Logitech Response to Research Findings

Answered

Comments

28 comments

  • Zdenek Jindra

    Thanks to Logitech for developing a fix. But it should have been easier. The regular Unifying software had a Check for Updates button, but never offered this fix. I fancy myself a power user and it still took me about 10 minutes to find this after reading about this vulnerability on a random IT news website.

    3
  • Alan Leghart

    "To our knowledge, we have never been contacted by any consumer with the issues reported by Bastille..." --@Laurie Corona? 

     

    Hi. I'm a consumer. But I also work in I.T. We got mouse-jacked. Luckily, the pen tester was hired by us. He executed several scripts without ever exposing his Raspberry Pi hidden in a clipboard. The flash on the screen was so brief, all he had to do was hold up his clipboard to distract us for half a second.

     

    This method is used to install back-doors and memory scrapers. They can get admin credentials that are still resident in RAM. Then, they don't need to look for wireless mouses any more. They can RDP and script their way through the rest of the network.

     

    Yes, the memory scrapes are exploiting vulnerabilities from OS that aren't under the control of Logitech. But, the m570 was the virtual keyboard that gave the hacker access to the OS from across the room.

     

    The solution was not to write a letter to Logitech begging for updates. It was budgeting to dispose of the exploitable technology and move to Bluetooth or USB-wired input devices.

     

    This response from Logitech seems very condescending.

    3
  • apao

    The firmware update tool that you provide (SecureDFU_48.exe) to address a security vulnerability with your Wireless Unifying receiver and Wireless Keyboards cannot be run silently. Other enterprise users on this official announcement page have complained about the same. We need a way to A) silently run the tool to update our devices and B) a way to remotely scan these devices to identify that their firmware has been updated.

    Just an idea... Could you all possibly create an additional PnP device ID string with an additional field that can be used as an identifier indicating the firmware level? This would greatly help enterprise IT staff deploy this fix.

    Example:

    • Standard PnP device ID string for a wireless Logitech keyboard:
      HID\VID_046D&PID_C52B&MI_00

    • PnP device ID string w/ FW revision:
      HID\VID_046D&PID_C52B&MI_00&FW_02

    Would it be possible to update the firmware update tool to A) run silently and B) append a &FW_## string to the hardware device ID list for that device?

    3
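As an added example (not code from this page, from Logitech, or from the commenter), here is a small Python parser for PnP hardware ID strings of the form quoted above. It extracts the VID/PID/MI fields, honours the hypothetical `&FW_##` suffix apao proposes (no shipping Windows ID carries that field), and groups the Unifying receivers found (VID_046D and PID_C52B, as quoted in the comment) by reported firmware field, so an admin scanning exported device lists can see which dongles report no firmware level at all. The sample ID list, the extra `MI_01` interface, the non-Logitech VID/PID and the malformed entry are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Vendor and product IDs exactly as they appear in the PnP hardware ID quoted
# in apao's comment: HID\VID_046D&PID_C52B&MI_00 (Logitech Unifying receiver).
LOGITECH_VID = "046D"
UNIFYING_PID = "C52B"

# One "KEY_VALUE" token of the '&'-separated instance part, e.g. VID_046D.
_FIELD = re.compile(r"([A-Za-z]+)_([0-9A-Fa-f]+)")


@dataclass(frozen=True)
class PnpId:
    bus: str            # enumerator before the backslash: HID, USB, ...
    vid: str
    pid: str
    mi: Optional[str]   # interface number, absent on the USB parent node
    fw: Optional[str]   # hypothetical "&FW_##" suffix proposed in the comment


def parse_pnp_id(device_id: str) -> PnpId:
    """Split a Windows-style PnP hardware ID into its KEY_VALUE fields.

    Tokens that are not KEY_VALUE (e.g. a trailing "Col01") are ignored so
    that real IDs with extra qualifiers still parse; VID and PID are required.
    """
    bus, sep, rest = device_id.strip().partition("\\")
    if not sep:
        raise ValueError(f"no enumerator separator in {device_id!r}")
    fields: Dict[str, str] = {}
    for token in rest.split("&"):
        m = _FIELD.fullmatch(token)
        if m:
            fields[m.group(1).upper()] = m.group(2).upper()
    if "VID" not in fields or "PID" not in fields:
        raise ValueError(f"missing VID/PID in {device_id!r}")
    return PnpId(bus.upper(), fields["VID"], fields["PID"],
                 fields.get("MI"), fields.get("FW"))


def is_unifying_receiver(dev: PnpId) -> bool:
    """Match the HID node of a Unifying receiver.

    The USB parent node carries the same VID/PID under the USB enumerator,
    so restricting to HID avoids counting one dongle twice.
    """
    return dev.bus == "HID" and dev.vid == LOGITECH_VID and dev.pid == UNIFYING_PID


def inventory(device_ids: Iterable[str]) -> Dict[str, List[str]]:
    """Group Unifying receiver IDs by their FW field ("unknown" if absent)."""
    report: Dict[str, List[str]] = {}
    for raw in device_ids:
        try:
            dev = parse_pnp_id(raw)
        except ValueError:
            continue  # not a PnP ID at all; skip rather than abort the scan
        if not is_unifying_receiver(dev):
            continue
        report.setdefault(dev.fw or "unknown", []).append(raw)
    return report


# Constructed sample: the two IDs from the comment plus a second interface,
# the USB parent node, a non-Logitech device and one malformed entry.
SAMPLE_DEVICE_IDS = [
    r"HID\VID_046D&PID_C52B&MI_00",
    r"HID\VID_046D&PID_C52B&MI_00&FW_02",
    r"HID\VID_046D&PID_C52B&MI_01&FW_02",
    r"USB\VID_046D&PID_C52B",
    r"HID\VID_1234&PID_ABCD&MI_00",
    "not-a-device-id",
]

if __name__ == "__main__":
    for fw, ids in sorted(inventory(SAMPLE_DEVICE_IDS).items()):
        print(f"FW {fw}: {len(ids)} receiver HID interface(s)")
        for i in ids:
            print("   ", i)
```

The parser is deliberately tolerant of unknown `&` tokens and of lowercase input, because IDs exported from different inventory tools are not always normalised; only a missing enumerator or missing VID/PID is treated as an error, and such entries are skipped rather than aborting the whole scan.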
  • Nathan Nally

    Hi - Are there any silent switches available to deploy this across an enterprise environment where there are many devices? Manually updating dongles one at a time isn't very reasonable. Also, is there a way to inventory the firmware versions?

    2
  • Tim Rausch

    Is there a way to silently run the SecureDFU_48.exe application? I'm talking about hundreds of dongles that need updates.

    2
  • Dogman From Space

    Hi Logitech:

    Why has Logitech made this page so difficult to find?

    Just about any links that one finds redirects to the support.logi.com landing page and searching for "Logitech Response to Research Findings" from the support.logi.com landing page does not give any results.

    It is the same for the firmware update tool.

    Is Logitech serious about fixing this?

    2
  • Clay

    We have a Windows server running our security system with a K830 keyboard and unifying dongle purchased a few years ago and 2 days ago hackers gained access to the machine, stealing all the saved logins from the browser and using the computer remotely to place online orders. $1600 spent via PayPal on a phone and iTunes gift cards before we cottoned on. We run a tech savvy business and a lot of care is taken when it comes to security and we couldn't work out how this happened, then a friend forwarded a link to an article about this exploit and it all made sense. God knows how much this could (and maybe will) cost our business. Consider this contact from a consumer reporting the issues reported by Bastille. We had the Unifying software installed, why wasn't it able to update the firmware on the dongle and/or keyboard? We had to download this separate tool to upgrade both.

    2
  • Jeff Jackson

    I'm going to post this here and on the more recent security bulletin.

    I have a NON-unifying receiver, C-U0010. It appears vulnerable to this mousejack attack. Was able to write a short 'duckyscript' to tell it to type 'Hi' and it worked just fine.

    I see these updates for Unifying receivers but nothing at all for non-unifying ones. And this receiver was bought this year from the local Target, with an M-R0061.

    Are you intending to leave anyone who chose a mouse with a design on it open to this vulnerability?

    2
  • Robert Frapples

    I am supposed to download and run an executable from some random S3 bucket because a link was posted by some person who may or may not be a Logitech employee?! No way am I doing that.

    I guess this is the kind of security that I should expect from a company that sells wireless mice that let attackers send arbitrary keystrokes.

    Seriously Logitech, put this with the rest of your downloads here https://support.logitech.com/en_us/downloads

    Until this is fixed, my beloved M570 is sitting on a shelf and I am not buying any more Logitech products.

    1
  • Tim Rausch

    @Laurie Corona

    Deploying Logitech software (Options) and these firmware updates in an enterprise environment is terrible! IT administrators have to jump through hoops to identify and update this stuff. Can you push the idea of silent installs to the dev team?

    Also, we have to track these vulns and remediate them to comply with audits! Yeah, this may be a super unlikely and hard to implement attack but auditors don't care!

    1
  • Lukasz Biegaj

    @Laurie Corona Is there a firmware update available for Linux users?

    1
  • Zdenek Jindra

    This mousejack attack got into the news last week. Again. And some new Logitech pieces were still affected. I do appreciate the patch, but please start taking this problem seriously.

    1
  • Randy woodruff

    Has anyone been able to find a way to silently install other than using Auto IT? I have thousands of users that need this patch. Ideally I would like to use SCCM to deploy.

    1
  • Jim Allen

    Any fix for PCs running Ubuntu?

    1
  • Zdenek J

    @James5394  Unplug the receiver and bring it to a Windows computer along with a flash drive with the patch. And hope that you have a supported hardware revision. This won't patch some of them. Note the firmware of your receiver prior to flashing in the Unifying software and verify that it has changed after the patch. The patch doesn't change anything in the OS; it stays in the dongle.

    As much as I'd like to roast Logitech for the arrogance, they are still the only ones to produce some solution. Dozens of other manufacturers left the vulnerability in, ignoring it altogether.

    1
  • Wojtek Kowalczyk

    @apao Logitech has released a CLI tool for enterprise customers in an update thread here. Not sure if it suits your needs, but may be worth a try.

    1
  • LogiLaurie

    Note: if you have K780 MULTI-DEVICE WIRELESS KEYBOARD, K375s MULTI-DEVICE KEYBOARD, WIRELESS TOUCH KEYBOARD K400 PLUS, MK850 PERFORMANCE or ILLUMINATED LIVING-ROOM KEYBOARD K830 connected with your Unifying receiver, the tool will guide you to update the firmware on the keyboard as well.

    Logitech’s Unifying technology was launched in 2007 and has been used by millions of our consumers since. To our knowledge, we have never been contacted by any customer with such an issue related to this potential vulnerability.

    0
  • Erin Dente

    Is an update available for Chrome? If so, where can I find it? The version available for download is from 2014. Thanks!

    0
  • Jason Goodfellow

    This firmware update is incomplete.

    I have 9 Unifying Dongles:

    1 x 012.000.00017 M/N: C-U0003 (Updated to 012.008.00030 fine with SecureDFU_48.exe)

    2 x 012.001.00019 M/N: C-U0003 (Won't update with SecureDFU_48.exe)

    2 x 012.001.00019 M/N: C-U0007 CE Stamp (Won't update with SecureDFU_48.exe)

    2 x 013.000.00026 M/N: C-U0004 (Won't update with SecureDFU_48.exe)

    2 x 024.000.00018 M/N: C-U0008 CE Stamp (Updated to 024.006.00030 fine with SecureDFU_48.exe)

    The 4 devices on

     Version:             RQR12.01_B0019

     VersionBootloader:   BOT01.02_B0014

    It's an omission on your part. I updated them on Linux to

     Version:             RQR12.07_B0029

     VersionBootloader:   BOT01.02_B0014

    then proceeded to update with SecureDFU_48.exe on Windows to

     Version:             RQR12.08_B0030

     VersionBootloader:   BOT01.02_B0014

    With regards to my 2 x 013.000.00026 M/N: C-U0004, you seem to have not released any firmware for them.

    Can we get a firmware for 013.000.00026?

    0
  • Jonas Müller

    Hi all!

    Is this hardware vulnerability still present in the newer models of unifying receivers? (2018 Models M/N:C-U0012)

    Did they change the hardware design of these newer receivers to shut the hole, or are they "only" firmware patched (and might therefore still be vulnerable....)?

    0
  • Nathan Nally

    Only way my team found to automate it is to use AutoIT to wrap it and press the keyboard shortcuts (I think it was ctrl + space).

    0
  • LogiLaurie

    Hello @Robert Frapples

    This is LogiLaurie, the Community Admin.

    I understand your concern and thank you for your feedback.

    The potential vulnerability is a difficult and unlikely path of attack. We've never, to our knowledge, been contacted by a customer with an issue related to this. Nonetheless, we take security seriously and are working to investigate this further.

    The Amazon S3 bucket is a secure storage service used by Logitech and we will take into consideration your feedback on adding it on the downloads page.

    Best regards,

    LogiLaurie

    Community Admin

    0
  • Zdenek Jindra

    @Laurie Corona

    I appreciate the confirmation. I must, however, notify you of a corporate fallacy: claiming not to have received complaints. Not only is the problem identification rate very low, but companies also avoid mass communication they can't handle. It probably took an article on a high-impact news server for you to notice. Thousands of individual e-mails would never be taken into account.

    @Robert Frapples

    That purist attitude just doesn't work. Maybe if you're only doing new machines with all support media included.

    0
  • Ian Warrington

    Hi there,

    On my Mac I have the "Logitech Options" software installed which regularly prompts me for updates. Would this software automatically update my device(s) with this patch?

    0
  • zspider1011

    Will this update the firmware on the WIRELESS TOUCH KEYBOARD K400 also? I ran the software on my Mac but it didn't prompt me to update the firmware for the keyboard.

    0
  • John Angelo Carandang

    Where's the updated link for Mac?

    0
  • Minh Duc Nguyen Huu

    When does Logitech release a patch for the Logitech G304?

    0
  • Andrew Pilling

    Why not just sell a wired version of your wireless products that are affected? I'm a huge fan of the wired wave keyboard and have to go out of my way to find resales of the wired version which Logitech has chosen to no longer sell. I don't want to have to stock batteries for the wireless version, and in working in close proximity to offices, above, below, and all around mine (some of which have folks with something to prove) I don't trust anything wireless to not eventually be compromised. Logitech's hubris about its wireless offerings is immensely disappointing, despite the great design of the wave keyboard.

    0
