Hacking Wireless Mice with an NES Controller

Presented at ToorCon San Diego 17 (2015), Oct. 24, 2015, 1 p.m. (50 minutes)

Remember the original NES controller? With a bit of hackery, you can use it to control someone else’s wireless mouse! (If this happened to you at DEF CON, my sincere apologies.) I will show that it is possible to wirelessly compromise a computer that utilizes a Logitech Unifying mouse or keyboard/mouse combo. The transceiver chip supports AES-128 encryption, but this is only enabled for a subset of keyboard transmissions. Mouse packets, keyboard multimedia key press packets, and ACKs are transmitted in cleartext. I reverse-engineered the Logitech frame format and constructed a Teensy-based NES controller which functions as a portable attack platform. The controller identifies nearby devices, allowing it to record movement/click data as well as inject malicious frames. Utilizing the controller’s d-pad and buttons as input, it can control arbitrary Logitech mice in the vicinity. In this talk, I will show how it is possible to infer operating system type and display configuration from a passively collected heatmap of mouse movement data. I will then demonstrate applying that information to an active attack. Once the OS type and display configuration are known, it is possible to bring up an on-screen keyboard, and inject mouse frames to simulate key presses and download/execute a malicious payload.


Presenters:

  • Marc Newlin
    I am an engineer and IoT security researcher at Bastille in Atlanta, GA. I previously worked at the Fundamentals of Networking Laboratory at the University of Washington (where I had the interesting distinction of never having gone to college). I competed in the DARPA Shredder Challenge in 2011 where I wrote software to reassemble shredded documents, finishing the competition in third place. In 2013-2014, I was a finalist in the DARPA Spectrum Challenge, which served as my introduction to the world of SDR and wireless communication.
