Internet safety usually focuses on avoiding shady websites and not clicking on dubious commercials, but a wireless keyboard or mouse can be a security liability as well.
Researchers from Bastille, an Internet of Things security firm, tested out wireless peripherals from seven major manufacturers and reached the conclusion that "mousejacking" is not only real, but also quite dangerous.
Simply put, hackers can use an antenna to infiltrate a computer that uses a wireless keyboard. Once connected, the evildoers can input whatever keystrokes they fancy. This is particularly perilous as a sequence of simple keyboard shortcuts can open a browser, navigate to a website, download and install malware or wipe a hard drive.
Hackers who want to start malicious actions against a computer would only need a simple antenna priced at $60 that can be ordered from Amazon.
Among the most vulnerable targets are air-gapped computers. These are devices that have no physical connection to any network, a measure that is supposed to make them safer. In spite of having no Internet connection, these computers could be operated (and hacked) via a wireless mouse or keyboard.
Bastille experts told Wired that these hackers have to meet some conditions to deploy this evil scheme.
First off, they need to be within a few hundred yards of the victim, but even that might not be enough.
"Injecting keystrokes on a target computer, of course, isn't in itself a full compromise of the machine. The hacker would only have the same privileges as the person using the computer and wouldn't necessarily be able to type his or her passwords," Bastille experts say.
What an attacker could do is to simply download malware and assume control of the computer. For this to work, the PC should already be unlocked and the attacker should have a clear line of sight to the victim's screen.
The even better news is that operating your computer via a wired mouse and keyboard is all it takes to be safe.
Researchers speculate that the number of vulnerable devices reaches one billion. This only shows that IoT security should be a priority for future manufacturers of smart devices.
Wired contacted manufacturers whose peripherals showed security vulnerabilities, but only a few of them answered.
Companies such as Gigabyte, HP and Amazon did not reply to Wired's request for an explanation. On the other hand, Logitech, Microsoft, Dell and Lenovo acknowledged the security weakness.
To show its dedication to its customers, Logitech crafted a firmware update for affected devices, thanks to Bastille's assistance. Dell also seems to be implementing the update from Logitech on some of its keyboards. Lenovo offers another solution: the company says it will replace all vulnerable devices at the clients' request.
Microsoft's statement notes only that the company "will proactively update impacted devices as soon as possible."
In 2015, Security Research Labs warned that most USB-powered/connected devices can be repurposed to serve evil ends. The security company even gave the vulnerability a name: "BadUSB."
The company says that there are few behavioral clues for spotting a BadUSB, and most of the clues come out only after the computer's safety has already been severely compromised.