Logitech Unifying Receiver Update

Comments

80 comments

  • Official comment
    Logi Moderator

    Hello Everyone,

    A firmware update for the Unifying technology USB receiver was released on the 28th August, 2019. This addresses the reported 'Encryption Key Extraction Through USB' vulnerability (known as CVE-2019-13054/55).

  • Alexander Draxler

    Where can I find the most current firmware for the receiver? ...the one that precedes the one coming out in August?

    4
  • Logi Moderator

    Hi Alexander7052,

    Two of the vulnerabilities (known as CVE-2019-13053 and CVE-2019-13052) would be difficult for an attacker to exploit and can be effectively protected against by applying the computing privacy guidelines above. We won’t address these with a firmware update as this would negatively impact interoperability with other Unifying devices. However, we take security very seriously and we recommend our customers update their wireless Unifying USB receivers to our current latest firmware.

    We are actively working on a further firmware update that will address the third vulnerability (known as CVE-2019-13054/55). We expect this to be available for all applicable devices in August, 2019. We will update this page with more information at that time.

    Warm Regards,

    Logi_Elie

    1
  • Mark Wilson

    A person trying to replicate these would need expertise and special equipment and to be within 10m range. They would need to act during the few seconds when someone is re-pairing a device to the Unifying receiver, or would need physical access to the target’s device or computer.

    Regarding the three justifications for deliberately and knowingly leaving this vulnerability in place:

    Expertise: It takes one person to do it. It's been done. Once it's been done by one person it can be done again. Now, this person has given you the opportunity to repair this flaw before someone less ethical is able to exploit it. You've chosen to ignore this opportunity in the majority of these proven exploits - now it's likely just a matter of time before someone less empathetic and ethical achieves the same, thanks to your deliberate and wilful ignorance of the first person's good work.

    Special equipment: 2.4GHz sniffers are not expensive. Here's a documented 2.4GHz hardware-level sniffer project for less than $30 that works over all protocols on that spectrum: http://blog.cyberexplorer.me/2014/01/sniffing-and-decoding-nrf24l01-and.html and that's just in the first few Google results.

    10m range (Given no signal boosting on the transceiver?): Even a 10m range is significant range of vulnerability. Consider someone in an apartment building - how many strangers live within 10m? Someone with their computer in the front-most room of their house would be within 10m of attackers in a car on the street. The probability of range and nefarious actors coinciding may be low in a residential environment, but that doesn't entirely preclude the extreme vulnerability that you're choosing to ignore.

    Physical access: Physical access restriction should always be maintained for many computing tasks, of course, but many of these vectors don't require physical access at the time of attack, merely a nearby presence at the time of pairing. For physical access restriction and person vicinity to now be a factor that should be considered as a result of these vulnerabilities is a weak workaround and frankly a non-attempt at resolution.

    I'd also add that physical access isn't as cut-and-dried as protecting your dongle or devices physically connected to your PC. If a malicious colleague or co-resident simply re-pairs your keyboard or mouse in your absence to their receiver, they need only wait and continue sniffing in order to have a guaranteed vector of attack without continuing physical access.

    If you could somehow elaborate on how "this would negatively impact interoperability with other Unifying devices", as you put it, perhaps I could have some sort of empathy for your decision to let a publicly-documented attack vector go unpatched.

    As a user and purchaser of your Unifying technology at home and work I am eagerly awaiting your response, as it will have an effect on our choice of hardware moving forward.

    7
  • Logi Moderator

    Hi Mark Wilson,

    Thank you for your message. We'd like to reassure you that our decision regarding CVE-2019-13053 and CVE-2019-13052 is made in full consideration of the work of this security researcher. We've been in contact with the researcher since he first made us aware of his findings and we made a decision based on our full understanding of risk. A firmware fix to address these vulnerabilities would make the updated receiver incompatible with some older mice or keyboards.

    -7
  • Mark Wilson

    You've taken a deliberate decision to favour legacy devices and retain the vulnerabilities across the entire Unifying system, rather than ensuring the security of current and future devices.

    I have zero empathy for you ACTIVELY-MAINTAINING a risk because your new hardware might be safe at the cost of legacy hardware being incompatible.

    Let's promulgate the security risk instead. That makes much more sense, and shows how valuable your customer's security is to you.

    Given these issues, who do I seek regarding a refund for now-deliberately-vulnerable hardware? And have you considered the implications of continuing to sell these vulnerable devices in countries where consumer law puts the onus on you for the faults you create - and particularly the faults you refuse to repair.

