Last week, Microsoft issued a security advisory, delivered as an optional update, for wireless peripherals and specifically mice. Until the update is installed, Microsoft said, the receiving USB wireless dongle will accept QWERTY keystroke packets (that is, ordinary keyboard input) arriving on the RF address of a paired wireless mouse. In other words, an attacker who can transmit on that address can inject keystrokes rather than clicks and run commands on the host. Why that merits a security advisory from Microsoft is clear. The concern is that Microsoft judged it to merit only an optional update (as opposed to an "important" or "recommended" one), and that the patch itself is limited in scope.
According to a CSO Online story, "the attack, dubbed MouseJack, affects wireless mice and keyboards from many manufacturers, including Microsoft. It was discovered and presented earlier this year by security researchers from IoT security firm Bastille Networks. MouseJack exploits several vulnerabilities in the communications protocols between the USB dongles plugged into computers and the wireless mice and keyboards that are paired with them. These flaws allow attackers to spoof a wireless mouse from (as many as) 100 meters away and send rogue keystrokes instead of clicks to a computer."
As you can imagine, this gets worse. The story quotes one of the Bastille researchers pointing out that Microsoft's approach was far too limited and that many MouseJack attacks will still succeed even after the patch is installed.
That researcher, Marc Newlin, tweeted: "Windows users are still vulnerable to #MouseJack attacks via @microsoft mice after the 3152550 patch. Where's the old MSRC??" The story quoted Newlin as saying, "Injection still works against MS Sculpt Ergonomic Mouse and non-MS mice."
In the Twitter exchange, another security researcher posted "I warned @microsoft against non-Bluetooth wireless peripherals YEARS ago. No one listened. Lo & behold." Newlin posted "Proprietary wireless protocols are definitely a potentially risky path to go down" and "battery life concerns aside, Bluetooth does crypto well" and "It's interesting how many vendors implemented firmware vulnerable to keystroke injection. Hopefully this has been a wake-up call" and "What's frustrating is there was always a secure industry standard protocol available! Never any need to go proprietary."
The frightening reality is that all of Newlin's concerns are on target. Microsoft is often accused of choosing convenience, and perceived customer preference, over security. But convenience is not what is at issue when Redmond opts for a risky proprietary protocol rather than an existing secure standard. That decision has nothing to do with convenience or with perceived customer preference. It is solely about proprietary lock-in.
There is a broader concern, though. Put all of this together: a proprietary protocol where none was needed, a patch that does not fully fix the issue, and that patch labeled "optional". One could conclude that Microsoft isn't taking peripheral security seriously enough. Sadly, in that regard, it is far from alone.
If security controls are operating properly, most attacker-initiated actions can be detected and blocked. Not all, but most. That leaves two avenues ripe for attack. The first is tricking the user into taking the action the attacker wants, such as revealing a password. The second is having the malicious command arrive from a trusted device, such as an attached peripheral.
Consider your keyboard. If you use it to type a command that hands control of your computer to someone in Eastern Europe, or that opens RegEdit and makes highly ill-advised changes to your registry, few security programs will stop you. In effect, that is what MouseJack does. Because the commands appear to come from your mouse or keyboard, and in reality do arrive through their trusted receiver, few security programs would see any reason to block them.
That's why protecting peripherals, especially mice and keyboards, needs to be a top priority, which is clearly not the path Microsoft has chosen. Why especially mice and keyboards? If your printer, scanner or headset started issuing highly sensitive commands to your system, many security programs could treat that as aberrant enough to flag and possibly block. But the very nature of the keyboard and mouse makes them far more dangerous. After all, issuing commands to the operating system is exactly what they are supposed to do.
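To make the dongle-side logic concrete, here is a constructed Python model of a receiver's accept/drop decision. It is an added example for this article, not Microsoft's driver, Bastille's tooling, or the real radio protocol MouseJack targets; the RF addresses, key, and packet fields are invented for illustration. It contrasts three receivers: one that trusts any packet from a paired address (the MouseJack condition described above), one that applies a type filter in the spirit of the optional patch (drop keystroke packets arriving on an address paired as a mouse), and one that authenticates every packet with a per-pairing key and a replay counter, the property Newlin credits Bluetooth with. The model also assumes, purely for illustration, a paired keyboard whose own packets carry no cryptographic protection, to show that a type filter only covers the cases it enumerates; it does not claim that this is why Newlin still saw injection succeed after the patch.

```python
"""Toy model of a wireless-HID dongle's receive path (constructed example).

Not Microsoft's code and not the real nRF24-based protocol: it models only
the trust decision the article describes and three ways a dongle can make it.
"""
import hashlib
import hmac
from dataclasses import dataclass, field

MOUSE, KEYBOARD = "mouse", "keyboard"

# Constructed RF addresses and pairing keys for the model (not real device values).
MOUSE_ADDR = bytes.fromhex("a1b2c3d4e5")
KEYBOARD_ADDR = bytes.fromhex("0102030405")
KEYBOARD_KEY = b"per-pairing-shared-secret"   # assumed shared at pairing time
MOUSE_KEY = b"another-pairing-secret"


@dataclass
class Packet:
    addr: bytes        # RF address the packet claims to come from
    kind: str          # "click" or "keystroke"
    payload: bytes     # HID report bytes (contents irrelevant to the model)
    counter: int = 0   # monotonic counter, only meaningful when authenticated
    tag: bytes = b""   # HMAC over the packet, only present when authenticated


def mac(key: bytes, pkt: Packet) -> bytes:
    """Bind address, kind, counter and payload together under the pairing key."""
    msg = pkt.addr + pkt.kind.encode() + pkt.counter.to_bytes(4, "big") + pkt.payload
    return hmac.new(key, msg, hashlib.sha256).digest()


@dataclass
class Dongle:
    paired: dict                      # addr -> device type learned at pairing
    mode: str = "vulnerable"          # "vulnerable" | "kind_filter" | "authenticated"
    keys: dict = field(default_factory=dict)          # addr -> key (authenticated mode)
    last_counter: dict = field(default_factory=dict)  # addr -> highest counter seen

    def accept(self, pkt: Packet) -> bool:
        """Return True if the dongle would hand this packet to the host as HID input."""
        if pkt.addr not in self.paired:
            return False  # unknown address: every mode drops it
        if self.mode == "vulnerable":
            # Trust is by address alone, so a keystroke "from" the mouse is accepted.
            return True
        if self.mode == "kind_filter":
            # Drop keystroke packets arriving on an address that was paired as a mouse.
            return not (pkt.kind == "keystroke" and self.paired[pkt.addr] == MOUSE)
        # "authenticated": every packet must carry a valid, fresh MAC.
        key = self.keys.get(pkt.addr)
        if key is None or not hmac.compare_digest(mac(key, pkt), pkt.tag):
            return False  # forged, unkeyed, or tampered packet
        if pkt.counter <= self.last_counter.get(pkt.addr, -1):
            return False  # replayed or reordered packet
        self.last_counter[pkt.addr] = pkt.counter
        return True


def spoofed_keystroke(addr: bytes) -> Packet:
    """What an attacker transmits: the victim device's address, no key, no tag."""
    return Packet(addr, "keystroke", b"\x00\x00\x2c")  # arbitrary HID report bytes


def legit_keystroke(counter: int) -> Packet:
    """A packet from a keyboard that actually shares a key with the dongle."""
    pkt = Packet(KEYBOARD_ADDR, "keystroke", b"\x00\x00\x04", counter=counter)
    pkt.tag = mac(KEYBOARD_KEY, pkt)
    return pkt


def run_scenarios() -> dict:
    """Exercise each receiver mode; every value is True when the model behaves as described."""
    paired = {MOUSE_ADDR: MOUSE, KEYBOARD_ADDR: KEYBOARD}
    vuln = Dongle(paired, "vulnerable")
    filt = Dongle(paired, "kind_filter")
    auth = Dongle(paired, "authenticated",
                  keys={KEYBOARD_ADDR: KEYBOARD_KEY, MOUSE_ADDR: MOUSE_KEY})
    real = legit_keystroke(counter=1)
    return {
        "vulnerable_accepts_spoof_via_mouse": vuln.accept(spoofed_keystroke(MOUSE_ADDR)),
        "filter_blocks_spoof_via_mouse": not filt.accept(spoofed_keystroke(MOUSE_ADDR)),
        "filter_still_accepts_spoof_via_keyboard": filt.accept(spoofed_keystroke(KEYBOARD_ADDR)),
        "auth_blocks_spoof_via_mouse": not auth.accept(spoofed_keystroke(MOUSE_ADDR)),
        "auth_accepts_real_keystroke": auth.accept(real),
        "auth_blocks_replay": not auth.accept(real),
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {ok}")
```

The point of the three modes is the one the article makes: a filter on packet type narrows the attack but leaves any unenumerated path open, while authenticating every packet removes the attacker's ability to speak on a paired address at all, which is why a host-side security product never has to decide whether the "user" meant to type that command.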