
Take note if you are using a Logitech Unifying USB dongle: they are wildly insecure

By Kenny Yeo - on 21 Jul 2019, 10:28am


Note: This article was first published on 21 July 2019.

Logitech's Unifying USB receiver (Image source: Wikipedia)

Security researcher Marcus Mengs has discovered more vulnerabilities in Logitech's Unifying USB receivers.

This isn't the first time that Logitech's Unifying USB receivers have been found to be insecure. Earlier this year, we reported that some of Logitech's mice were still susceptible to the MouseJack keystroke injection attack.

MouseJack was highlighted as early as 2016 but Logitech still ships devices that are vulnerable to this attack. I recommend reading our earlier report to know how MouseJack works.

Now, Mengs has discovered new vulnerabilities that allow attackers to sniff keyboard traffic, inject keystrokes (even into dongles not connected to a wireless keyboard) and even take over computers which are connected to Logitech's USB receivers.

For example, if an attacker can capture the pairing action between a Logitech wireless device and the Unifying USB receiver, he or she can then recover the encryption key used to encrypt traffic between the two components.

With the stolen key, the attacker can then inject keystrokes, eavesdrop and decrypt keyboard input immediately — effectively becoming a live keystroke logger.

Wireless Logitech devices that are reliant on the Unifying USB receiver like the M510 are susceptible to these attacks. (Image source: Logitech)

In another example, Mengs said that it is possible for an attacker to inject keystrokes into a system connected to a Unifying USB receiver even if the attacker did not have the encryption key.

It sounds scary, but fortunately, for this attack to work, the attacker needs physical access to the devices.

However, all it takes is for the attacker to press between 12 and 20 keys to record a sample of encrypted traffic. With this sample, the encryption key can be recovered and the attacker can inject keystrokes.

Most worrying of all, however, is that Logitech reportedly does not have plans to patch all of these newly discovered vulnerabilities.

If it's any consolation, these vulnerabilities do not affect devices connected over Bluetooth. So if your Logitech device supports Bluetooth, use Bluetooth instead. Alternatively, switch to a wired keyboard or mouse.

To read about the vulnerabilities in detail, click the links below.

Source: Marcus Mengs via ZDNet
