Tag Archives: mousejack

Logitech Unifying Receiver Vulnerabilities

====================
Update: 12th August 2019
====================
When the updates from Logitech are available; the links will be placed within the following forum thread:

https://support.logi.com/hc/en-001/community/posts/360033207154-Logitech-Unifying-Receiver-Update

====================
Original Post
====================
Earlier this week a security researcher responsibly disclosed 4 new vulnerabilities within Logitech products that use the USB Unifying receiver (a small black dongle with an orange star on it).

====================
TL DR:
An attacker would need to be within range of the Unifying receiver (approx. 30 metres) to exploit some of these vulnerabilities. Others require physical access. Due to compatibility reasons; Logitech will only be patching 2 of these vulnerabilities in August 2019. To remain secure, you will need to physically secure (see the FAQ linked to below for specifics) the presentation clicker, mouse or keyboard from an attacker or use a wired keyboard or mouse.
====================

Why should these vulnerabilities be considered important?
Before discussing the results of successfully exploiting these vulnerabilities; for an attacker to exploit these vulnerabilities they first either need to be nearby (approximately 30 metres) or to have physical access to your Logitech Unifying receiver (sometimes for a very short time) and preferably the device connected to it too.

The researchers GitHub page discusses all of the vulnerabilities (numbered 1 to 7).

Vulnerability 1 and vulnerability 7 don’t require physical access to the Logitech receiver or device but would require that the attacker is nearby (approximately 30 metres).

Vulnerability 4 needs physical access for some of the exploit to work. Using these vulnerabilities an attacker could inject arbitrary keystrokes into an affected receiver (leading to remote code execution), decrypt keyboard input and force a new device of the attacker’s choice to enter keystrokes which are sent to your system.

====================

Affects of exploiting:

Vulnerability 1: keystroke injection

Vulnerability 2: keystroke injection Patched in 2016 (see my original post on this)

Vulnerability 3: keystroke injection

Vulnerability 4: keystroke injection and disclosure of the per-device link-encryption keys (the attacker could decrypt the data being sent between the receiver and the device)

Vulnerability 5: same as 4

Vulnerability 6: smaller scale keystroke injection and disclosure of link encryption keys of all paired devices

Vulnerability 7: Forced pairing of a device of the attacker’s choice to use for keystroke injection

====================

How can I protect my organisation or myself from these vulnerabilities?
If your device offers a Bluetooth connection, switch to using it rather using the USB dongle. However this workaround is not without potential drawbacks. Nothing is ever totally secure but Bluetooth has had some notable vulnerabilities in recent years (BlueBorne, side channel attacks (defined) and BleedingBit).

If you have not already done so; check if an update is available for your Logitech Unifying receiver (the USB dongle) that were released in 2016. My post written back in 2016 provides all of the details to update affected devices.

Of the 4 remaining vulnerabilities disclosed this week; only 2 will be patched by Logitech. If they were to fix all 4 this would result in compatibility issues between the device and the receivers.

Please refer to the security researchers GitHub page frequently as further details and notifications of updates will be placed there.

According to Heise.de (a German website); I have Google Translated the section detailing how to physically secure your Logitech devices to protect against this:

====================
“The necessary protective measures make it particularly difficult to work in a professional environment, as it can often not be guaranteed that no unauthorized persons can access the USB receiver, which is usually located in the back of the computer. An attacker only needs an unobserved moment and a few seconds to access the receiver in order to permanently attack the radio connection from a distance. If you want to be on the safe side, you should better take the Unifying receiver off the computer and take it with you. Basically one should ask yourself the question, if it has to be a wireless keyboard or mouse at all. Because the safest thing is still a cable connection.”

Copyright © 2019 Heise Media
====================

My sincere thanks to Heise for this very useful explanation.

The other remaining and possibly the easiest method to remain fully secure is to use a wired keyboard and mouse but I realise for laptop users or those who use presentation clickers this really isn’t an option.

I own a lot of Logitech wireless mice; all with the Unifying receiver. I patched them all back in 2016. I will be patching them again as soon as possible and taking the receivers with me when away from my systems (not sure how I will tell which is which but I will come up with some means of telling them apart).

Thank you.

Are Your Mice Vulnerable To MouseJack?

In late May it was brought to my attention by a colleague that a potentially serious security vulnerability was discovered by Internet of Things security firm Bastille. This issue was disclosed earlier this year in February. It’s named MouseJack.

Why Should This Issue Be Considered Important?
While I use the term “issue” MouseJack consists of several vulnerabilities rather than just one. These vulnerabilities could allow an attacker to type commands of their choice into a victim’s computer from up to 100 metres away. The only equipment the attacker would need is a USD $15 USB dongle.

It’s important to point out that the vulnerabilities are within the firmware of a wireless keyboard/mouse USB dongle and not the mouse itself. Firmware is semi-permanent embedded software code that allows a device to carry out its function by having the low-level hardware carry out useful sequences of events.

While the need to encrypt the data travelling between a wireless keyboard and the computer it is connected to was recognised and implemented by many well-known vendors (since keyboards are used to enter passwords and other sensitive data). The same encryption was not applied to the transmission of mouse clicks (and other buttons including scrolling wheels) from the mouse to the computer.

A proof of concept video demonstrating how these vulnerabilities can be used by an attacker was made available on YouTube and illustrates the vulnerabilities very well.


How Can I Protect Myself From These Issues?

I found this CERT security advisory very helpful in terms of next steps to follow.

Since I own a lot of Logitech mice and a keyboard it was fantastic to see that Logitech made available a security update that upgrades the firmware of the USB dongle to resolve these vulnerabilities.

While Lenovo did the same, they don’t allow end-users to install it and you need to contact them to arrange for an exchange of your devices (with Dell providing a similar response). Microsoft on the other hand issued an update for affected devices in a similar manner to Logitech that won’t require you to return your devices to them.

I have provided the links below to some of the vendor’s responses/updates below:

Lenovo
Dell (PDF)
Microsoft

A full list of the affected devices is available here. This page also provides further recommended actions.

All but one of my mice are Logitech Performance MX (which I purchased from 2009 onwards). Every dongle belonging to each of the mice had old vulnerable firmware installed (including a Performance MX purchased in March this year).

My mice had the following vulnerable versions installed:

  • 012.001.00019
  • 012.003.00025 (March 2016 mouse)

I followed the steps within this Logitech forum thread (please see the first post) to very quickly patch each of the USB dongles using one of my Windows systems. The mice continue to work as normal, but without the vulnerabilities.

The firmware versions of all previously affected USB dongles are now 012.005.00028

While my mice are not listed as affected, the Unifying USB dongle is present across almost all of Logitech’s product range making the Performance MX affected by association rather than directly.

For the spare Logitech keyboard and mouse (Logitech MK250) that I have, they are not affected by these issues since they use an older and much larger USB receiver. This receiver doesn’t have the Unifying technology that was vulnerable to these issues.

I verified that the firmware of the receiver was not affected by installing the Logitech Connect Utility v2.0.3.0. This is the equivalent of the newer Unifying software for this keyboard and mouse.

The firmware version was 015.000.00048 which is not in the affected range of the 012.xxx.000xx, 024.xxx.000xx that the Logitech update was designed to address.

I wanted to point this vulnerability out to those who use wireless keyboards and mice; they may also be vulnerable to this issue. For those fortunate enough to use Microsoft and Logitech peripherals you can install the necessary updates quickly and easily.

Many thanks to my colleague (you know who you are) for bringing these vulnerabilities to my attention.

I hope that the above information is helpful. Thank you.