the team’s success rate was 44 percent. On Windows 7, they were able to determine passwords 100 percent of the time.
They used a Logitech MX 5500 Bluetooth for their experiments, but added that, “we actually investigated many other Bluetooth mice and found mice under the same brand share the same semantics.”
Representatives from Logitech did not respond to a request for comment; however, the researchers noted that Logitech isn’t the only company making wireless mice that doesn’t encrypt data coming from the devices. They found that no manufacturers—including Microsoft, Apple, and Lenovo—take steps to protect the security of information transmitted by their wireless mice.
“To the best of our knowledge, we believe that the aforesaid hidden vulnerability of Bluetooth mice was largely ignored,” the study’s authors write. “Hence, we intend to sound a warning bell to the industry that unencrypted communications over Bluetooth mice may be detrimental to user online privacy and security.”
Photo via endolith/Flickr (CC BY SA 2.0)
Aaron Sankin is a former Senior Staff Writer at the Daily Dot who covered the intersection of politics, technology, online privacy, Twitter bots, and the role of dank memes in popular culture. He lives in Seattle, Washington. He joined the Center for Investigative Reporting in 2016.