TECHNOLOGY and COMMUNICATION

They broke in like it was nothing. They could have wiped my hard drive, stolen my files, or practically anything nefarious you can do with a computer.

Just watch:

All because I had a wireless mouse dongle plugged into my laptop. And all they needed was a simple antenna that costs as little as $15 at Amazon.

Thankfully, "they" were a pair of security researchers from a company called Bastille, and every company that builds wireless mice and keyboards has already been alerted to the issue. If you have a Logitech Unifying receiver, there's already a fix. (Here is a link to a patch provided to us by Logitech: RQR_012_005_00028.exe.)

But if not, you too might be vulnerable to this technique. They're calling it a "Mousejack."

What Bastille security researcher Marc Newlin discovered was this. If you can send out a wireless signal that pretends to be a wireless mouse, most wireless USB dongles will happily latch onto it -- no questions asked. Then, you can have that fake wireless mouse pretend to be a wireless keyboard -- and start controlling someone else's computer. 

A Logitech Unifying dongle, which can be updated to patch this vulnerability.

With a laptop and a cheap wireless USB antenna called a Crazyradio, Newlin found he could do that from up to 200 meters away. Of course, you can't easily see someone's laptop screen from that far out, but that doesn't mean the hack isn't dangerous. A sequence of keyboard shortcuts is enough to wipe a hard drive -- or open a browser, navigate to a website, download malware and install it on a computer.

Normally, wireless keyboards send encrypted signals, so hackers can't spoof them and take over your PC. But wireless mouse traffic isn't always encrypted, according to Chris Rouland, CTO and founder of Bastille, because peripheral manufacturers didn't think it was necessary. Many of the tiny USB dongles used to wirelessly connect mice and keyboards are always listening for a new mouse, and they'll transmit whatever Bastille's fake "mouse" tries to send.

Marc Newlin stands above a table full of vulnerable devices.

Bastille

Thankfully, the vulnerability doesn't affect Bluetooth devices, or USB wireless dongles that aren't actively in use. Even if you've got one of these dongles sticking out the side of your laptop, Newlin's antenna and program can't find it unless it can latch onto the wireless signal from your mouse.

Perhaps the worst part of the vulnerability is that many dongles can't be fixed. While Logitech Unifying devices have dongles that can be upgraded -- and Logitech tells us its other Nano dongles aren't affected -- Bastille says that others may be permanently vulnerable. Lenovo told Wired that it will replace vulnerable devices for any customer who asks, and we're trying to confirm. 

We haven't heard back from Dell yet, but the company told Forbes that though its KM714 keyboard and mouse will soon be updatable with the same Logitech patch, other devices may need to be swapped out. Microsoft tells us it will investigate the issue and "provide resolution as soon as possible." We also reached out to HP, Amazon and Gigabyte but have yet to receive a reply. 

The fact that Logitech Unifying dongles are upgradable could be a mixed blessing, because Rouland believes that hackers could also theoretically use them as transmitters. Hack one dongle, turn it into a transmitter to hack any others it sees. Suddenly, you've got a virus on your hands.

Here's the device that Newlin used to break into my laptop. It costs $12. All he had to do was hook it up to his laptop, write 15 lines of Python code, and wait for me to move my mouse. If you see someone using one of those at your local coffee shop -- or in your workplace -- be warned.

Sarah Tew for CNET