    This is completely unethical.

    8
  • Janne Kujanpää

    Why do the last two sentences of the article say that the new firmware is not yet available? IMO it should be the first sentence of the article!

    2
  • Mateusz Niepodam

    Is there a way to completely (permanently) disable the possibility of re-pairing devices to the dongle, leaving only the possibility to connect already paired devices? According to the vulnerability finder, "attacker with physical access to device and receiver could manually initiate re-pairing of an already paired device to the receiver, in order to obtain the link-encryption key." (https://github.com/mame82/misc/blob/master/logitech_vuln_summary.md#4-passively-obtain-logitech-unifying-link-encryption-keys-by-capture-of-pairing-rf-only-no-patch-from-vendor). As far as I understand, the functionality from my question would protect from such a vector of attack.

    1
  • ksavage

    The Logitech support page has an invalid HTTP certificate. The error I get back is:

    DLG_FLAGS_SEC_CERT_CN_INVALID. "The hostname in the website's security certificate differs from the website you are trying to visit."

    From a security perspective, this is very bad. It means most people will never get to the support page (because the browser warns them to stay away), and that the support page isn't secure. Definitely something to fix asap.

    1
  • David Pinto

    Hi, I have the CRAFT keyboard ... where can I find the update for Mac?

    2
  • Aaron Rosenfeld

    How about:

    • Creating a patch for the two vulnerabilities that would drop support for legacy devices
    • On patch installation OR on new device installation after patch installation:
      • The installer checks the list of currently installed devices
      • If any of the installed devices are legacy, the installer informs the user of the security/compatibility tradeoff, and lets them choose whether or not to install/rollback the patch
      • If the consumer chooses to eschew the patch in favor of compatibility, link them to a how-to to address the vulnerability at the OS level.

    There. I just pseudocoded a solution.

    I'm pretty sure you guys can implement something like this, instead of expecting your average consumer to make OS settings changes to address your vulnerability.

    4
  • John Angelo Carandang

    Where's the updated link for Mac?

    7
  • Anish S

    How can I update my unifying receivers for the Mac?

    5
  • Richard Bragg

    Please ensure there is a method to apply for Linux. Thanks.

    4
  • mbalcerak

    Where is the link to the "computing privacy guidelines" mentioned above?

    0
  • Sim Brar

    We have several such devices deployed in our organization to users with Mac devices. Where can the Mac firmware upgrade be found?

    1
  • Jeff Jackson

    I have a NON-unifying receiver, C-U0010. It appears vulnerable to the MouseJack attack. Was able to write a short 'duckyscript' to tell it to type 'Hi' and it worked just fine.

    I see these updates for Unifying receivers but nothing at all for non-unifying ones. And this receiver was bought this year from the local Target, with an M-R0061.

    Are you intending to leave anyone who chose a mouse with a design on it open to this vulnerability?

    3
  • Mark Wilson

    @Jeff

    Thanks for the testing. That's bloody scary.

    @logitech what the hell?

    2
  • Linux User

    1. So far no mention of support for Linux users.

    2. How about letting the customer choose whether backwards compatibility is something they need rather than leaving everything vulnerable? I'd rather do the security tradeoff decision myself and choose whether to apply an update rather than have you do it for me.

    2
  • JS

    It is very disappointing to read that only one of the three vulnerabilities will be patched. It was bad enough to have to manually update firmware on hundreds of keyboards to remediate the MouseJack vulnerability, now we will need to scrap them all and likely drop Logitech as a supported vendor.

    2
  • Mark Wilson

    Called Logitech support (1800 02 55 44 in Australia) to discuss the matter. They're aware of the general issue. They're seemingly-unconcerned. They certainly aren't aware of the queries we have been posting in this topic. They most definitely weren't aware of Jeff's replication with non-Unifying hardware.

    Have received an email from Art, VP Head of Mainstream Creativity & Productivity, but so far that's just been lip service and reported understanding of our concern. Given his role in the org I was happily-surprised to receive an email from him, but not surprised he hasn't had the time to respond. It's been five days now. I'm assuming his schedule's a bit booked, but I would have appreciated the issue being delegated to someone who was able to discuss the issue or read our updated collective concerns.

    Have called support again today and been told they can't assist because they're just a helpline, and I'm having a hell of a time transferring through to any department other than L1 support, whereas last time they transferred me to a relevant department immediately - that's the luck of the draw on call centre staff, I guess.

