Unexpected Betrayal From Your Right Hand Mouse

Some people really enjoy the kind of computer mouse that would not be entirely out of place in an F-16 cockpit. The kind of mouse that can launch a browser with the gentle shifting of one of its thirty-eight buttons ever so slightly to the left, and open their garage door with a shift of that same button to the right. However, can this power be used for evil, and not just for frustrating guest users of their computer?

We’ve heard of the trusted peripheral being repurposed for nefarious uses before. Sometimes they’ve even been modified for more benign purposes. All of these have a common trend: the mouse itself must be physically modified to add the vulnerability or feature. However, advanced mice with onboard macro support can be used as-is, with no hardware modification, to deliver an attack.

The example in this case is a Logitech G-series gaming mouse. The mouse has the ability to store multiple personal settings in its own memory, so that someone could take the mouse to multiple computers and still have all their settings available. [Stefan Keisse] discovered that the 100-command limit on the macros for each button is more than enough to get a full reverse shell on the target computer.

Considering how frustratingly easy it can be to accidentally press an auxiliary button on these mice, all an attacker would need to do is wait after delivering the sabotaged mouse. Video of the exploit after the break.
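A stored macro replays its keystrokes at firmware speed, far faster than a person can type, and that timing is one of the few signals a defender has when the injecting device looks like an ordinary mouse. The following is an added example, not part of the original article or of [Stefan Keisse]'s work: it scans a constructed input-event log of (timestamp, key) pairs and reports runs of keystrokes whose inter-arrival time is implausibly short. The 30 ms threshold and the minimum run length of 8 keys are assumptions to be tuned per environment; the sample log is constructed inline.

```python
"""Flag bursts of keystrokes that arrive faster than a human can type.

Added example (not from the article). A macro replayed from a mouse's
memory produces key events with near-constant, sub-10 ms spacing, while
human typing rarely sustains gaps under ~30 ms. The detector groups
consecutive events closer together than a threshold and reports runs
long enough to be unlikely from a key-repeat or a two-key chord.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Thresholds are assumptions; tune them against real logs before alerting.
MAX_HUMAN_INTERVAL_S = 0.030   # gaps at or below this count as "too fast"
MIN_BURST_LENGTH = 8           # shorter fast runs are ignored (chords, repeats)


@dataclass
class Burst:
    start: float   # timestamp of the first key in the run (seconds)
    end: float     # timestamp of the last key in the run (seconds)
    keys: str      # the characters that were injected, in order

    @property
    def rate(self) -> float:
        """Keys per second over the run; a human rarely exceeds ~15."""
        if self.end == self.start:
            return float("inf")
        return (len(self.keys) - 1) / (self.end - self.start)


def find_injection_bursts(
    events: Iterable[Tuple[float, str]],
    max_interval: float = MAX_HUMAN_INTERVAL_S,
    min_len: int = MIN_BURST_LENGTH,
) -> List[Burst]:
    """Return runs of >= min_len keys where every gap is <= max_interval."""
    bursts: List[Burst] = []
    run: List[Tuple[float, str]] = []

    def close_run() -> None:
        if len(run) >= min_len:
            bursts.append(Burst(run[0][0], run[-1][0], "".join(k for _, k in run)))

    # Sort defensively: logs from several sources may not be in time order.
    for t, key in sorted(events):
        if run and (t - run[-1][0]) <= max_interval:
            run.append((t, key))       # still inside a fast run
        else:
            close_run()                # gap too large: evaluate and restart
            run = [(t, key)]
    close_run()
    return bursts


def build_sample_log() -> List[Tuple[float, str]]:
    """Constructed sample: ordinary typing, then a firmware-speed replay."""
    events: List[Tuple[float, str]] = []
    t = 0.0
    for ch in "hello world":
        t += 0.12                      # ~120 ms per key: normal typing
        events.append((t, ch))
    t += 2.0                           # the user pauses
    for ch in "run-some-stored-macro":
        t += 0.002                     # 2 ms per key: nobody types this fast
        events.append((t, ch))
    t += 1.5
    for ch in "bye":
        t += 0.15
        events.append((t, ch))
    return events


if __name__ == "__main__":
    for b in find_injection_bursts(build_sample_log()):
        print(f"burst at t={b.start:.3f}s: {len(b.keys)} keys, "
              f"{b.rate:.0f} keys/s, text={b.keys!r}")
```

On the constructed log this reports a single burst, the 21-character macro text at roughly 500 keys per second, and ignores the two human-speed passages around it. On a real system the same logic can be fed from whatever input-event source is available (for instance a Linux evdev reader or a Windows raw-input hook), with the threshold lowered or the minimum length raised if legitimate key-repeat produces false positives.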

38 thoughts on “Unexpected Betrayal From Your Right Hand Mouse”

    1. Nathanael Dale Ries: Won't help if the mouse is set to imitate or fake the real mouse. I think it's better to first restrict via firewall so only, for example, HTTP/HTTPS is able to reach out (and HTTPS can be proxied with a proxy that can do decryption via a custom CA that has to be installed on all computers)

      Another thing is to restrict computers that store sensitive things physically, so such computers are both locked in and possibly have hard-wired peripherals, possibly with tamper sensors and such.

      Thus it does not matter if a “regular” computer gets a reverse shell, since the sensitive things are locked in.

      1. Deliberately creating a MITM attack on your own network and obliterating with it the entire secure trust model of SSL is the exact opposite of security.

        Although I’m at a loss as to what that has to do with fouling attacks using macros stored in hardware EEPROMs?

        1. The idea is that you restrict what communication can occur out and in, and thus reduce the possibility to run a “reverse shell”.
          If the system restricts all communication to a few well defined protocols, opening a reverse shell will require some sort of software installation on the target machine, which also can be detected or prevented, and be hard to execute from a stored macro inside a mouse or keyboard.

          No, it won't be the opposite of security to create a network-local “MITM”. The reason is that you just redefine the trust border. Instead of bordering each specific client into a trusted state, you border the whole network into a trusted state. Of course, this means that anyone inside the trust border is able to compromise the trust process, but this on the other hand creates security because you have central control of what's entering and exiting your network. That's also why it's important to define this trust border well, e.g., the trust border should not terminate outside your premises, but rather just inside.

          A good thing with redefining the trust border is also that you are able to enforce policies centrally, for example preventing clickthrough of HTTPS warnings by simply letting the proxy display a block page for such things. You can prevent communication with certain blacklisted hosts, you can scan the content for sensitive data exiting (for example credit card numbers, passwords etc.) and malicious data entering (for example viruses), and you can also enforce Cookie, HSTS, HPKP policies centrally. And a lot more: you can also block submission of certain types of forms, and also block certain content and HTML tags.

          1. Just from your single post one can predict quite a lot of software that is already present on your system. So after that they just need to pick the right stuff and set it up for them to abuse.

        2. This is pretty much how internet access at any respectable large enterprise works. Blue Coat Systems is just one supplier that gets you the hardware needed for that. And yes, it is essentially a MITM attack. But if you can’t trust the company you’re working for, then you’re working for the wrong company anyways.

  1. I have a logitech mouse with an extra button on the left side. I just got fed up with it and RIPPED that sucker outa there using a screwdriver. There was some satisfaction in that, but the button lever snapped off in a way that was not ideal and I still had to remove screws and do a more careful button-ectomy. Now there is a hole in the side of the mouse, but it is way better than that silly button getting inadvertently activated. Does this qualify as a hack?

      1. I know how that goes. Every software update will undo the customization and/or change the way the customization needs to be specified. Besides that, I let my emotions run away. I can’t say that I’m sorry.

        Why would anyone want a mouse with more than 3 buttons? Jobs may have had the right idea with the one button mouse, but you can take anything too far. 38 buttons though — one false twitch and you have reformatted your hard drive.

        1. I've used AutoHotKey to disable mouse buttons before. Elderly folks often lack motor control, and my grandfather was clicking both mouse buttons at once. I disabled the right mouse button with AHK and mapped it instead to Numpad+, which was never otherwise used. It helped him keep using his computer in his advanced years until he passed away.

        2. I’ve got copy and paste mapped to two of the additional buttons. Now I can drink my coffee with the left hand, while copypasting commands with my right one. And even when I’m not drinking coffee, it’s still faster and requires less movement to hit the buttons on which I rest my thumb anyway than moving the left hand to Ctrl+C/V.

        3. > Why would anyone want a mouse with more than 3 buttons?

          All of the mice I use are 5 button mice. They have 2 thumb buttons that can be programmed to whatever. I have them set to Show Desktop and Alt+Tab so that I don’t have to put my coffee down to get around my desktop quickly.

          They also work well for gaming.

    1. I can’t stand mice with less than 5 buttons.

      Incidentally, did you know it took a long time for people to be comfortable with using the word ‘mice’ as plural for a computer mouse?

  2. I call bullcrap on this. Logitech has used software macros in the driver for a while now, this “hack” will only work on a windows computer with the software installed. The mouse is dumb.

      1. I have a Logitech G502 and it certainly CAN store macros without the software. I’m using it on a daily basis on Linux and I used my Windows VM to program the macro keys and they work on Linux perfectly fine (even 3 profiles with pretty long macros on each one).

  3. I have a KeyPro FK9000 which has 12 PF (Programmable Function) keys on its left end. It has a battery which charges by tapping power from the keyboard port and the PF keys are programmable using just the keyboard. If only its built in calculator (a switch toggles the number pad to calculator) could feed the numbers from its display to the computer.

    Would be much handier than launching a calculator on the computer, where it’s always getting buried behind other windows.

  4. I would say that someone can use an identical mouse, create some custom macros, and upload those to the memory on the mouse. They can then replace the victim’s mouse with the modified one — in theory, if the Logitech software is running (and believe me it will be, with the 38 buttons being useless otherwise; they would have a standard three button mouse) — the modified profile will be uploaded from the mouse to the computer.

    When the victim presses whatever button it would execute the new macro (and do who knows what).

    This seems to be more of a prank.

    I am pretty sure that the uploading/downloading of profiles to/from the device can be disabled in the Logitech software, thus preventing this type of thing (if not, hide your mouse; if it is magically connected one day — it’s been modified).

  5. Needing the Logitech software in there means you already have admin rights... so idk if this is a hack, or a convenient way of executing a bat file. Could also open a browser, download said batch file from pastebin, and run it.

    1. Unless your friends or relatives come over for whatever reason, who do not have a cell phone/laptop/or tablet, etc — and their only option is the computer that is available to them.
