1

I'm sure a lot of you are aware of the vulnerability in unencrypted wireless mouses. If not, here's a website reporting on the vulnerability: https://www.mousejack.com/

It sounds like the best way to prevent an attack as a consumer is to either not use a wireless mouse or make sure that the mouse you're using/buying has had this vulnerability corrected. However, wireless mouses are so cheap that I'm sure many (including myself) have one from manufacturers that haven't really responded (yet?) to this vulnerability.

Since the communication is unencrypted, the attack I assume to be unencrypted as well, so I think that it would be pretty easy to "sniff" out this attack at a public space. As a consumer however, I don't have the skillz to write out my code and use my existing wireless mouse dongle to sniff out attacks.

So first question is, is there already a way to do this (use your wireless dongle communication to alert of an attack)? I saw that there's a program to find vulnerable dongles with an antenna, but not to find an attacker actively trying to exploit it: https://github.com/rfstorm/mousejack

Second question, do you know other ways to prevent/discover a mousejack attack on your computer/somebody else's in a public space?

Esteban

2 Answers

2

If I understand this issue correctly, mouse movements are sent unencrypted by design, and keystrokes are sent encrypted by design, however the receiver also accepts unencrypted (and unauthenticated) keystrokes as well, allowing an attacker to inject them?

Regarding detecting unencrypted mouse movements, I would say there is no easy way to detect such an attack. It simply appears to your computer as regular instructions for your mouse. Imagine you were blind, you could not move or speak, and the only sense you had was hearing. Now it gets worse. Not only are you only able to hear, but you aren't able to differentiate between voices. That's what a wireless mouse receiver is like. It has no way of detecting such an attack because the fake signal is identical, for all intents and purposes, to the legitimate signal.

As for unencrypted keystrokes, that's a different story. Because keystrokes are not meant to be unencrypted, the receipt of an unencrypted keystroke is an anomaly. If you connect a Bluetooth device to your computer which can capture arbitrary Bluetooth packets, you should be able to detect when unencrypted keystrokes are transmitted. You would have to find out what the format is, how to detect when the packet is unencrypted, and then how to detect if the payload message contains a keystroke. If it is, then you should have your computer immediately disconnect the keyboard and mouse device and alert you so you can take action. I know of no way to already do this, but there are ample resources to learn how to.

Note that Bluetooth is historically not the most secure protocol, so even if this "vulnerability" is fixed, using a Bluetooth connected mouse and keyboard is rather foolish. PS/2 is low power, entirely interrupt-based so the CPU isn't being woken up thousands of times a second. USB is cheap, the cords reach as long as you want, and if you know how to manage your wires, they will never get in the way. Using wireless peripherals is asking for trouble.

forest
  • 1
    Not all wireless peripherals are sent unencrypted by design. I know most Logitech devices have used 128-bit AES encryption as early as 2009. – Bacon Brad Apr 07 '16 at 04:06
  • 1
    @BradMetcalf: even if the device uses encryption, the key exchange protocol can be badly designed, e.g. Bluetooth. – Yuriko Apr 07 '16 at 06:34
2

Definitively detecting these attacks will require a hardware radio receiver, like an rtl-sdr device. You can make some guesses based on how you think a remote mouse would have to act, but they're only guesses. (And you'd have false positives.) And you'd have to write all this code, because it doesn't exist.

You can spend a lot of effort worrying and trying to figure out if there's a mousejacking taking place, and you still risk missing the evidence of the attack.

Or you can simply replace your wireless mouse with a Bluetooth mouse, which is much harder to exploit.

John Deters
  • 1
    Note that even if Bluetooth is not vulnerable to the *same* technical vulnerabilities, it brings its own set of vulnerabilities which allows an attacker to do the *same* scenario. You can take a look at Mike Ryan's talk and demonstration (with a BLE mouse) during the DEFCON Wireless Village 2014: [The NSA Playset: Bluetooth Smart Attack Tools -- 23m40s.](https://www.youtube.com/watch?v=_Z4gYyrKVFM&t=23m40s) Thus, *I* would not advise to replace the mouse with a Bluetooth one. – Yuriko Apr 07 '16 at 06:32
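
The kind of host-side guess described in the answer above can be made from keystroke timing, assuming injected keystrokes arrive in bursts faster than a person types. This is an added example, not code from either answer; the event format (as if from a hypothetical host keyboard hook), the thresholds and all names are assumptions, and the sample data is constructed.

```python
from typing import List, NamedTuple, Tuple

# Assumed thresholds, not taken from the page; tune them against real typing.
MIN_HUMAN_GAP_MS = 30   # key-downs closer together than this are "too fast"
BURST_LEN = 8           # consecutive fast key-downs needed before alerting
MIN_DISTINCT_KEYS = 3   # a held key auto-repeating is fast but is one key


class Alert(NamedTuple):
    start_ms: int
    end_ms: int
    keys: int


def find_injection_bursts(events: List[Tuple[int, str]]) -> List[Alert]:
    """events: (timestamp_ms, key) key-down records from a hypothetical host hook."""
    events = sorted(events)
    alerts, run_start = [], 0
    for i in range(1, len(events) + 1):
        # A run ends at the end of input or at the first human-speed gap.
        if i == len(events) or events[i][0] - events[i - 1][0] >= MIN_HUMAN_GAP_MS:
            run = events[run_start:i]
            distinct = len({key for _, key in run})
            if len(run) >= BURST_LEN and distinct >= MIN_DISTINCT_KEYS:
                alerts.append(Alert(run[0][0], run[-1][0], len(run)))
            run_start = i
    return alerts


def build_sample() -> List[Tuple[int, str]]:
    """Constructed sample: human typing, a held key, then a scripted burst."""
    events, t = [], 0
    for key in "hello world":        # human pace: 150 ms between keys
        events.append((t, key))
        t += 150
    for _ in range(15):              # held 'a' auto-repeating every 20 ms
        events.append((t, "a"))
        t += 20
    t += 500
    for key in "example burst":      # scripted burst: 4 ms between keys
        events.append((t, key))
        t += 4
    return events


if __name__ == "__main__":
    for alert in find_injection_bursts(build_sample()):
        print(f"possible injection: {alert.keys} keys in "
              f"{alert.end_ms - alert.start_ms} ms starting at {alert.start_ms} ms")
```

Macro keys and barcode scanners that present as keyboards will also trip this check, and an injector that paces its keystrokes at human speed will not, which is the false-positive and missed-evidence risk the answer describes.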