    They want to open a ticket and treat it as a support issue; I want to discuss my concerns with someone who actually understands them and is in a position to direct them somewhere immediately useful. The severity of this issue is increasing while the level of communication from Logitech does the opposite.

    Still on the phone with them. I recommend you get the number for your country and directly-relay your concerns to the operator who picks up. Be nice (L1 helpdesk is not a fun job when it's not a L1 issue), but be direct in your demands for a resolution.

    Considering the expense of replacing all wireless Logitech hardware, I've got hours to go yet before the time on the phone costs more than replacing the hardware... plus with the time on hold, I still get plenty of work done. :)

    2
  • Mark Wilson

    https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=logitech

    No updates to the CVEs regarding Jeff's ability to replicate the issue with a non-Unifying receiver. I'm guessing they haven't tested it, or haven't bothered reading anyone's responses to this post in a while. I've never seen a support department go into hiding before - it's a remarkable and horrifying thing.

    Called vendor enquiring about refunding/replacing the insecure devices - they pointed us at Logitech.

    Why the hiding, support team? Will you reply some time in August when you've patched ONE of the vulnerabilities and ignored the rest? Will you even respond to the helpful suggestions put forward by other people in this post since Logi Moderator posted and then disappeared?

    1
  • Iain S

    After updating the firmware on my Unifying receiver, my T400 touch mouse has lost middle click functionality. Attempting to reconfigure it via SetPoint doesn't have any effect.

    If I swap out the updated Unifying receiver for an unpatched one, then re-pair my mouse and keyboard, middle mouse functionality is restored.

    4
  • Tuấn Ngô

    My Unifying receiver completely broke after the update; now I cannot connect the mouse to the receiver. My mouse is an M585 and it's fine (I tried to connect it to a new receiver, and it worked perfectly).

    Is there any way to downgrade this firmware? I don't want to buy a new receiver.

    4
  • Marjory Montgomery

    Applying the update BROKE my non-Logitech mouse. I can no longer use the left click menu. I tested by removing the Unifying receiver and the menu returned.

    -1
  • Пожилой хардвэйдер

    Hi, Пожилой хадвэйдер.

    We will consider your appeal as soon as possible.

    Expect.

    0
  • NATWAR CHAUHAN

    THANKS

    0
  • Jeff Jackson

    So, still nothing about the non-Unifying wireless devices you produce.

    I had already decided to switch to Bluetooth when I found out about the unpatched MouseJack in the non-Unifying devices.

    So I have one more Logitech product. An M535. My keyboard's a Nintendo Bluetooth keyboard that was included with a Pokemon game.

    I'm not buying any more Logi/Logitech products if this remains unfixed. (Yes, Bluetooth isn't much better, but it's more of a pain to take advantage of than your 2.4GHz wireless protocol.)

    Maybe explaining it better will help. For a hacker or any techie malcontent, this is just as bad as leaving your OS unpatched and your WiFi open.

    With the ability to enter keystrokes one can easily execute a hidden, hacker-friendly shell that runs in the background. Once that happens, your actual wifi keys aren't safe, your usernames/passwords aren't safe, your webcam and mic aren't safe, the keystrokes you enter aren't safe. Your whole organization can be destroyed from the inside with just one unpatched logi dongle.

    Or an unpatched printer, but that's unrelated to Logitech.

    Even better, the malcontents aren't necessarily limited to the same range you get with your keyboard/mouse because there's a software-defined radio with an external antenna that you can buy - I think it's called CrazyRadio - that works just as well as a modified logitech dongle to inject keystrokes wirelessly, with probably an additional 10m of range.

    Even if you have to hire more techies to code new firmware for ALL of your wireless devices, you need to do it, or you're going to lose a ton of corporate sales.

    1
  • Mark Wilson

    Hi Jeff,

    I've reiterated your issue to Logi helpdesk staff over and over again. I've finally managed to have them repeat the issues back to me as they write the ticket - including the non-Unifying issue - so the issue has finally been recorded correctly, at least. I spoke to Dale in level 3 support, who actually understood the problem when described to him, and seemed as concerned as I was.

    That was about a week ago, and I've had no update on it. They should be freaking out, to be honest.

    In the meantime I've removed my Logi wireless devices, unifying or otherwise, until they clarify the scope of the issue and provide a full fix for all reported vulnerabilities. After this long with such little communication I feel there's not much choice.

    2