Hackers can steal your passwords via your wireless mouse, study finds
Nothing on your computer is actually safe from hackers, pretty much ever.
As a general rule of thumb, anything that transmits information to or from your computer is a way hackers can use to get your personal data. That includes things that you probably wouldn’t naturally think of as vulnerable to attack—your wireless mouse, for example.
Researchers at China’s Southeast University recently published a study showing that, by tracking the movements of a wireless mouse, hackers can reconstruct passwords entered on wireless keyboards through a wireless Bluetooth mouse.
The initial jumping-off point for the study was a 2009 statement by leading wireless mouse manufacturer Logitech that it wasn’t encrypting the Bluetooth data being transmitted between its mice and users’ computers because “the displacements of a mouse would not give any useful information to a hacker.”
The researchers, whose study is entitled “Password Extraction via Reconstructed Wireless Mouse Trajectory,” would like to argue otherwise. “In this paper, we show mouse movement data leaks extremely sensitive information. The timings and positions of mouse movements are often used as an entropy source for random number and secret generation,” the authors wrote. “Leaked mouse movement data could reduce the entropy of seeding for such random number generation. From a reconstructed mouse trajectory on screen, an attacker may build a user’s computer usage profile, identify applications, or even obtain user passwords.”
“This problem is particularly serious given the conventional belief that mouse traffic can be unencrypted, lending users a false sense of security,” they added.
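The entropy point in the researchers' statement can be made concrete with a short added example (not code from the study or from this article). It assumes an observer who captures the unencrypted displacement reports and their timing; the screen size, the sample reports and all function names are constructed for illustration.

```python
import hashlib
import math
import os

# Constructed sample: a small 64x48 "screen" and relative mouse reports
# (dx, dy, ms since previous report), as seen on the unencrypted link.
SCREEN_W, SCREEN_H = 64, 48
REPORTS = [(3, 1, 8), (5, 2, 8), (-2, 4, 16), (7, -1, 8), (1, 6, 24), (-4, 3, 8)]


def absolute_path(start, reports):
    """Turn relative reports into absolute (x, y, dt) samples from a start pixel."""
    x, y = start
    path = []
    for dx, dy, dt in reports:
        x, y = x + dx, y + dy
        path.append((x, y, dt))
    return path


def weak_seed(path):
    """Weak pattern: the secret depends on mouse positions and timings only."""
    return hashlib.sha256(repr(path).encode()).digest()


def hardened_seed(path):
    """Hardened pattern: mouse data is mixed with the OS CSPRNG, never used alone."""
    return hashlib.sha256(os.urandom(32) + repr(path).encode()).digest()


def candidates_matching(seed, reports):
    """Count start pixels for which the observed reports reproduce `seed`."""
    hits = 0
    for sx in range(SCREEN_W):
        for sy in range(SCREEN_H):
            if weak_seed(absolute_path((sx, sy), reports)) == seed:
                hits += 1
    return hits


def residual_entropy_bits():
    """With the reports known, only the start pixel is left to guess."""
    return math.log2(SCREEN_W * SCREEN_H)
```

With the reports visible, the mouse-only seed retains roughly 11.6 bits of uncertainty on this constructed screen regardless of how many movements were collected, while the seed mixed with operating-system randomness cannot be reproduced from the captured traffic.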
The researchers noted that there are a number of off-the-shelf tools a hacker could use to intercept data beamed between a wireless mouse and a computer. The study found that the cursor trajectory from a wireless mouse can be used in what’s called a prediction attack to reconstruct where a user clicked on an onscreen keyboard while entering a password. The reconstruction has to take into account factors like the algorithms that determine mouse acceleration and packet loss between the two devices. Using this method, the researchers were able to determine user passwords with an accuracy rate of over 95 percent.
Virtual keyboards are relatively uncommon; however, many security professionals have argued they are more secure than hardware keyboards because they circumvent keylogging malware that records all of the buttons pressed on a computer’s keyboard and then secretly transmits that information to a third party.
One potential hurdle in finding passwords using this method is that the algorithms for mouse acceleration are often proprietary, meaning their source code isn’t public knowledge. The researchers were able to get around this by taking the intercepted information and then running it on a computer using the same operating system as the target. On Apple’s OSX 10.6.5 operating system, the team’s success rate was 44 percent. On Windows 7, they were able to determine passwords 100 percent of the time.
They used a Logitech MX 5500 Bluetooth for their experiments, but added that, “we actually investigated many other Bluetooth mice and found mice under the same brand share the same semantics.”
Representatives from Logitech did not respond to a request for comment; however, the researchers noted that Logitech isn’t the only company making wireless mice that doesn’t encrypt data coming from the devices. They found that no manufacturers—including Microsoft, Apple, and Lenovo—take steps to protect the security of information transmitted by their wireless mice.
“To the best of our knowledge, we believe that the aforesaid hidden vulnerability of Bluetooth mice was largely ignored,” the study’s authors write. “Hence, we intend to sound a warning bell to the industry that unencrypted communications over Bluetooth mice may be detrimental to user online privacy and security.”
Photo via endolith/Flickr (CC BY SA 2.0)
Aaron Sankin is a former Senior Staff Writer at the Daily Dot who covered the intersection of politics, technology, online privacy, Twitter bots, and the role of dank memes in popular culture. He lives in Seattle, Washington. He joined the Center for Investigative Reporting in 2016.