ASSEMBLY CONCURRENT RESOLUTION No. 187
STATE OF NEW JERSEY
217th LEGISLATURE
INTRODUCED JUNE 2, 2016
Sponsored by:
Assemblywoman ANNETTE QUIJANO
District 20 (Union)
SYNOPSIS
Encourages encryption of wireless communication devices and modification of existing devices susceptible to attack by "mousejack," and encourages consumers to use encrypted wireless communication devices.
CURRENT VERSION OF TEXT
As introduced.
A Concurrent Resolutionencouraging vendors to encrypt all wireless communication devices and to address the security concerns of existing devices susceptible to attack by "mousejack," and encouraging consumers to use encrypted wireless communication devices.
Whereas, Wireless mice and keyboards are the most common wireless communication devices for computers; and
Whereas, Wireless mice and keyboards communicate with a computer by sending wireless radio signals to its paired USB dongle plugged into a computer; and
Whereas, Each time the mouse is clicked or a key is pressed, information describing this is sent to the wireless dongle which listens for wireless frequency packets; and
Whereas, "Mousejack" is the term coined for exploiting the weak security of poorly implemented communication protocols between a non-bluetooth wireless dongle and its paired wireless mouse or keyboard that communicates with the dongle via radio frequencies; and
Whereas, Vendors of wireless mice generally do not encrypt the data between the mouse and the dongle which makes the mouse vulnerable to hacking; and
Whereas, Most vendors of wireless keyboards encrypt data before transmitting it to the dongle, however not all dongles require data to be encrypted, allowing a hacker to transmit unencrypted keyboard packets directly to the dongle; and
Whereas, The dongle may be unable to distinguish between data transmitted by the wireless mouse or keyboard and those transmitted by a hacker; and
Whereas, A hacker can take control of the victim's computer from up to 100 meters away; and
Whereas, Once a computer is infiltrated, a hacker has the ability to insert malware, remotely download documents, emails, delete programs, and obtain credit card information and passwords which can result in identity theft; and
Whereas, When a personal laptop connects to a corporate network the malware will replicate onto all the company's computers to extract sensitive documents, user credentials, and to obtain the business's financial data; and
Whereas, Vendors of wireless communication devices should implement better security and confidentiality communication protocols to protect against the unauthorized access to or use of personal information that may result in substantial harm to a consumer, public, or private institutions; and
Whereas, Vendors should encrypt all wireless mice, keyboards, and dongles and make a full faith effort to address the existing security concerns of their unencrypted devices; and
Whereas, Some vendors can issue a firmware update to fix the security concerns, however most mice and dongles were not designed for updates; and
Whereas, Consumers of unencrypted wireless communication devices should check with their manufacturer for firmware updates or replace their unencrypted wireless communication devices immediately; now, therefore,
Be It Resolved by the General Assembly of the State of New Jersey (the Senate concurring):
1. This House encourages vendors to encrypt all wireless communication devices and to address security concerns of existing devices susceptible to attack by "mousejack," and encourages consumers to use encrypted wireless communication devices.
2. Copies of this resolution, as filed with the Secretary of State, shall be transmitted by the Clerk of the General Assembly to the Governor of New Jersey, the Lieutenant Governor of New Jersey, the Chairwoman of the Federal Trade Commission, and every member of Congress from New Jersey.
STATEMENT
This resolution encourages vendors to encrypt all wireless communication devices and to address the security concerns of existing devices susceptible to attack by "mousejack," and encourages consumers to use encrypted wireless communication devices.
Wireless mice and keyboards are the most common wireless communication devices for computers. Wireless mice and keyboards communicate with a computer by sending wireless radio signals to its paired USB dongle plugged into a computer. Each time the mouse is clicked or a key is pressed, information describing this is sent to the wireless dongle which listens for wireless frequency packets.
"Mousejack" is the term coined for exploiting the weak security of poorly implemented communication protocols between a non-bluetooth wireless dongle and its paired wireless mouse or keyboard that communicates with the dongle via radio frequencies. Vendors of wireless mice generally do not encrypt the data between the mouse and the dongle which makes the mouse vulnerable to hacking. However, vendors of wireless keyboards encrypt data before transmitting it to the dongle, but not all dongles require data to be encrypted, allowing a hacker to transmit unencrypted keyboard packets directly to the dongle. The dongle may be unable to distinguish between data transmitted by the wireless mouse or keyboard and those transmitted by a hacker.
A hacker can take control of the victim's computer from up to 100 meters away. Once a computer is infiltrated, a hacker has the ability to insert malware, remotely download documents, emails, delete programs, and obtain credit card information and passwords which can result in identity theft.When a personal laptop connects to a corporate network the malware will replicate onto all the company's computers to extract sensitive documents, user credentials, and to obtain the business's financial data.
Vendors of wireless communication devices should implement better security and confidentiality communication protocols to protect against the unauthorized access to or use of personal information that may result in substantial harm to a consumer, public, or private institutions. Vendors should encrypt all wireless mice, keyboards, and dongles and make a full faith effort to address the existing security concerns of their unencrypted devices. Some vendors can issue a firmware update to fix the security concerns, however most mice and dongles were not designed for updates. Consumers of unencrypted wireless communication devices should check with their manufacturer for firmware updates or replace their unencrypted wireless communication devices immediately.