Sustainability Navigation

Logitech Unifying Receiver Update

Pinned

Comments

113 comments

  • Mateusz Niepodam

    Is there a way to disable possibility of re-pairing devices to dongle completely (permanently)- leaving the possibility to connect only with already paired devices? According to vulnerability finder "attacker with physical access to device and receiver could manually initiate re-pairing of an already paired device to the receiver, in order to obtain the link-encryption key." (https://github.com/mame82/misc/blob/master/logitech_vuln_summary.md#4-passively-obtain-logitech-unifying-link-encryption-keys-by-capture-of-pairing-rf-only-no-patch-from-vendor). As far as I understand functionality from my question would protect from such vector of attack.

    1
    Comment actions Permalink
  • ksavage

    The Logitech support page has an invalid HTTP certificate.   The error I get back is:

    DLG_FLAGS_SEC_CERT_CN_INVALID.  "The hostname in the website's security certificate differs from the webite you are trying to visit.   

    From a security perspective, this is very bad.  It means most people will never get to the support page (because the browser warns them to stay away), and that the support page isn't secure.   Definitely something to fix asap.

    1
    Comment actions Permalink
  • Sim Brar

    We have several such devices deployed in our organization to users with mac devices. Where can the mac firmware upgrade be found?

    1
    Comment actions Permalink
  • Mark Wilson

    https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=logitech 

    No updates to the CVEs regarding Jeff's ability to replicate the issue with a non-Unifying receiver. I'm guessing they haven't tested it, or haven't bothered reading anyone's responses to this post in a while. I've never seen a support department go into hiding before - it's a remarkable and horrifying thing.

    Called vendor enquiring about refunding/replacing the insecure devices - they pointed us at Logitech.

    Why the hiding, support team? Will you reply some time in August when you've patched ONE of the vulnerabilities and ignored the rest? Will you even respond to the helpful suggestions put forward by other people in this post since Logi Moderator posted and then disappeared?

     

    1
    Comment actions Permalink
  • Jeff Jackson

    So, still nothing about the non-unifying wireless devices you produce.

    I had already decided to switch to bluetooth when I found out about the unpatched mousejack in the non-unifying devices.

    So I have one more Logitech product. An M535. My Keyboard's a nintendo bluetooth keyboard that was included with a Pokemon game.

    I'm not buying anymore logi/logitech products if this remains unfixed. (Yes, Bluetooth isn't much better, but it's more of a pain to take advantage of than your 2.4GHz wireless protocol)

     

    Maybe explaining it better will help. For a hacker or any techie malcontent, this is just as bad as leaving your OS unpatched and your WiFi open.

    With the ability to enter keystrokes one can easily execute a hidden, hacker-friendly shell that runs in the background. Once that happens, your actual wifi keys aren't safe, your usernames/passwords aren't safe, your webcam and mic aren't safe, the keystrokes you enter aren't safe. Your whole organization can be destroyed from the inside with just one unpatched logi dongle.

    Or an unpatched printer, but that's unrelated to Logitech.

    Even better, the malcontents aren't necessarily limited to the same range you get with your keyboard/mouse because there's a software-defined radio with an external antenna that you can buy - I think it's called CrazyRadio - that works just as well as a modified logitech dongle to inject keystrokes wirelessly, with probably an additional 10m of range.

    Even if you have to hire more techies to code new firmware for ALL of your wireless devices, you need to do it, or you're going to lose a ton of corporate sales.

    1
    Comment actions Permalink
  • Jeff Jackson

    @lain7107

    You can see a non-exhaustive list of MouseJack-vulnerable devices at https://www.bastille.net/research/vulnerabilities/mousejack/affected-devices

    In addition to what's listed I'd say any of their wireless products purchased prior to .. at least June 2017. Give that some time to get rid of old stock and have new stock on the shelves.

    Or just look at what the updated firmware numbers are, open... was it setpoint or the unifying pairing software, and look at the dongle's current fw number. And if it's not one of those it's vulnerable.

    I just bought my vulnerable non-unifying mouse in January of this year. So, I think all non-unifying receivers are probably vulnerable.

    My SO bought a k400 within the past month - also from the local Target - And the receiver came with the patch. So there's that at least.

    @Mark: I'm glad they finally know about the issue, for sure. I've just kinda been thinking they've been pointedly ignoring non-unifying because it'd be even more difficult to push updates for all of those too. Or maybe they can't be updated because they're afraid one would be able to flash a non-unifying dongle with a unifying firmware or something.

