1

In our meeting rooms we have at our disposal the necessary material for presentations. HDMI, and mouse etc., lock down to the table (3 digit lock).

All the mouse have been removed for security reason, in fear of a modified mouse with keylogger, cryptovirus or other malware.

Without the consideration of social engeneering to enter the meeting rooms, is an USB mouse a real risk and vector?

Context:
One of the mouse have been replace by an other brand mouse. But it's definitivly not a mouse brought by the company. No mouse of that brand no computer of that brand were ever brought. The mouse have been inspected and look like it was not modify visible component are the same with the same mouse brought for comparaison. A real keylogger here will in capture a ton of domain password.

xdtTransform
  • 111
  • 3
  • You could replace USB mouse with any USB device. The outward appearance does not mean anything to the computer you're plugging into. – domen Feb 04 '19 at 10:37
  • @domen, Yes any one with access to our metting sofware will be able to see went it's occupied. Then you just need ~10min to guess the NumLock combinaison. Go under the table with a laptop charger an pretend to be pluging it in if someone enter the room. You can even plug the same model mouse. The different brand mouse triggered the IT "remove all the mouse from meeting". So the question is not about this particular mouse but mouse in general. We all have mouse and those are not secure with a lock just by the cable mess. Are mouse a real danger? – xdtTransform Feb 04 '19 at 10:45
  • I mean ... in the text above, you could replace the word "mouse", since any malicious USB device could be packaged in that physical form. There's nothing intrinsic about the mouse shape, it's just a USB device that send descriptors to tell the PC it's a mouse. – domen Feb 04 '19 at 10:54
  • Also consider if other attacks and threats are in scope. It could just be a plain USB mouse with added microphone and transmitter (USB just for power, not attack). – domen Feb 04 '19 at 16:14
  • The question is hard to read because of all the have-beens: "have been remove", "have been replaced", "were ever bought". "have been inspected" ... I think some of these act were done by you (or the company's IT function) and some of them were done by unknown parties, perhaps adversaries -- it would help a lot if you edit your question to identify the actor in each of those sentences. – hmakholm left over Monica Feb 05 '19 at 19:01

1 Answers1

2

These are just some of the possible USB attack vectors: 29 Different types of USB attacks.

A mouse alone is unlikely to be an attack vector. A mouse logger is redundant with screen capture. However, as @domen hinted in the comment, there's really nothing special about the mouse-shaped device that will force the device to be recognised as a mouse. A mouse shaped device can identify itself as anything, including as a daisy chained device for which one of the connected device is a mouse, but also provides another, more malicious service.

With that said, hardware based attacks like USB attacks, while not unheard of, are fairly uncommon. In practice, there just aren't that many known instances of such attacks, unless you work for the NSA or a company with known regular history of corporate espionage, the chances to most people of being targeted by these kind of attacks are fairly slim.

Lie Ryan
  • 31,459
  • 6
  • 70
  • 94
  • 1
    The red team at my employer has absolutely used USB attacks (usually "rubber duckies" rather than something directly destructive, because they're trying to gain access). Companies are a big pile of money, secret information, intellectual property, and trusted names; they are tempting targets at any size. I think you severely underestimate how many people would like to get into any particular company and be willing to buy and drop some innocent-looking USB devices around. – CBHacking Feb 04 '19 at 12:54
  • @CBHacking For Red teams and security drills, yes, I don't disagree it's a common exploit, but for actual attacks? Yes, occasionally we hear one or two cases, I had not seen evidence that it's common/widespread (I'd love to be proven wrong), especially considering that there are often much easier, more reliable, and less risky attack vectors. – Lie Ryan Feb 04 '19 at 14:40