Your gaming mouse may be spying on you—and AI is making it possible. UC Irvine researchers just proved that high-performance mice from major manufacturers can be transformed into covert microphones that capture conversations through desk vibrations. The sensors powering these devices come from Sunnyvale's PixArt Imaging, and the affected mice are made by companies with deep roots here in the Bay Area, as well—Razer, Logitech, and Corsair among them.
The security researchers have developed what they're calling "Mic-E-Mouse," a technique that exploits the advanced sensors in gaming mice to covertly eavesdrop on users. The vulnerability affects mice with polling rates of 4,000 Hz or higher—specifications increasingly common in affordable gaming peripherals that now cost under $50. And here's the kicker: many of the affected devices are manufactured by companies with deep Bay Area roots.
PixArt Imaging, operating its U.S. headquarters from 1263 Oakmead Parkway in Sunnyvale, manufactures the Paw3395 and Paw3399 sensors identified as vulnerable in the research. According to company information on LinkedIn, these sensors power dozens of consumer mice from major manufacturers. Corsair, headquartered in nearby Milpitas, uses PixArt sensors including the PMW 3392 in its gaming mice. Logitech, with its U.S. headquarters in San Jose, famously co-developed the PMW3366 sensor with PixArt—though the company has since moved to its own HERO sensors.
Razer, which opened its first U.S. RazerStore in San Francisco in 2016 and maintains offices in the city despite having its U.S. headquarters in Irvine, manufactures the Razer Viper 8KHz—one of the mice specifically tested in the UCI research, as reported by Razer's newsroom. The company uses customized versions of PixArt sensors branded as "Focus" and "Focus Pro."
The research demonstrates how acoustic vibrations from human speech travel through desk surfaces and are detected by a mouse's optical sensor, which can sample data up to 8,000 times per second. Using signal processing and machine learning, according to research published on arXiv, the UCI team achieved speech recognition accuracy between 42% and 61%—enough to capture sensitive portions of conversations.
How the Attack Works
The attack doesn't require sophisticated hardware, just a compromised computer running software that can access mouse sensor data. The researchers tested their pipeline on popular mice including models from Razer, Darmoshark, and AtomPalm, all equipped with sensors capable of detecting minute surface vibrations induced by sound waves.
What makes the vulnerability particularly concerning is that it doesn't require system-level permissions, according to the researchers' project website. User-space applications—including graphical software, open-source games, or even compromised web browsers—can collect this sensitive data and transmit it remotely. The researchers demonstrated proof-of-concept exploits through modified versions of applications like creative editing software and the open-source game OpenBlok.
The Technical Details
The Mic-E-Mouse pipeline works by first collecting non-uniform mouse sensor data, then applying signal processing techniques including Wiener filtering to reduce noise. A neural network model trained on speech datasets finally reconstructs intelligible audio from the processed vibration patterns. According to the research paper, the system improved signal-to-noise ratio by up to 19 dB in controlled environments.
Not all surfaces are equally vulnerable. The researchers found that plastic and paper surfaces transmitted vibrations more effectively than thick cardboard or rigid materials. Speech volume also matters—conversations at typical office levels of 60-80 decibels were most successfully captured, while quieter discussions degraded accuracy significantly.
Who's at Risk?
The research identifies 26 commercially available mice vulnerable to this attack, according to the paper's appendix, with prices ranging from $35 to $350. As sensor technology continues to advance and costs decrease, more consumers, businesses, and government entities are adopting these high-performance devices—expanding the potential attack surface.
The vulnerability is particularly relevant for remote workers and sensitive environments where microphone-free computers are used for confidential discussions. The attack scenario outlined by the researchers involves a victim engaged in a sensitive conversation in a room with a desktop computer lacking a microphone, where an attacker exploits the mouse to recover speech signals.
Defensive Measures
The UCI researchers have disclosed the vulnerability to affected vendors, including PixArt Imaging, and filed for a CVE under "Improper Protection of Physical Side Channels," as noted in their published research. They suggest several countermeasures: using signal-absorbing mouse pads, blacklisting vulnerable devices through IT policies, or maintaining approved peripheral lists in security-sensitive environments.
Firmware updates that limit the amount of sensor data exposed could also mitigate the risk, though such changes would require cooperation from mouse manufacturers and sensor companies like PixArt Imaging. The research team emphasizes that their disclosure aims to raise awareness rather than enable malicious use—all attack code has been kept in private repositories.
The Broader Context
This research follows a pattern of side-channel attacks that exploit everyday devices for surveillance. Previous examples include extracting audio from light bulb vibrations (Lamphone), using LiDAR sensors in robot vacuums for eavesdropping (LidarPhone), and even recovering cryptographic keys through acoustic analysis of computer processors, according to related research cited in the paper.
The rise of work-from-home policies has made these vulnerabilities more relevant, as employers have less control over the physical security of their workforce's computing environments. The researchers note that while their attack requires some level of system compromise, the accessibility of user-space mouse data makes it easier to execute than many other side-channel attacks.
The UCI team's name choice—"Mic-E-Mouse"—was inspired by "a certain fictional mouse with big ears," a playful reference that belies the serious security implications of their findings. As high-performance gaming peripherals become mainstream productivity tools, the line between enhanced user experience and potential security vulnerability continues to blur.
