If you use a Logitech (LOGI) wireless mouse, keyboard or other device fix your dongle! The Logitech wireless dongle (officially Unifying Receiver) is vulnerable to an issue discovered in 2016 as well as newly discovered vulnerabilities unless you’ve updated the firmware. Download and install the latest firmware update to protect against vulnerabilities.
Mousejack attach
Affected Logitech wireless devices are vulnerable to a hack called “Mousejack.” Mousejack, (CVE-2016-10761) was first reported in 2016 by IoT security firm Bastille Networks, Inc. The Mousejack attach works by sending malicious radio signals (packets) wirelessly to an unsuspecting user through Logitech Unifying wireless technology. Logitech only partially fixed the hole (Cert VU#981271) in 2016. Mousejack uses the vulnerable Logitech Unifying receiver to intercept and inject unencrypted signals within a range of about 100 meters.
Incomplete fix
Logitech did not recall the Unifying Receiver back in 2016 when Mousejack appeared. Four new vulnerabilities were discovered in 2019. The new vulnerabilities are based on the incomplete 2016 fix. Logitech will only fix two of the four vulnerabilities, the others will remain unpatched. The vulnerabilities are logged as:
Logitech will not fix the holes identified in CVE-2019-13052 or CVE-2019-13053, both of which impact all Logitech Unifying devices. A Logitech representative told the Verge:
Logitech evaluated the risk to businesses and to consumers and did not initiate a recall of products or components already in the market and supply chain.
Logitech plans to patch the security flaws in CVE-2019-13054 (impacts Logitech R500, Logitech SPOTLIGHT) and CVE-2019-13055 which affects all encrypted Unifying devices with keyboard capabilities.
All Logitech USB dongles
Marcus Mengs, the researcher who discovered these vulnerabilities, told ZDNet the vulnerabilities impact all Logitech USB dongles that use the company’s proprietary “Unifying” 2.4 GHz radio technology to communicate with wireless devices.
Unifying is a Logitech standard dongle radio technology, and has been shipping with a wide range of Logitech wireless gear since 2009. The dongles are often found with the company’s wireless keyboards, mice, presentation clickers, trackballs, and more.
- Sniff keyboard traffic,
- Inject keystrokes (even into dongles not connected to a wireless keyboard)
- Take over the computer to which a dongle has been connected.
- Steal the encryption key between the dongle and its paired device
- Bypass a “key blacklist” designed to prevent the paired device from injecting keystrokes
Bastille Networks
Techsupportalert.com reports that many of the vulnerable dongles are still on the market even though Logitech started releasing updated dongles sold with mice, keyboards, and stand-alone receivers.
Hard to find firmware update
Not long after the discovery, Techsupportalert.com, says Logitech issued a firmware update but it was hard to find on the support site and wasn’t widely known. If you didn’t update the firmware then (and most of us didn’t know about it) now is an excellent time to update.
Even if you installed the Logitech drivers and configuration app that came with the device, you are not protected. The required firmware update is not included, it must be downloaded and installed separately.
Give credit to Logitech, their firmware can be updated, where other manufacturer’s wireless dongles cannot be updated. This includes products from Microsoft, Dell (DELL, HP (HPQ), and Lenovo (LNVGY). In fact, any device that uses the same Nordic Semiconductor or Texas Instruments (TXN) chips and firmware for wireless receivers is vulnerable. The NordicRF nRF chip is a common chip used in wireless keyboards, mice, and presentation tools, which are frequently found in non-Bluetooth wireless input devices.
If you use a wireless device from Logitech or the Lenovo 500 devices, Bastille recommends you update your firmware. Any other non-Bluetooth wireless devices should be disconnected and you should contact your vendor and ask what models are not vulnerable before you replace your current gear.
Lenovo’s announcement is here.
Logitech’s announcement is here.
Here are the direct download links to the Logitech Unifying Receiver firmware update for PC, Mac, and the gaming mouse:
- Logitech PC firmware update (zip)
- Logitech Mac firmware update (zip)
- Logitech G900 gaming mouse firmware update (zip)
rb-
You probably have an affected device on your network. Logitech has sold well over a billion mice. Users can recognize if they’re using a vulnerable dongle if it has an orange star printed on one of its sides.
If you have any extra Logitech wireless dongles around (I have several) you may want to update them.
You should also check back in with Logitech support, to see if the promised additional fixes will be forthcoming in August 2019.
Related Posts
Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.