Earlier this week a security researcher responsibly disclosed 4 new vulnerabilities within Logitech products that use the USB Unifying receiver (a small black dongle with an orange star on it).
An attacker would need to be within range of the Unifying receiver (approx. 30 metres) to exploit some of these vulnerabilities. Others require physical access. Due to compatibility reasons; Logitech will only be patching 2 of these vulnerabilities in August 2019. To remain secure, you will need to physically secure (see the FAQ linked to below for specifics) the presentation clicker, mouse or keyboard from an attacker or use a wired keyboard or mouse.
Why should these vulnerabilities be considered important?
Before discussing the results of successfully exploiting these vulnerabilities; for an attacker to exploit these vulnerabilities they first either need to be nearby (approximately 30 metres) or to have physical access to your Logitech Unifying receiver (sometimes for a very short time) and preferably the device connected to it too.
The researchers GitHub page discusses all of the vulnerabilities (numbered 1 to 7).
Vulnerability 1 and vulnerability 7 don’t require physical access to the Logitech receiver or device but would require that the attacker is nearby (approximately 30 metres).
Vulnerability 4 needs physical access for some of the exploit to work. Using these vulnerabilities an attacker could inject arbitrary keystrokes into an affected receiver (leading to remote code execution), decrypt keyboard input and force a new device of the attacker’s choice to enter keystrokes which are sent to your system.
Affects of exploiting:
Vulnerability 1: keystroke injection
Vulnerability 2: keystroke injection Patched in 2016 (see my original post on this)
Vulnerability 3: keystroke injection
Vulnerability 4: keystroke injection and disclosure of the per-device link-encryption keys (the attacker could decrypt the data being sent between the receiver and the device)
Vulnerability 5: same as 4
Vulnerability 6: smaller scale keystroke injection and disclosure of link encryption keys of all paired devices
Vulnerability 7: Forced pairing of a device of the attacker’s choice to use for keystroke injection
How can I protect my organisation or myself from these vulnerabilities?
If your device offers a Bluetooth connection, switch to using it rather using the USB dongle. However this workaround is not without potential drawbacks. Nothing is ever totally secure but Bluetooth has had some notable vulnerabilities in recent years (BlueBorne, side channel attacks (defined) and BleedingBit).
If you have not already done so; check if an update is available for your Logitech Unifying receiver (the USB dongle) that were released in 2016. My post written back in 2016 provides all of the details to update affected devices.
Of the 4 remaining vulnerabilities disclosed this week; only 2 will be patched by Logitech. If they were to fix all 4 this would result in compatibility issues between the device and the receivers.
Please refer to the security researchers GitHub page frequently as further details and notifications of updates will be placed there.
According to Heise.de (a German website); I have Google Translated the section detailing how to physically secure your Logitech devices to protect against this:
“The necessary protective measures make it particularly difficult to work in a professional environment, as it can often not be guaranteed that no unauthorized persons can access the USB receiver, which is usually located in the back of the computer. An attacker only needs an unobserved moment and a few seconds to access the receiver in order to permanently attack the radio connection from a distance. If you want to be on the safe side, you should better take the Unifying receiver off the computer and take it with you. Basically one should ask yourself the question, if it has to be a wireless keyboard or mouse at all. Because the safest thing is still a cable connection.”
Copyright © 2019 Heise Media
My sincere thanks to Heise for this very useful explanation.
The other remaining and possibly the easiest method to remain fully secure is to use a wired keyboard and mouse but I realise for laptop users or those who use presentation clickers this really isn’t an option.
I own a lot of Logitech wireless mice; all with the Unifying receiver. I patched them all back in 2016. I will be patching them again as soon as possible and taking the receivers with me when away from my systems (not sure how I will tell which is which but I will come up with some means of telling them apart).