This new proof-of-concept attack requires the attacker to be physically near vulnerable workstations and for the workstation to not be password protected while user is physically away. While the are impracticalities for most attacks, this may provide conduits to inject malware into a system to weaken other security controls

Countless wireless mice and keyboards can be hacked from 100 yards away leaving their host machines and the networks they are attached to open to malware, Bastille has discovered.  The problem, which is being called MouseJack, affects Amazon, Dell, Gigabyte, HP, Lenovo, Logitech and Microsoft products, the company says, and likely more vendors’ gear that they haven’t tested. Logitech alone shipped its billionth mouse in 2008, so the problem is widespread.

The weakness lies in the protocols used between the devices and the USB wireless receivers attached to host computers, says Mark Newlin, the Bastille researcher who discovered the problem. They are unencrypted, leaving the devices susceptible to keystroke injection attacks.

That can be done from a remote computer equipped with an off-the-shelf USB wireless dongle sending keystrokes, he says. He says it took between days and weeks to reverse-engineer the protocols himself so he could send the keystrokes.

The remote machine can be 100 yards away as long as it has direct line-of-sight with the target. That distance could be increased considerably by adding an auxiliary antenna, he says. Users of the machines would have to be away from them and logged in for the attack to work. If they were there they’d see the attack strokes being entered.

Dell notes that if customers use a password on their login screens and don’t walk away from their computers while logged in, the attack won’t work unless the attacker can break the password.