
How Hackable Is Your Wireless Keyboard and Mouse?

An Internet-of-things security startup says a flaw with some non-Bluetooth wireless keyboards and mouses makes it simple to hack into your computer.
February 23, 2016

Some of the computer dongles that come with wireless keyboards and mouses may offer hackers a fairly simple way to remotely access and take over your computer, according to a new report from Internet-of-things security startup Bastille.

Atlanta-based Bastille says it has determined that a number of non-Bluetooth wireless keyboards and mouses from seven companies—including Logitech, Dell, and Lenovo—have a design flaw that makes it easy for hackers from as far as about 90 meters away to pair with the dongle that these devices use to let you interact with your computer. A hacker could do things like control your computer or add malware to the machine.

The flaw points at yet another potential issue with the ever-growing number of connected devices, though it appears to work over a short range and still seems to be a hypothetical problem.

In tests, the company found around a dozen devices that were susceptible to the flaw, which it’s listing online. Most of them use a line of transceivers made by Nordic Semiconductor that do support 128-bit encryption, says Marc Newlin, a Bastille engineer who found the issue, but it’s up to the maker of the keyboards and mouses to apply it.

Bastille, which tracks malicious Internet-of-things activities by using sensors to track the electromagnetic signatures of Internet-connected devices, determined that while data transmitted by wireless keyboards tends to be encrypted, none of the mouses it tested encrypted their clicks. Also, while most of the keyboards the company tested do encrypt their data before sending it to the dongle, the dongles didn’t always require that the data be encrypted. Both of these things would make it possible for a hacker to fool the dongle on a victim’s computer into thinking that his remote clicks and keystrokes are legitimate.

Newlin says that since each wireless keyboard or mouse has a unique radio frequency address, a hacker would simply use an inexpensive USB dongle to sniff the data packets being transmitted between, say, a mouse and the dongle connected to its computer to figure out that address. Then the hacker could transmit keystroke packets to the dongle as if he were the rightful user of the computer.
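The receiver-side check described in the two paragraphs above, modeled as an added example that is not Bastille's or any vendor's code. The frame layout, the `DONGLE` pairing record, the `demo` helper and the toy tag are all constructed for illustration, and the tag is only a stand-in for real authenticated encryption with the 128-bit key.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical frame layout, constructed for this example only. */
struct frame {
    uint8_t  addr[5];    /* RF address: visible to anyone listening */
    uint8_t  encrypted;  /* 1 if the sender protected the payload */
    uint8_t  payload[8]; /* keystroke or click data */
    uint32_t tag;        /* keyed integrity tag over the payload */
};
struct pairing { uint8_t addr[5]; uint32_t key; };

/* Constructed pairing record; the key stands in for the 128-bit key. */
static const struct pairing DONGLE = { {0x11, 0x22, 0x33, 0x44, 0x55}, 0xC0FFEE01u };

/* Toy keyed tag: a placeholder for a real MAC, not cryptographically secure. */
static uint32_t toy_tag(uint32_t key, const uint8_t *p, size_t n) {
    uint32_t h = key ^ 0x9E3779B9u;
    for (size_t i = 0; i < n; i++) h = (h ^ p[i]) * 16777619u;
    return h;
}

/* Flawed policy: a matching address is treated as proof of identity. */
int accept_flawed(const struct pairing *d, const struct frame *f) {
    return memcmp(d->addr, f->addr, sizeof d->addr) == 0;
}

/* Corrected policy: the frame must also be protected with the pairing key. */
int accept_strict(const struct pairing *d, const struct frame *f) {
    if (memcmp(d->addr, f->addr, sizeof d->addr) != 0) return 0;
    if (!f->encrypted) return 0;
    return f->tag == toy_tag(d->key, f->payload, sizeof f->payload);
}

/* sender: 0 = knows only the address, 1 = paired device,
 *         2 = sets the encrypted flag but has no key */
int demo(int strict, int sender) {
    struct frame f = { {0}, 0, {0x04, 0, 0, 0, 0, 0, 0, 0}, 0 };
    memcpy(f.addr, DONGLE.addr, sizeof f.addr);
    f.encrypted = sender != 0;
    if (sender == 1) f.tag = toy_tag(DONGLE.key, f.payload, sizeof f.payload);
    return strict ? accept_strict(&DONGLE, &f) : accept_flawed(&DONGLE, &f);
}
```

Under the flawed policy all three senders are accepted; under the strict one only the paired device is, which is also why hardware that never encrypted its traffic cannot simply keep working after such a fix.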

Bastille founder and chief technology officer Chris Rouland says the startup let the companies know about the devices it found to be vulnerable, and they’ve mostly been “very attentive” to the problem. Some of the products can be made more secure with a simple software update to the dongle, but most of them can’t be patched, he says, so the dongles would have to be replaced.

In a statement, Logitech’s senior director of engineering, Asif Ahsan, said the company came up with a software update to fix the problem. However, the vulnerability Bastille detected “would be complex to replicate” since it requires being physically close to the victim, he said, which makes it “a difficult and unlikely path of attack.”

“To our knowledge, we have never been contacted by any consumer with such an issue,” he added.

A Dell spokeswoman, meanwhile, said that the software on one of its two affected keyboard and mouse products can be patched. Another will require customers to contact the company’s technical support to find a “suitable replacement.” 

And in a security advisory released Tuesday, Lenovo said the issue, which affects a wireless keyboard, will be fixed in new devices but that customers with an existing version of the device can reach out to Lenovo customer support for a replacement.
