New amazing Mic-E-Mouse attack revealed by researchers at UC Irvine, or how your High-DPI fancy gaming mouse can capture conversations by detecting desk vibrations and reconstruct user speech (“our computer mouse has big ears”)
Hackread posted this article:
But I can think of several ways to thwart this attack:
Throw your $300 flashy mouse away and buy a cheap $14.99 Low-DPI one
put a speaker on your desk near the offending mouse and let it reconstruct music
teach yourself and your colleagues sign language (and go to the bathroom for a call)
Or, the more obvious one, don’t run dodgy software! In principle, if you only run open source software then it should be obvious if the software is doing “advanced signal processing and machine learning” on the stream of mouse events.
Another possible mitigation would be to move the mouse unnecessarily. That is, it is not clear whether this attack only works when the mouse is not moving.
At some inconvenience, you could unplug the mouse when not in use. Or just flip it upside down?
I wonder whether it is possible to install a vibration generator on your desk surface, such that it is effectively generating random noise to be received by the mouse - but far too quiet to disturb the user’s ears.
An attacker only needs a way to collect the mouse’s packet data, which could be done through common software like video games or creative applications that naturally demand high-speed mouse data.
I assume that we are mainly talking about sandboxed environments. In a sandboxed environment, an application would need to ask to use a real microphone, and for some applications that would look quite suspicious and the user might well decline. In a non-sandboxed environment if you are going to run some dodgy blackbox video game, it can just use a real microphone and messing around with mouse events is rather unnecessary.
Some video games, particularly online ones, legitimately use the microphone, whether sandboxed or not.
Of course it is also possible that the computer has no attached microphone (or no functioning attached microphone), which is where this attack would really come into its own.
There are also other attack surfaces, such as using your mouse in a browser. I mean, we already have pixel-sized tiles that track your mouse and scripts that do all kinds of creepy things.
The issue I see: a cheap 20€/$ mouse cannot do more advanced things people like me rely on. It’s not so much about DPI, but more about 4-way mouse wheel, extra buttons, “programmable” (using a GUI to create macros) etc. It is hard enough to find something that meets my current requirements and it becomes even harder to find a mouse that is able to prevent this data.
But it could be pretty easy to prevent. Just create an open source mouse with free firmware such as QMK and build in functionality to collect all light data of 5ms or similar together and send it to the PC. 5ms would be 200Hz while keeping high precision even of 20kDPI … our voice is around 80Hz to 12kHz. It should prevent software from understanding things while firmware is trustworthy.
But who is creating such a mouse? Purism? They may produce one, but I’m sure not in the quality that people like me need. In fact, there is no single mouse on the market that meets my requirements, while I only choose between already existing features…
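A numerical check of the 5 ms batching idea from the post above, as an added example that is not from the thread or the research paper. The 8 kHz sensor rate, the tone frequencies and the amplitudes are assumed, constructed values; only the 5 ms window (200 reports per second) comes from the post.

```python
import math

SENSOR_HZ = 8000                         # assumed internal sensor rate (not from the thread)
REPORT_MS = 5                            # window proposed in the post: 200 reports per second
WINDOW = SENSOR_HZ * REPORT_MS // 1000   # sensor samples summed into one report (40)
REPORT_HZ = 1000 // REPORT_MS

def sensor_deltas(vib_hz, vib_amp=3.0, hand_speed=0.5, seconds=1.0):
    """Constructed input: steady hand motion plus one vibration tone (counts per sample)."""
    n = int(SENSOR_HZ * seconds)
    return [hand_speed + vib_amp * math.sin(2 * math.pi * vib_hz * i / SENSOR_HZ)
            for i in range(n)]

def aggregate(deltas, window=WINDOW):
    """Firmware-side batching: sum the deltas of each window into a single report."""
    return [sum(deltas[i:i + window]) for i in range(0, len(deltas), window)]

def tone_amplitude(samples, rate_hz, freq_hz):
    """Amplitude of one frequency in a sample stream (single-bin DFT)."""
    w = 2 * math.pi * freq_hz / rate_hz
    re = sum(s * math.cos(w * i) for i, s in enumerate(samples))
    im = sum(s * math.sin(w * i) for i, s in enumerate(samples))
    return 2 * math.hypot(re, im) / len(samples)

def alias_hz(freq_hz, rate_hz=REPORT_HZ):
    """Frequency at which a tone shows up after resampling to rate_hz."""
    f = freq_hz % rate_hz
    return min(f, rate_hz - f)

def surviving_fraction(vib_hz, vib_amp=3.0):
    """Share of the tone's amplitude still present in the 200 Hz report stream."""
    reports = aggregate(sensor_deltas(vib_hz, vib_amp))
    seen = tone_amplitude(reports, REPORT_HZ, alias_hz(vib_hz))
    return seen / (WINDOW * vib_amp)

if __name__ == "__main__":
    raw = sensor_deltas(440.0)
    batched = aggregate(raw)
    print("reports per second:", len(batched))
    print("net movement kept :", abs(sum(batched) - sum(raw)) < 1e-6)
    for hz in (90.0, 440.0):
        print(f"{hz:5.0f} Hz tone surviving: {surviving_fraction(hz):.3f}")
```

Under these assumptions the cursor's net movement is unchanged, a 440 Hz tone keeps under a tenth of its amplitude (folded down to 40 Hz), while a 90 Hz tone keeps about 70%, so a 5 ms window leaves the band below 100 Hz largely intact.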
For example, how about using one of these mosquito sonic repeller devices that emit ultrasounds at ~22kHz? Put it on your desk near the mouse - since those devices are using a piezo-electric emitter, this vibration would “drown” the mouse in an ocean of noise (if idle) but would not affect the optical sensor picking up motion as usual when you use the mouse. And since we humans don’t hear these higher frequencies, this wouldn’t bother you in any way.
I’m not sure that this will work. Why? Because AI could probably remove this much easier than you think. Especially if it does not mix up with human voice frequency. It’s like mono-input background noise cancellation like Krisp AI.
With the huge increase in the number of employees working remotely since COVID and employers wanting to try to make sure the employee is putting in a full day, you should not be surprised that you can easily buy a “mouse jiggler”. I’ve seen this in action. They cost about $20.
I was going to say the same thing except that you don’t even need AI. The vibrations have to interfere with the voice frequencies. If the interference is all at such high frequencies then it must be readily possible to filter them out (software band-pass filter).
That said:
There is no harm (as a hypothetical) in testing it out.
The repeller may be quite “noisy” i.e. not sticking to ultrasonic frequencies. I bought one once and I could hear noise coming from it and that was annoying so I returned the device for a refund. (For the avoidance of doubt, I am not a bat or a dog - but they do say that on the internet nobody knows you’re a dog so you will have to take my word for it.)
The research paper itself offers:
C. Countermeasures
Mouse Pads. Requiring a signal-absorbing mouse pad reduces vibration-based eavesdropping with minimal user disruption.