Hackers can steal your passwords via your wireless mouse, study finds
Nothing on your computer is actually safe from hackers, pretty much ever.
As a general rule of thumb, anything that transmits information to or from your computer is a way hackers can use to get your personal data. That includes things that you probably wouldn’t naturally think of as vulnerable to attack—your wireless mouse, for example.
Researchers at China’s Southeast University recently published a study showing that, by tracking the movements of a wireless mouse, hackers can reconstruct passwords entered on wireless keyboards through a wireless Bluetooth mouse.
The initial jumping-off point for the study was a 2009 statement by leading wireless mouse manufacturer Logitech that it wasn’t encrypting the Bluetooth data being transmitted between its mice and users’ computers because “the displacements of a mouse would not give any useful information to a hacker.”
The researchers, whose study is titled “Password Extraction via Reconstructed Wireless Mouse Trajectory,” argue otherwise. “In this paper, we show mouse movement data leaks extremely sensitive information. The timings and positions of mouse movements are often used as an entropy source for random number and secret generation,” the authors wrote. “Leaked mouse movement data could reduce the entropy of seeding for such random number generation. From a reconstructed mouse trajectory on screen, an attacker may build a user’s computer usage profile, identify applications, or even obtain user passwords.”
“This problem is particularly serious given the conventional belief that mouse traffic can be unencrypted, lending users a false sense of security,” they added.
The researchers noted that there are a number of off-the-shelf tools a hacker could use to intercept data beamed between a wireless mouse and a computer. The study found that the cursor trajectory from a wireless mouse can be used in what’s called a prediction attack: after taking into account factors like the algorithms that determine mouse acceleration and packet loss between the two devices, an attacker can reconstruct where a user clicked on an onscreen keyboard while entering a password. Using this method, the researchers were able to determine user passwords with an accuracy rate of over 95 percent.
Virtual keyboards are relatively uncommon; however, many security professionals have argued they are more secure than hardware keyboards because they circumvent keylogging malware that records all of the buttons pressed on a computer’s keyboard and then secretly transmits that information to a third party.
One potential hurdle in finding passwords using this method is that the algorithms for mouse acceleration are often proprietary, meaning their source code isn’t public knowledge. The researchers were able to get around this by taking the intercepted information and then running it on a computer using the same operating system as the target. On Apple’s OS X 10.6.5 operating system, the team’s success rate was 44 percent. On Windows 7, they were able to determine passwords 100 percent of the time.
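Why relative displacements are not harmless, and why the acceleration rule matters to the reconstruction, shown as an added example that is not code from the study or from this article. The keyboard layout, key size, start position, acceleration rule and packet list are all constructed assumptions.

```python
# Constructed on-screen keyboard: three unstaggered rows of 40x40 px keys.
ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]
KEY = 40
WIDTH, HEIGHT = KEY * 10, KEY * len(ROWS)


def accelerate(d, gain, threshold):
    """Hypothetical acceleration rule: fast movements are scaled by `gain`."""
    return d * gain if abs(d) > threshold else d


def key_at(x, y):
    """Return the key under pixel (x, y), or '?' for the gap beside a short row."""
    row = ROWS[y // KEY]
    col = x // KEY
    return row[col] if col < len(row) else "?"


def replay(packets, start=(20, 20), gain=2, threshold=4):
    """Integrate (dx, dy, click) packets into a cursor path and return
    the keys that were under the cursor at each click."""
    x, y = start  # assumed known start position (centre of the 'q' key)
    clicked = []
    for dx, dy, click in packets:
        # Clamp the cursor to the keyboard area, as a screen edge would.
        x = max(0, min(WIDTH - 1, x + accelerate(dx, gain, threshold)))
        y = max(0, min(HEIGHT - 1, y + accelerate(dy, gain, threshold)))
        if click:
            clicked.append(key_at(x, y))
    return "".join(clicked)


# Constructed packet stream: raw sensor deltas plus a click flag.
PACKETS = [
    (60, 0, 0), (60, 0, 0), (60, 0, 1),
    (-60, 10, 0), (-60, 10, 0), (-60, 0, 1),
    (20, 0, 1),
    (0, 0, 1),
]

if __name__ == "__main__":
    print(replay(PACKETS))          # replayed with the matching acceleration rule
    print(replay(PACKETS, gain=1))  # replayed with the wrong acceleration rule
```

Replayed with the matching rule, the clicks land on the typed keys; with the wrong rule the path drifts and the first key is misread, which is why the success rate depends on reproducing the target system's acceleration behaviour.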
They used a Logitech MX 5500 Bluetooth for their experiments, but added that, “we actually investigated many other Bluetooth mice and found mice under the same brand share the same semantics.”
Representatives from Logitech did not respond to a request for comment; however, the researchers noted that Logitech isn’t the only company making wireless mice that doesn’t encrypt data coming from the devices. They found that no manufacturers—including Microsoft, Apple, and Lenovo—take steps to protect the security of information transmitted by their wireless mice.
“To the best of our knowledge, we believe that the aforesaid hidden vulnerability of Bluetooth mice was largely ignored,” the study’s authors write. “Hence, we intend to sound a warning bell to the industry that unencrypted communications over Bluetooth mice may be detrimental to user online privacy and security.”
Aaron Sankin is a former Senior Staff Writer at the Daily Dot who covered the intersection of politics, technology, online privacy, Twitter bots, and the role of dank memes in popular culture. He lives in Seattle, Washington. He joined the Center for Investigative Reporting in 2016.