Tailless mice eating holes in corporate networks

Security experts have sounded a warning to users of a wireless desktop device that hackers could be reading every touch of their keyboard, including logins and passwords. However, no real life examples of this have ever been recorded, and some pretty smart technology is needed before it can happen.

The risk arises when Logitech's wireless mouse and keyboard, on start-up, try to synchronise with a receiver that records their movement, via a specific radio frequency.

During this synchronisation, the communication between devices can be jammed and terminated by a hacker with a computer and an exact copy of the same receiver.

This second receiver's range can only be extended to 30m with a larger antenna - so it wouldn't be that easy for the miscreant to hide themselves.

A user, after noticing that their connection has terminated, will attempt to log on again. It's at this point when the attacker can also connect, taking control of the victim's device in the process, allowing keystrokes, including passwords, to be read without the victim knowing.

Phil Huggins, a managing security architect with @stake, said the vulnerability was entirely possible, helped in part by the way in which many wireless products are rushed out with little regards to security.

Huggins said: "We're going to see more like it from the hacker community. Their interest always lies at the cutting edge of technology."

He added: "If you must use wireless devices in security sensitive areas, use infra-red that has a more limited range, offering less chances of vulnerabilities."

Eric Chien, chief researcher at Symantec, warned users to be aware of the increased risk of using wireless devices and encouraged users to adopt a method of encryption or signal modulation to make it more difficult for hackers to eavesdrop.

Chien said: "Those who need more security than functionality in this case should consider reverting to a corded device. "

He added that this security backdoor is a known issue for almost all wireless types of input devices, but that this instance requires electronics knowledge on the part of the hacker.

Gareth Hayes, European product manager for Logitech, said that the technique needs James Bond-like electronics knowledge and is highly unlikely in "real life" scenarios.

Hayes said: "Only a pro-spy would have that level of hacking ability. Our products aren't designed for heavy military style security, but aimed more at the everyday environment of office and home use."

A full transcript of the problem can be found at www.daten-treuhand.de/sicherheitsnews/logitech/bugtraq.htm