Six months of design iterations, sourcing
headaches, and a broken oscilloscope later — I am pleased to share a hardware
module I designed to extend the Flipper ecosystem for RF security research.
This write-up covers the motivation, engineering challenges, capabilities, and
responsible-disclosure principles behind the project — and a frank look at a
vulnerability that is very much alive in the Maldives today.
Left: 3D render of final PCB · Right: Altium Designer PCB layout view
Why I Built It
The trigger was reading the original MouseJack
disclosure by Bastille Networks. It made me realize that a class of peripherals
most people assume to be harmless — the cheap wireless mouse on your desk — can
be weaponized from a car park. I wanted a research platform small enough to
carry in a jacket pocket, native to the Flipper Zero ecosystem, and capable of
passive scanning, protocol analysis, and controlled lab tests. What I did not
want was to rediscover a ten-year-old bug; I wanted to understand it deeply
enough to help organizations here in the Maldives understand the exposure
sitting on their own desks.
MouseJack — The Vulnerability Behind This Project
Origins & Discovery
In February 2016, Marc Newlin of Bastille Networks’ Threat
Research Team announced MouseJack — a family of nine
distinct vulnerabilities catalogued under Bastille tracking numbers
#1–7, #9, and #12. The team comprised RF and cybersecurity specialists
including the top four finalists of the DARPA
Spectrum Challenge, lending the research considerable credibility.
The findings were registered with US-CERT /
CERT-CC at Carnegie Mellon University, which issued a formal
advisory.
The Technical Root Cause
Wireless mice and keyboards in the 2.4 GHz
ISM band communicate with a USB dongle plugged into the host computer. These
proprietary protocols — built on Nordic Semiconductor’s nRF24 series transceivers — were designed for
convenience, not adversarial environments. The critical flaw is a complete absence of authentication between peripheral and
dongle. Because the dongle cannot distinguish legitimate mouse
packets from attacker-crafted ones, it accepts both and forwards them to the OS
as genuine input. Crucially, while most keyboards encrypt their traffic, the
underlying dongles often accept unencrypted packets anyway — meaning an
attacker doesn’t need to break encryption at all.
The Five Attack Vectors
| Attack Vector | Mechanism | Impact |
|---|---|---|
| Mouse Spoofing | Dongle does not verify that the packet type matches the transmitting device. Attacker pretends to be a mouse but sends keypress packets instead of movement data. | Inject arbitrary keystrokes as if the user typed them. |
| Keyboard Spoofing | Many dongles do not enforce encryption even when the keyboard uses it. Attacker transmits raw unencrypted keyboard packets directly. | Full keystroke injection — open CMD, download malware, exfiltrate data. |
| Forced Pairing | Some dongles allow new peripherals to pair without user interaction. Attacker introduces a rogue keyboard which the dongle accepts. | Permanent foothold — attacker’s device becomes a trusted peripheral. |
| Denial of Service | The 2.4 GHz channel is flooded with radio traffic (Bastille tracking #8). | Peripheral becomes unresponsive; disruption without code execution. |
| KeySniffer (related) | Keyboards transmitting keystrokes unencrypted allow passive eavesdropping from up to 75 m away. | Credential theft, password capture, IP loss — silently and invisibly. |
Range, Cost & Stealth
| Factor | Detail |
|---|---|
| Attack Range | Up to 100 metres (line of sight), proven effective through walls and windows. |
| Hardware Cost | As little as $15 — a standard USB radio dongle or CrazyRadio PA, widely available. |
| AV Evasion | Presents as a keyboard. Completely invisible to antivirus, IDS, and firewalls. |
| OS Coverage | Windows, macOS, and Linux — all equally vulnerable via the dongle firmware. |
| Real-time Detection | No practical mechanism for end-users to detect an active attack. |
Confirmed Affected Brands
Bastille’s team tested devices from seven
major manufacturers. They explicitly noted they could not test every model —
unbranded generic devices were not tested but share identical chipsets.
| Brand | Finding & Response |
|---|---|
| Logitech | Unifying receiver confirmed vulnerable. Firmware patch issued, but many shipped devices remain unpatched. The popular M185 continued to show vulnerability post-patch. |
| Microsoft | Multiple wireless desktop sets affected. Windows Update advisory 3152550 partially mitigated mouse spoofing but did not fix keyboards; the Sculpt Ergonomic Mouse remained injectable. |
| Dell | KM714 confirmed vulnerable. Dell directed customers to Logitech’s patch as the underlying dongle shares the same lineage. |
| HP & Lenovo | Both confirmed affected. Lenovo issued an update for the 500 series but noted it could only be applied at manufacture — existing field devices cannot be patched. |
| Amazon / Gigabyte | Confirmed affected. Neither vendor offered a firmware fix; replacement is the only option. |
| Unbranded & Generic | Not tested by Bastille. However, these products overwhelmingly use identical nRF24-family chipsets and almost certainly carry the same or worse vulnerabilities with zero prospect of a patch. |
Why the Vulnerability Persists in 2025
Despite being disclosed nearly a decade
ago, MouseJack remains exploitable at scale. Many dongles were never designed
to accept firmware updates — the flaw is baked into silicon. Even where patches
exist, peripheral firmware updates are virtually never applied by end users.
And the global supply chain continues to ship affected chipsets in new
hardware, meaning brand-new devices purchased today may carry the exact same
flaw from 2016.
⚠ Still Relevant in 2025: A 2022 survey of 100 organizations found that 28% had at least one MouseJack-vulnerable device actively in use — six years after public disclosure. The attack remains a fully viable red-team vector. (Source: CEUR-WS security survey, 2022.)
The Maldives Market — A Local Blind Spot
The Maldives has a small but fast-growing
IT retail sector, with dozens of local suppliers and resellers operating in
Malé and across the atolls. The overwhelming majority of wireless peripherals
available on the local market are budget, unbranded, or generic-OEM products
sourced from Chinese manufacturers — products that were never in Bastille’s
original testing pool and almost certainly carry nRF24-family chipsets with no
encryption and no authentication on the dongle link.
I have
personally tested several models available from local IT suppliers
here in the Maldives. The findings are consistent with what Bastille documented
in 2016: unencrypted mouse packets, no dongle-side authentication, and in some
cases zero pairing enforcement — meaning any nearby attacker can inject
keystrokes without ever having been paired to the device.
| Observation | Detail |
|---|---|
| Product Type | Budget 2.4 GHz wireless mice and keyboards sold openly by local IT retailers in Malé and across the atolls. |
| Chipset | nRF24L-family transceivers or near-identical clones — the same silicon at the center of Bastille’s 2016 findings. |
| Encryption | None observed on mouse packets in personally tested samples. Fully consistent with the MouseJack vulnerability profile. |
| Pairing Auth | Absent or trivially bypassable on all tested devices. The dongle accepted injected packets without any prior pairing. |
| Firmware Updates | No update mechanism exists on any tested device. These products are permanently and irreversibly vulnerable. |
| At-Risk Environments | Government offices, bank branches, resort back-offices, and SMEs across the Maldives actively use these peripherals. |
| User Awareness | Near zero. MouseJack is unknown to virtually all end users and most local IT administrators. |
💡 Realistic Scenario: An attacker in the lobby of a government ministry, a bank, or a busy café in Malé — armed with a $15 USB radio dongle and the open-source Jackit tool — could silently inject keystrokes into any nearby unprotected wireless peripheral, open a command prompt, download a payload, or exfiltrate documents, all without touching the target computer, triggering antivirus, or leaving the 100-metre attack range that covers most Maldivian commercial buildings.
Can EDR, XDR, or MDR Stop a MouseJack Attack?
This is one of the most important — and
most misunderstood — questions in the context of this vulnerability. The short
answer is: not at the point of entry,
but potentially at the point of consequence. Understanding exactly where each
layer of defense sits, and where it is blind, is critical for any organization
assessing their real exposure.
Why the Initial Attack Bypasses All Three
MouseJack operates entirely at the radio frequency and USB HID layer — below the
operating system, below the kernel, and therefore below every EDR, XDR, and MDR
sensor. The USB dongle receives injected keystrokes over the air and presents
them to the OS as legitimate human input. The OS has no mechanism to
distinguish a genuine keypress from an injected one — and neither does any
security agent sitting on top of it. Keystroke injection cannot be detected
at entry because the keyboard is always treated as a trusted device, and
EDR, XDR, and MDR agents inherit exactly the same blind spot.
Attack Phase Visibility Map
| Attack Phase | What Happens | EDR / XDR / MDR Visibility |
|---|---|---|
| RF Injection (Entry Point) | Attacker transmits crafted radio packets to the USB dongle from up to 100 m away. No process, file, or network connection is created. | None. This occurs at the RF hardware layer, entirely below any software sensor. |
| HID Trust (OS Acceptance) | Dongle passes injected keystrokes to the OS as legitimate HID input. The OS treats them identically to keystrokes from a real keyboard. | None. The OS itself cannot distinguish injected from genuine input at this stage. |
| Command Execution (Post-Entry) | Injected keystrokes open a terminal, run PowerShell, download a payload — just as a human would type. | Partial. EDR/XDR/MDR may flag unusual PowerShell invocations, unexpected child processes, or anomalous command-line arguments. |
| Payload Execution & Persistence | Downloaded malware runs, establishes persistence, or moves laterally via harvested credentials. | Yes — this is where EDR/XDR/MDR operates effectively. Malware behavior, lateral movement, C2 beaconing, and registry changes are all detectable. |
What EDR Can Detect — Downstream Consequences
Although EDR cannot see the radio injection
itself, a well-tuned agent monitoring process behavior will often catch the
consequences:
| Detection Opportunity | How EDR Catches It |
|---|---|
| Abnormal PowerShell Execution | Injected payloads frequently invoke PowerShell with encoded commands, execution policy bypasses, or IEX download-and-run patterns — all flagged by EDR behavioral analytics. |
| Unusual Process Chains | A command prompt or PowerShell window spawning with no user-initiated parent process is a strong anomaly that engines like Microsoft Defender for Endpoint and CrowdStrike Falcon detect. |
| Unexpected Network Connections | If injected commands download a secondary payload, the outbound connection to an unknown IP will be logged by EDR and XDR network telemetry, often triggering automated endpoint isolation. |
| Superhuman Typing Speed | Some advanced agents monitor HID input rates. Keystroke injection runs at machine speed, far beyond any human typist. Agents capable of USB HID monitoring can flag this, though capability is not universal. |
| Registry & File System Changes | Persistence mechanisms — registry run keys, scheduled tasks, dropped executables — are standard EDR detection territory and are reliably caught. |
What XDR Adds
XDR extends EDR by correlating signals
across endpoint, network, email, identity, and cloud into a unified incident
view. For a MouseJack attack progressing to lateral movement, XDR stitches
together the anomalous process, the outbound network beacon, the credential
reuse on a second machine, and the unusual cloud login into one correlated
incident. Platforms such as Palo Alto Cortex XDR,
Microsoft Sentinel with Defender XDR,
and Sophos XDR are designed for
exactly this. However, they remain blind to the
RF injection event itself — only its downstream trail is visible to
them.
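To make the "Superhuman Typing Speed" and "Abnormal PowerShell Execution" opportunities above concrete, and to show the kind of cross-signal correlation XDR performs, here is a small Python detector. It is example code added to this write-up, not part of the module or of any vendor's product; the event fields, thresholds and all telemetry are constructed assumptions.

```python
# Added example for this write-up: correlate a machine-speed keystroke
# burst with a suspicious shell start that follows it. Event fields and
# thresholds are assumptions; all telemetry below is constructed.

# Keystroke arrival times in milliseconds (constructed).
# A human types ~120-250 ms apart; injected input arrives every few ms.
HUMAN_KEYS = [1000 + i * 180 for i in range(12)]
INJECTED_KEYS = [50000 + i * 6 for i in range(40)]
KEY_EVENTS = sorted(HUMAN_KEYS + INJECTED_KEYS)

# Process-creation events: (time_ms, image, parent, cmdline) (constructed).
PROCESS_EVENTS = [
    (1600, "notepad.exe", "explorer.exe", "notepad.exe"),
    (50410, "powershell.exe", "explorer.exe",
     "powershell -nop -w hidden -enc QUJD"),
]

MACHINE_SPEED_MS = 20    # inter-key gap no human sustains
MIN_BURST_KEYS = 8       # consecutive keys needed to call it a burst
FOLLOW_WINDOW_MS = 3000  # shell must start this soon after the burst ends
SUSPICIOUS_TOKENS = ("-enc", "-e ", "iex", "bypass", "hidden")
SHELLS = ("powershell.exe", "pwsh.exe", "cmd.exe")


def find_injection_bursts(times, gap_ms=MACHINE_SPEED_MS, min_keys=MIN_BURST_KEYS):
    """Return (start_ms, end_ms, key_count) for every run of keystrokes in
    which each consecutive gap is below gap_ms and the run has >= min_keys."""
    bursts, start = [], 0
    for i in range(1, len(times) + 1):
        # A run ends at the last key or when the next gap is human-sized.
        if i == len(times) or times[i] - times[i - 1] >= gap_ms:
            if i - start >= min_keys:
                bursts.append((times[start], times[i - 1], i - start))
            start = i
    return bursts


def is_suspicious_shell(image, cmdline):
    """Shell image plus an encoded/hidden/bypass-style argument."""
    low = cmdline.lower()
    return image.lower() in SHELLS and any(t in low for t in SUSPICIOUS_TOKENS)


def correlate(key_times, processes, window_ms=FOLLOW_WINDOW_MS):
    """Pair each injection burst with any suspicious shell that starts
    within window_ms after the burst ends. Returns [(burst, process), ...]."""
    alerts = []
    for burst in find_injection_bursts(key_times):
        burst_end = burst[1]
        for proc in processes:
            started, image, _parent, cmdline = proc
            if burst_end <= started <= burst_end + window_ms and \
                    is_suspicious_shell(image, cmdline):
                alerts.append((burst, proc))
    return alerts
```

On the constructed data, the 40-key burst at 6 ms spacing is flagged and paired with the hidden, encoded PowerShell start 176 ms later, while the human-paced typing before notepad.exe produces nothing.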
What MDR Adds
Managed Detection and Response puts human
analysts behind the tooling around the clock. The key advantage is contextual threat hunting: an MDR analyst who
sees an anomalous PowerShell process with no obvious parent can actively
investigate — checking whether the machine has an unrecognized USB HID device
registered, whether the process timing coincides with a physical access window,
and whether similar patterns appear on nearby machines. This goes beyond
automated detection and can surface a MouseJack compromise that a pure EDR
deployment might log but not escalate.
Verdict: Where Each Tool Stands
| Layer | Tool | Assessment |
|---|---|---|
| RF Injection | AV / EDR / XDR / MDR | No detection. The attack occurs below all software-based security layers. The only defense is hardware: remove the vulnerable peripheral. |
| HID Input Trust | OS / EDR | No detection at entry. Some advanced agents can flag inhuman HID input rates, but this is not a standard or reliable control. |
| Command Execution | EDR | Partial — detects suspicious PowerShell, abnormal process chains, and unexpected network calls. Does not prevent entry but can interrupt an attack in progress. |
| Lateral Movement & Persistence | EDR / XDR / MDR | Good coverage. Malware behavior, credential abuse, and C2 activity are reliably detected and can trigger automated containment. |
| Incident Correlation | XDR / MDR | Strong. XDR correlates cross-source signals into coherent incidents. MDR adds human analysis and proactive hunting. |
🔒 The Bottom Line: EDR, XDR, and MDR are valuable and can catch the downstream consequences of a MouseJack attack — but none of them can see the radio frequency injection that starts it. The only way to close the entry point entirely is to remove the vulnerable hardware. Think of EDR/XDR/MDR as your burglar alarm: essential once someone is inside, but no substitute for a lock on the door.
The Module — Design & Engineering
This is a Flipper Zero-compatible board centered
on the NRF24L01 transceiver, featuring an SMA antenna connector, RF matching
components, and the power decoupling necessary for stable radio operation. It
plugs directly into the Flipper’s GPIO expansion header and runs community
firmware enabling RF scanning and protocol analysis across the 2.4 GHz band.
| Specification | Value |
|---|---|
| Transceiver | NRF24L01+ |
| Antenna | External SMA connector |
| Frequency Band | 2.4 GHz ISM |
| Host Interface | SPI via Flipper Zero GPIO expansion header |
| Power Regulation | On-board LDO with transient suppression for stable TX bursts |
| PCB | Custom 2-layer, Flipper-compatible form factor |
Engineering Challenges
RF Front End & Antenna Tuning
The 2.4 GHz band is acutely sensitive to PCB layout and component matching. Small
changes to L/C values and trace geometry produced measurable differences in
sensitivity and output power; iterative tuning with a spectrum analyzer was
essential.
Component Sourcing
Acquiring small quantities of SMD components proved a genuine bottleneck. Minimum
order quantities and long lead times from distributors added weeks to the timeline.
Debugging Without Instruments
The oscilloscope failed mid-development and had to be repaired before work could
meaningfully continue. Once restored, it dramatically reduced guesswork and
accelerated the debugging cycle.
PCB Constraints
The tight board area demanded careful RF trace routing, thorough ground stitching,
and targeted bypass capacitor placement to maintain radio stability under
real-world operating conditions.
Power Integrity
An on-board LDO and robust transient suppression were added to ensure the device
remains stable during transmit bursts, where instantaneous current demand spikes
sharply.
Responsible Disclosure & Ethics
This project is research-first. No
step-by-step exploit instructions are published. The goal is awareness —
particularly in a local market where these risks are almost entirely unknown.
• Test only on devices you own or with explicit, informed consent.
• Privately report critical findings to vendors and allow reasonable time for remediation.
• Publish high-level trends and mitigations to improve awareness and encourage vendor fixes.
Recommendations — Especially for the Maldives
Government & Enterprises
Audit all wireless peripherals against the
Bastille affected-device list. Replace unbranded 2.4 GHz dongles with Bluetooth
or wired alternatives in any environment handling sensitive data.
Banks & Financial Institutions
The combination of high-value targets and
cheap office peripherals is a serious risk. Procurement policy should
explicitly prohibit unverified non-Bluetooth wireless input devices.
Local IT Suppliers
Consider stocking and actively promoting
Bluetooth-based peripherals as a security-conscious alternative. Even a brief
note at point of sale about this class of risk would make a real difference.
End Users
If you use a cheap 2.4 GHz wireless mouse
or keyboard at work or at home, you are very likely vulnerable. Switching to
Bluetooth or wired peripherals eliminates this attack surface entirely.