Visiting A “Legal Hacker” Who Finds Cracks In IoT Security

the USB dongles we plug into our computers so they can communicate with a wireless mouse or keyboard.

Many manufacturers equipped these dongles with a Nordic Semiconductor chip that can be modified to securely communicate with wireless accessories such as keyboards. But if a non-Bluetooth wireless device manufacturer installed no additional precautions in the chip, the dongle can become a gateway for hackers to take over the computer from some distance away. For example, if the dongle isn’t programmed to accept only the encrypted keystrokes from the user’s wireless keyboard, the attacker can wirelessly deliver unencrypted keystrokes that the dongle accepts just as though they had been typed by the computer’s legitimate user.

In the Bastille office, Seeber showed me how an entire packet of malicious code could be sent to the victim’s computer wirelessly within seconds.

With a radio frequency transmitting device and a small antenna, a hacker trying something like Mousejack might need to be within 30 feet of the target computer to succeed. But Seeber was able to extend that range to more than 700 feet by buying a bigger antenna—the knobby white stick he uses with his laptop as he roams around Second Street.

“That antenna was $70 on Amazon,” Seeber says. (The computer he Mousejacked was owned by Bastille, in case you wondered.)

I first met Seeber at RSA, the big annual cybersecurity conference, early this year in San Francisco. There, he and some other security researchers gleefully showed how easily they could interfere with radio frequency signals to remotely unlock electronic door locks, jam home alarm signals, and peer through the cameras in Web-connected devices, among other feats.

The addition of microphones to some of these devices—such as talking dolls and TVs that respond to voice commands—introduces threats to consumer privacy as well as security, Bastille has warned. One smart TV manufacturer said it might use the monitor’s voice command microphone to capture family conversations and send them out to voice-to-text transcription services, a Bastille blog post reported.

Seeber says his unit at Bastille is still uncovering the low-hanging fruit of security vulnerabilities among wirelessly connected devices, because many manufacturers haven’t caught on to the need to build in protective measures against the capture of airborne signals. And consumers of IoT devices aren’t awake to the dangers either, he says.

“Consumers are just grabbing everything they can because it’s new and cool,” Seeber says.

I wondered if Seeber, who is so aware of the security vulnerabilities of all the connected gizmos we’re bringing into our homes and offices, keeps his own environment relatively free of these devices. He says no.

“One way or the other, we will end up leaking information,” Seeber says. “That’s the price we pay for these modern conveniences.”

But then, he’s a security expert. He has skills that would be arcane for most people, like changing the default settings on a connected kitchen appliance.

How can ordinary consumers surrounded by wireless devices protect themselves? I asked him.

“If you want to be sure about anything, unplug it,” Seeber says.

Author: Bernadette Tansey

Bernadette Tansey is a former editor of Xconomy San Francisco. She has covered information technology, biotechnology, business, law, environment, and government as a Bay Area journalist. She has written about edtech, mobile apps, social media startups, and life sciences companies for Xconomy, and tracked the adoption of Web tools by small businesses for CNBC. She was a biotechnology reporter for the business section of the San Francisco Chronicle, where she also wrote about software developers and early commercial companies in nanotechnology and synthetic biology.