If you're using an HP Inc wireless keyboard/mouse combo and the cursor starts behaving badly, someone might be pranking you.

That's because the wireless mouse in the ERK-321A bundle is unencrypted: anyone can sniff its signals, learn its protocol and commands, and inject their own signal in a spoofing attack.

German pentesters Syss reported the bug to HP Inc in March, got no response, and went public yesterday.

They used a Logitech USB radio dongle, research firmware from Bastille and custom software to create their proof-of-concept.

With that, if a user's workstation was unlocked, the pentesters could send “a list of mouse actions that start the virtual on-screen keyboard of the operating system and execute arbitrary commands in the context of the currently logged in user, for instance a download and execute attack vector.”

If the attacker can see the victim's screen, it's easy, but the notice says a bit of extra heuristic smarts can run an attack even without seeing the screen: with heuristics.

They note that the attack isn't operating-system specific. ®