As a general rule of thumb, anything that transmits information to or from your computer is a channel hackers can use to get your personal data. That includes things that you probably wouldn’t naturally think of as vulnerable to attack—your wireless mouse, for example.
Researchers at China’s Southeast University recently published a study showing that, by tracking the movements of a wireless mouse, hackers can reconstruct passwords entered on wireless keyboards through a wireless Bluetooth mouse.
The initial jumping-off point for the study was a 2009 statement by leading wireless mouse manufacturer Logitech that it wasn’t encrypting the Bluetooth data being transmitted between its mice and users’ computers because “the displacements of a mouse would not give any useful information to a hacker.”
The researchers, whose study is entitled “Password Extraction via Reconstructed Wireless Mouse Trajectory,” would like to argue otherwise. “In this paper, we show mouse movement data leaks extremely sensitive information. The timings and positions of mouse movements are often used as an entropy source for random number and secret generation,” the authors wrote. “Leaked mouse movement data could reduce the entropy of seeding for such random number generation. From a reconstructed mouse trajectory on screen, an attacker may build a user’s computer usage profile, identify applications, or even obtain user passwords.”
“This problem is particularly serious given the conventional belief that mouse traffic can be unencrypted, lending users a false sense of security,” they added.
The researchers noted that there are a number of off-the-shelf tools a hacker could use to intercept data beamed between a wireless mouse and a computer. The study found that the cursor trajectory from a wireless mouse can be used in what’s called a prediction attack, which reconstructs where a user clicked on an onscreen keyboard while entering a password. The reconstruction has to account for factors like the algorithms that determine mouse acceleration and packet loss between the two devices. Using this method, the researchers were able to determine user passwords with an accuracy rate of over 95 percent.
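The sketch below is an added illustration, not code from the study, of why relative displacements on their own are sensitive: it counts how many strings remain consistent with the geometry of three clicks when the cursor's starting position is unknown. The keyboard layout, the `(dx, dy, click)` report format, and the absence of acceleration and packet loss are all assumptions made for the example.

```python
# Constructed on-screen keyboard: rows of 40x40 px keys, no stagger (assumption).
ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]
KEY = 40

# Constructed mouse reports (dx, dy, click) for a user clicking d, o, g.
# Assumes no pointer acceleration and no lost packets.
REPORTS = [(-30, 12, False), (-25, 10, False), (0, 0, True),
           (120, -20, False), (120, -20, False), (0, 0, True),
           (-160, 40, False), (0, 0, True)]

def key_at(x, y):
    """Key under pixel (x, y) measured from the keyboard's top-left, or None."""
    if x < 0 or y < 0:
        return None
    row, col = y // KEY, x // KEY
    if row < len(ROWS) and col < len(ROWS[row]):
        return ROWS[row][col]
    return None

def click_deltas(reports):
    """Accumulate relative reports; return each click's offset from the first click."""
    x = y = 0
    clicks = []
    for dx, dy, pressed in reports:
        x, y = x + dx, y + dy
        if pressed:
            clicks.append((x, y))
    x0, y0 = clicks[0]
    return [(cx - x0, cy - y0) for cx, cy in clicks]

def consistent_strings(reports, step=10):
    """Place the first click everywhere on the keyboard; keep the strings
    for which every later click also lands on a key."""
    deltas = click_deltas(reports)
    width, height = KEY * len(ROWS[0]), KEY * len(ROWS)
    found = set()
    for fx in range(0, width, step):
        for fy in range(0, height, step):
            keys = [key_at(fx + dx, fy + dy) for dx, dy in deltas]
            if all(keys):
                found.add("".join(keys))
    return found

if __name__ == "__main__":
    candidates = consistent_strings(REPORTS)
    print(len(candidates), "of", 26 ** 3, "three-letter strings fit:", sorted(candidates))
```

On this constructed input only seven of the 17,576 possible three-letter strings fit the click geometry, which is why the displacement stream deserves the same protection as keystrokes.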
Virtual keyboards are relatively uncommon; however, many security professionals have argued they are more secure than hardware keyboards because they circumvent keylogging malware that records all of the buttons pressed on a computer’s keyboard and then secretly transmits that information to a third party.
Cybersecurity firm Kaspersky’s antivirus software, for example, gives users the option of inputting passwords with a software keyboard for this very reason—as does international banking giant HSBC.
One potential hurdle in finding passwords using this method is that the algorithms for mouse acceleration are often proprietary, meaning their source code isn’t public knowledge. The researchers were able to get around this by taking the intercepted information and then running it on a computer using the same operating system as the target. On Apple’s OS X 10.6.5 operating system, the team’s success rate was 44 percent. On Windows 7, they were able to determine passwords 100 percent of the time.
They used a Logitech MX 5500 Bluetooth for their experiments, but added that, “we actually investigated many other Bluetooth mice and found mice under the same brand share the same semantics.”
Representatives from Logitech did not respond to a request for comment; however, the researchers noted that Logitech isn’t the only company making wireless mice that doesn’t encrypt data coming from the devices. They found that no manufacturers—including Microsoft, Apple, and Lenovo—take steps to protect the security of information transmitted by their wireless mice.
“To the best of our knowledge, we believe that the aforesaid hidden vulnerability of Bluetooth mice was largely ignored,” the study’s authors write. “Hence, we intend to sound a warning bell to the industry that unencrypted communications over Bluetooth mice may be detrimental to user online privacy and security.”