"Mousejack" a wired (non-wireless) mouse

Question

Is it possible a wired mouse can be a malicious device? For example, could a keylogger be installed within a wired mouse that captures keystrokes and sends these to an external server via the internet connection of the computer it is connected to?

I recently ditched my wireless mouse for a wired one after learning about the "mousejacking" risk. But why should we have more trust in a wired mouse (or any USB device for that matter)? The mouse I bought was not in a sealed packet, so theoretically it could have been intercepted at any point along the supply chain and had some malicious hardware device installed within it.

My question relates specifically to the security of USB devices - if a wireless mouse USB dongle can also accept keystrokes, can a wired mouse also contain a device that masquerades as a keyboard and sends malicious keystrokes/commands?

The OS I use is Linux, so I am interested whether Linux is more secure in that respect (for example, not accepting keystrokes from a mouse). But I think the answer to this question would be useful for users of other OSes too.

Answer 1

There's actually an attack documented which fits pretty good to your description. The original post was deleted but you can read it for example here.

Short version: They (Netragard) managed to break into a corporate network in a penetration test by using a manipulated mouse which was sent to an employee as a faked lottery price. The USB connection was intercepted inside the mouse with a tiny USB hub where a rubber ducky or a similar device was connected.

This schema is called trojan devices. There's also a Blackhat talk about this topic.

The OS I use is Linux, so I am interested whether Linux is more secure in that respect.

AFAIK there are no pre-configured defenses against this but you could harden your system by creating a whitelist of devices which are allowed on specific ports. (udev rules to the rescue!) When you have only one port whitelisted for accepting a simple keyboard without USB hub or re-programmable firmware you're pretty safe against any manipulated devices which are trying use trojan device techniques to emulate user input. Alternatively you could get rid of USB keyboards in your whitelist entirely by using the PS2 port instead.

I'm not aware of any build-in defenses in other operating systems. However there's some software around for windows which does a similar job like you can do with udev on Linux.

Answer 2

Interesting research. It's focused on wireless transmissions.

Generally, a wired mouse/KB could be safer because you will need to clip a "listening" component onto your wire, unless your mouse has been tampered with in the first place. Every electronic device emits certain amount of EM waves so it depends how far these waves can be detected outside of the device that can be "tapped".

It doesn't matter what OS is in question, because an attacker basically takes control of your computer to download malware for long term exploits.

Answer 3

The OS is completely irrelevant to your question. If the mouse is subject to an attack or hack, it may fool whatever operating system is installed.

A wired mouse can not be affected remotely as is the case with a wireless mouse since it does not communicate wirelessly. Someone who would have access to make changes to your mouse would already have access to do much more on your computer, whatever the approach they took to gain access.