Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

New mouse: side buttons and vulnerability


  • Please log in to reply
8 replies to this topic

#1 bcmo

bcmo

  • Members
  • 238 posts
  • OFFLINE
  •  
  • Local time:01:04 AM

Posted 31 August 2016 - 05:55 PM

I'm looking to buy a new wireless mouse.

1) Regarding the ones that have buttons on the side, is it easy to accidentally press those buttons while regularly using the mouse which requires having fingers on the side near them?

2) Are there any companies whose wireless mice are still vulnerable to Mousejack? And are there companies that are known for not being vulnerable to it? (Like maybe TeckNet?)

 

Thank you.



BC AdBot (Login to Remove)

 


#2 Gorbulan

Gorbulan

  • Members
  • 832 posts
  • OFFLINE
  •  
  • Local time:10:04 PM

Posted 31 August 2016 - 06:31 PM

1. Not in my experience. I tend towards "gaming" mice, but have used plenty of others. There are a lot of mice out there, some could have inconvenient side buttons. It depends on the size of your hand and the size of the mouse.

2. I believe Bluetooth mice are not susceptible to MouseJack since they require actual authentication to connect to a computer.



#3 smax013

smax013

  • BC Advisor
  • 2,329 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:12:04 AM

Posted 31 August 2016 - 06:33 PM

I'm looking to buy a new wireless mouse.
1) Regarding the ones that have buttons on the side, is it easy to accidentally press those buttons while regularly using the mouse which requires having fingers on the side near them?


I have had a number of Logitech mice (both wired and wireless...currently using a wireless with six side buttons) with side buttons and never had any issue with accidentally pressing those side buttons. For all such mice that I have used, the design is such that there is a natural place to place the thumb that is below the buttons. So, you actively have the raise your thumb up to press one of the buttons.

But, I suppose it would depend on the design. As I said, all the mice I have used with side buttons have had a natural place for the thumb to rest. While most mice with side buttons that I have seen have very similar designs to the Logitech mice I have used, it is possible that there are different designs that might make it slightly easier to accidentally press a side button. But even then, you still need your thumb to be "flailing" around with a decent amount of force as most side buttons require more force to push then your typical left or right click button.

2) Are there any companies whose wireless mice are still vulnerable to Mousejack? And are there companies that are known for not being vulnerable to it? (Like maybe TeckNet?)
 
Thank you.


I do not know of a definitive and exhaustive list of which mice are or are not vulnerable to it. The best list there is out there is this one:

https://www.bastille.net/affected-devices

This list only contains mice that they tested and where show to be vulnerable. They have a "disclaimer" at the bottom of the second table that basically says they could not buy and test every possible mouse out on the market, so the list is not definitive and exhaustive...i.e. there might be other vulnerable mice out there.

From what I understand, typically the higher end mice from companies like Logitech did have encryption. It was mainly lower end mice that were vulnerable. I would expect that many mice manufacturer's newer mice (i.e. designed and first released since the discovery of Mousejack) likely are designed to not have the vulnerability.

As I understand it, the best thing to look for is that the mouse is used AES encryption. And FWIW, I could find no indication on whether TeckNet mice did or did not use AES encryption, so I have no idea if they are vulnerable or not.

#4 smax013

smax013

  • BC Advisor
  • 2,329 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:12:04 AM

Posted 31 August 2016 - 06:33 PM

2. I believe Bluetooth mice are not susceptible to MouseJack since they require actual authentication to connect to a computer.


That is correct.

#5 bcmo

bcmo
  • Topic Starter

  • Members
  • 238 posts
  • OFFLINE
  •  
  • Local time:01:04 AM

Posted 31 August 2016 - 07:48 PM

Thank you.

 

It's very strange that when I search Amazon for wireless mouse with AES encryption, only mice with keyboards come up, but not stand alone mice. The same applies for the Logitech mice in the Bastille page.

I wish there was a way to check for just stand alone mice that have AES encryption.



#6 Captain_Chicken

Captain_Chicken

  • BC Advisor
  • 1,369 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:04 AM

Posted 31 August 2016 - 08:19 PM

You won't need mouse encryption... you won't send a password via your mouse. The keyboard, however, should be encrypted.

Computer Collection:

Spoiler

Spoiler

Spoiler

Spoiler

#7 smax013

smax013

  • BC Advisor
  • 2,329 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:12:04 AM

Posted 31 August 2016 - 08:25 PM

Thank you.
 
It's very strange that when I search Amazon for wireless mouse with AES encryption, only mice with keyboards come up, but not stand alone mice. The same applies for the Logitech mice in the Bastille page.
I wish there was a way to check for just stand alone mice that have AES encryption.


In Logitech's case, it should be using AES encryption if it is using their "Advanced 2.4 GHz Technology" per this white paper:

http://www.logitech.com/images/pdf/roem/Logitech_Adv_24_Ghz_Whitepaper_BPG2009.pdf

That would seem to include this Logitech mouse with side buttons (cheapest option)...see "wireless system" item under specifications:

http://www.logitech.com/en-us/product/wireless-mouse-m510?crid=7

All the other more expensive "Unifying" non-gaming options also seem to use the "Advanced 2.4 GHz Technology". And none of their "straight" 2.4 GHz (i.e. non-unifying) mice have side buttons it seems.

And I will note that for Logitech's vulnerable devices, Logitech provided a firmware update as indicated by the link on the affected devices page (although the link is old and no longer works) and by this article:

https://threatpost.com/mousejack-attacks-abuse-vulnerable-wireless-keyboard-mouse-dongles/116402/

#8 smax013

smax013

  • BC Advisor
  • 2,329 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:12:04 AM

Posted 31 August 2016 - 08:33 PM

You won't need mouse encryption... you won't send a password via your mouse. The keyboard, however, should be encrypted.


In theory, a non-encrypted mouse that is vulnerable to Mousejack can be remotely hacked to allow at a minimum control of the mouse. But, it can also be used to send other "keystroke" commands to the computer through the wireless adapter that would allow more serious issues (a mouse is essentially just another HID device to Windows, so you can send keyboard commands through a mouse USB wireless dongle...this is essentially what mice programmable buttons are doing). And this can be done up to 100 m away from their testing.

You can read more here: https://www.mousejack.com

In reality, it is highly unlikely your run of the mill "normal" user has anything to worry about unless they have some specific reason to be targeted (i.e. pissed someone off). It is more of a concern for business use IMHO, especially business use in sensitive areas.

#9 bcmo

bcmo
  • Topic Starter

  • Members
  • 238 posts
  • OFFLINE
  •  
  • Local time:01:04 AM

Posted 31 August 2016 - 08:55 PM

Thank you all.

It's good to know that the Advanced 2.4 GHz Technology is AES encrypted.

 

In reality, it is highly unlikely your run of the mill "normal" user has anything to worry about...

Thanks. Good to know.






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users