Think your computer or network can get a Trojan virus or malware only via a malicious website or an infected flash drive? Think again: even a mouse can get the job done.
A modified mouse, like almost any hardware device that can be plugged into a computer, can potentially infect a network, as shown in a recent hack by security firm Netragard.
"(We used) electronics which include a teensy microcontroller, a micro USB hub, a mini USB cable (we needed the ends) a micro flash drive (made from one of our Netragard USB Streamers), some home-grown malware (certainly not designed to be destructive), and a USB device like a mouse (or) whatever else someone might be tempted to plug in. When they do plug it in, they will be infected by our custom malware and we will use that point of infection to compromise the rest of the network," Netragard said in a blog post.
Netragard said the challenge had been to penetrate a network with a single IP address bound to a firewall that offered no services.
Other limitations included no use of social networks, telephone, email or physical access to the network to be penetrated.
For its project, Netragard used a fancy Logitech USB mouse fitted with a microcontroller and a tiny USB flash drive where the malware was stored.
But even without the flash drive, Netragard noted it "could still instruct the mouse to fetch the malware from a website."
Netragard also created custom malware tailored to the antivirus software that the target computer was using.
"We wanted our malware to be able to connect back to (us) but we needed more than that. We needed our malware to be fully undetectable and to subvert the 'Do you want to allow this connection' dialogue box entirely. You can’t do that with encoding," it said.
Netragard then shipped the mouse to the target, making it look like a promotional gadget so the victim would use it.
"Sure enough, three days later the mouse called home," it said.
Public unaware of threat
InfoWorld's Roger Grimes said that many are unaware that hardware, especially a mouse, can be used to deliver auto-launching exploit code.
"IT security admins must understand that a computer can be compromised by almost any hardware device plugged into it. Hardware is hardware — the instructions coded into it and its firmware take precedence over software. When we talk trust boundaries in computer security, you always have to remember the hardware boundary must be discussed and defended," Grimes said.
"If I, as the attacker, can convince a victim to plug in some sort of hardware or if I plug it in myself, then it is, for all intents and purposes, game over. If I can plug something into your USB, DMA, FireWire, and now mouse port, I'll likely succeed in carrying off a malicious action," he added.
Grimes said end-user education is always worth the effort.
"Let your end-users know that anything they plug into their computer could launch malicious code. That free USB key at the conference show? They shouldn't plug it in, nor should they attach free mice, free keyboards, or whatever if they are at elevated risk of physical attack," he said. — TJD, GMA News