13

I worry that this might get flagged as too broad, but here it goes:

Lately I've been thinking about the possibility of loading data on peripheral devices. One of the most used peripherals is the mouse. I realize that there are 101 ways to build a mouse. To refine my question into several, I ask these questions:

  1. Is it possible to build a mouse without memory? If so, is it typical for a mouse not to have memory?
  2. Suppose the mouse did have memory (if this is not a realistic assumption, please point that out), is it typical to see ROM types of memory only? Can the memory be flashed like CMOS memory?
  3. Has anyone seen a computer attack/malware attack from the memory of a mouse?

I ask number three because what I've been thinking of lately is the generalization of the attacks performed by various advanced persistent threats.

Adam Haun
  • As for 3, I can think of just hooking a USB flash memory with a virus inside the mouse, wiring it to the connector, and voila! – Eugene Sh. May 15 '15 at 17:38
  • For sure there are mice available with built-in flash memory. I happen to have an Oracle branded one with a 64MB (jay!) flash drive in it. But a generic mouse, not built for storage will likely have just an MCU in it, no dedicated external storage. The memory of the MCU would need to be flashed to be accessed from outside. – Phil B. May 15 '15 at 17:40
  • 1
    @EugeneSh. yeesh, just simply embed flash memory onto the board of a mouse. That is for the most part a non-obvious thing to do because it is out of sight and out of mind. Thanks for sharing. – StackExchangeUser0xff00 May 15 '15 at 17:41
  • 2
    Perhaps a better title for your question would be: "Does a USB mouse have memory that could be used to store malware?". I can edit it for you if you'd like. – Adam Haun May 15 '15 at 17:42
  • @AdamHaun Yes, that would be a better title. Can you please edit that for me? Thanks – StackExchangeUser0xff00 May 15 '15 at 17:44
  • http://www.extremetech.com/extreme/191467-badusb-returns-hackers-publish-code-that-could-infect-millions-of-usb-devices – slebetman May 15 '15 at 21:03
  • 3
    There's actually a proof of concept code to infect USB devices from your PC published on github: https://github.com/adamcaudill/Psychson – slebetman May 15 '15 at 21:05
  • @slebetman That's surely an answer. – OJFord May 15 '15 at 21:42
  • BadUSB infects USB drives, not mice. – Dmitry Grigoryev May 15 '15 at 22:07
  • @DmitryGrigoryev: Not sure about mice but BadUSB has been demonstrated to infect keyboards. – slebetman May 16 '15 at 02:12
  • 2
    No matter what normal mice contain, an attacker (with sufficient resources) can always just make a mouse that *does* contain what they need. – Cascabel May 16 '15 at 16:03

4 Answers

12

Many USB peripherals include flash-based microcontrollers. Although mask-ROM-based microcontrollers are cheaper, use of a flash-based microcontroller may enable a manufacturer to have one board which can go in a variety of OEM products, each of which reports the name under which it is sold. Some peripherals include firmware that allows them to be reprogrammed from the USB port; having them configured that way would allow a manufacturer to pre-program parts in a way suitable for its highest-volume customer and re-program them on demand for other customers.

If a mouse happens to include a flash microcontroller, it may be possible for a malicious person to reprogram it to behave as a malware-infection device. Because most mice aren't likely to use particularly big microcontrollers, there may not be any room for malware if the mouse is required to be usable as a mouse. On the other hand, it might be possible for some malware to identify a vulnerable mouse and reprogram it in such a way that it would no longer work as a mouse, but would act as an agent of evil when plugged into a non-infected machine [on the theory that someone whose mouse stops working might test it on another computer].

It would in general not be difficult to design a USB peripheral in such a way that once final firmware was loaded it could not be reloaded from the USB port, but there is no general way to distinguish devices which are immune from reprogramming from devices which aren't. It would also be possible to design a "smart USB hub" with a display and some buttons which would, when a device was plugged in, indicate what the device is claiming to be, asking for confirmation before the computer could see the device, and restricting the device's communications to those that were approved for its type, but I don't know if any such smart-hub devices are available.

supercat
  • There are no such smart hubs, because you can block USB devices at OS level. No additional hardware needed. The problems begin when you want to replace your broken mouse or keyboard... – Turbo J May 15 '15 at 20:39
  • @TurboJ: The point is that by then it's probably too late. Imagine a specially designed USB mouse that's actually a micro USB hub connected to the mouse hardware and a hidden thumbdrive inside the mouse (actually you don't have to imagine as proof-of-concept demos have already been shown to the public). The hidden thumb drive mounts and includes an AUTOEXEC.BAT file which installs some software. Then you open the control panel and block it but the malware has already been installed. – slebetman May 15 '15 at 20:57
  • 2
    A more sophisticated hack is the recent discovery that some USB controllers are hackable - their firmware is stored in flash rather than ROM. This form of attack completely bypasses the OS and installs malware on the USB chip soldered on your motherboard. – slebetman May 15 '15 at 20:59
  • 3
    USB devices cannot bypass the OS, they always need a driver first and that step can be blocked (in Linux with udev script, win may need 3rd party software). PCIE devices can bypass the OS via DMA. – Turbo J May 16 '15 at 02:03
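
The smart-hub idea in the answer above and the OS-level blocking raised in its comments both reduce to comparing the interfaces a device declares with the type the user expects. The following Python sketch of that comparison is an added example, not code from any poster on this page. It assumes the Linux sysfs attribute files `bInterfaceClass`, `bInterfaceSubClass` and `bInterfaceProtocol`; the policy table and the sample devices are constructed.

```python
from pathlib import Path

# USB-IF class codes; interface = (bInterfaceClass, bInterfaceSubClass, bInterfaceProtocol)
HID, MASS_STORAGE, HUB = 0x03, 0x08, 0x09
BOOT_MOUSE = (HID, 0x01, 0x02)             # HID boot-protocol mouse
BOOT_KEYBOARD = (HID, 0x01, 0x01)          # HID boot-protocol keyboard
BULK_STORAGE = (MASS_STORAGE, 0x06, 0x50)  # SCSI transparent, bulk-only transport

# Hypothetical policy: interfaces approved for each type the user confirms.
# Simplification: only boot-protocol HID is recognised; any other HID interface
# is blocked because its role is only visible in the HID report descriptor.
POLICY = {"mouse": {BOOT_MOUSE}, "keyboard": {BOOT_KEYBOARD}, "flash drive": {BULK_STORAGE}}
FIELDS = ("bInterfaceClass", "bInterfaceSubClass", "bInterfaceProtocol")


def sysfs_interfaces(device_dir):
    """Read interface triples from a sysfs-style device directory (e.g. .../1-2)."""
    found = []
    for intf in sorted(Path(device_dir).glob("*:*")):
        try:
            found.append(tuple(int((intf / f).read_text(), 16) for f in FIELDS))
        except (OSError, ValueError):
            continue  # not an interface directory
    return found


def review(confirmed_type, interfaces):
    """Split a device's interfaces into (allowed, blocked) for the confirmed type."""
    approved = POLICY[confirmed_type]
    allowed = [i for i in interfaces if i in approved]
    blocked = [i for i in interfaces if i not in approved]
    return allowed, blocked


# Constructed sample devices, all plugged in by a user who expects "a mouse".
SAMPLES = {
    "plain mouse": [BOOT_MOUSE],
    "mouse + hidden storage": [BOOT_MOUSE, BULK_STORAGE],
    "mouse + keyboard": [BOOT_MOUSE, BOOT_KEYBOARD],
    "hub": [(HUB, 0x00, 0x00)],
}

if __name__ == "__main__":
    for name, interfaces in SAMPLES.items():
        allowed, blocked = review("mouse", interfaces)
        verdict = "ok" if allowed and not blocked else "needs attention"
        print(f"{name}: allowed={allowed} blocked={blocked} -> {verdict}")
```

The script only produces a decision; acting on it (for example from a udev rule, as one comment suggests) is left to the host's own device-authorization mechanism.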
9

USB keyboards can be used to do interesting things on a PC/Mac. And you could combine a USB keyboard with a mouse into one HID, using a microcontroller for example.

Cheap USB mice should still use ASICs that are not reprogrammable IMHO, because masked ROM costs less than flash.

Turbo J
4

Yes, it is definitely possible to use mice (and USB devices in general) in cyber attacks.

Whatever type of memory cheap mice have, it's usually impossible to modify it via the USB interface, so the attacker will need to physically access the mouse which will be used for the attack. As a result, it is usually easier to make a custom device which mimics a mouse and has lots of memory (and perhaps some wireless transceivers) rather than reuse a real mouse which will have little memory, small processing power and no wireless interfaces.

There are devices which are much more suitable for such purposes. For example, most SD cards have quite powerful controllers and the firmware is usually upgradable, protected by a passcode of some sort. Such passcodes are widely known by the dev&testing teams and are not meant to be cryptographically secure. Often leetspeak phrases like DEADBEEF or 600DCOFFEE are used. And once you have control over an SD card, there is no extra effort to get sensitive data, all you have to do is filter it. Similarly, USB keyboards are natural candidates for password stealing. Convincing the computer to send a file or a password to the mouse is much more difficult.

Dmitry Grigoryev
2

It's definitely possible with mice that store configuration data on their own hardware. Consider somewhat expensive gamer mice − they often come with a piece of software that lets you edit on-board configurations so you could switch them with a special button somewhere on the mouse. Some mice conveniently have auto-installing capability, like you see on mobile internet USB sticks. From then on it depends on security parameters of the target computer. If it has autorun enabled, a compromised mouse could install malicious software silently, and so on.

user1306322