    They definitely should be freaking out since this is a huge vulnerability and I'm sure hundreds of thousands of vulnerable devices are already out in the wild. The only reason they're still getting sales is because major news networks haven't made segments about it, so the people in-the-know are limited.

    1
    Comment actions Permalink
  • Janne Kujanpää

    Looks like unifying software got update and there is now update firmware button. SADLY:

    1. Newest version crash on OS X
    2. Windows version failed to update dongle firmware from 012.001.00019 to 012.008.00030. No error messages it seems to fail do its job properly.

    Not worth of updating because of those two and because there is not fixed firmware available for the newest vulnerability.

    1
    Comment actions Permalink
  • Yves Hanselmann

    Hey everyone

    I have an other Problem which would be a great risk.

    We cant silent install the newer Versions of the Logitech Options Software.

    The older ones we could silent install but at some Point they scrapt this feature.

    How do you guys make sure that the software is up to date?

    We have 150 PC with the Software on in and manual update is not an Option.

    Thanks for the reply.

    1
    Comment actions Permalink
  • Yves Hanselmann

    Hello Kirill

    Thanks for the reply. 

    Can you explain me what you do with the logon script?

    The Install file has no Silent key (/S /Silent /qn, ,...) and i don't know how to make it silent.

    (Support didn't answer me 5 Times and on the last Ticket about this they reply after 3 Weeks with the Message "It doesnt work" )

    Thank you very much 

    really appreciate it

    1
    Comment actions Permalink
  • logi_tim

    I'm also very interested in the ETA for the new firmware.

    Why is there no enterprise updated for Logitech Options software? That requires interactive admin install? Who let's their users be admins these days?

    1
    Comment actions Permalink
  • Robert Archell

    I have the MK700 keyboard and M705 mouse (circa 2015). On 2019.08.29 I downloaded the firmware update tool (v1.2.169_x64) and ran the update without any issues. The firmware for the Unifying Receiver showed as being v024.010.00036.

    On 2019.08.30 I replaced a problematic M705 mouse (not caused by the above) with a new M705 mouse that came with a new Unifying Receiver. I went through the process of unpairing the old devices from the old UR, installed the new UR and paired the old MK700 and new M705 devices to the new UR. All went well.

    I noticed that the firmware for the new UR was v012.011.00032 so I ran the the firmware update tool once again. After the process completed successfully, the firmware version for the UR is still showing as v012.011.00032.

    This question becomes, should I be concerned that the firmware tool did not update the new UR?

    1
    Comment actions Permalink
  • Nils

    @Robert Archell

    I got mine early 2017.

    Through a German site I found a link to Logitech firmware repository on GitHub.

    https://github.com/Logitech/fw_updates/tree/update2019-08-27

    It should confirm our Unifying Receivers, both of 012 and 024 firmware type, are at the latest version (browse through RQR12->RQR12.11).

    Why there are two different types appears be by the chip used, RQR12 for Nordic Semiconductor, RQR24 for Texas Instruments, but please don't quote me on that.

    1
    Comment actions Permalink
  • Logi Moderator

    Hi Ian Kim,

    If your mouse has a Unifying Logo at the bottom, you can pair it with the Unifying receiver. You can check this link for the receiver: Unifying Receiver

     

    Please let me know if you need further assistance.

     

    Warm regards, 

    Logi_Elie

    1
    Comment actions Permalink
  • Heather Cook

    I'm trying to update the firmware on mac but when I download the updating "tool" I get a folder called "Mac_Script_DFU_Tool" with instructions for IT Managers/Administrators. I bought this mouse for personal use. Do you have instructions on how to use this as a layman?

    1
    Comment actions Permalink
  • Jakob Skurdal

    Logitech Unifying Receiver Firmware Update tool for PC: https://download01.logi.com/web/ftp/pub/techsupport/keyboards/SecureDFU_1.0.48.exe

    1
    Comment actions Permalink
  • Daniel Catherall

    I have a rather irritating issue with the Unifying Software that’s built into the Logitech Options application. I use my PC for mainly gaming purposes and so when playing these games I have them in full screen. Every time I’m playing a game with my game controller and my MX Master 2S turned off, without fail after 10-15 minutes of playing the Unifying Software hijacks me out of my game in full screen to show the unifying icon in the task bar and then disappears seconds later when I turn my mouse back on. It’s rather frustrating for me because it happens every time and if I’m heavily engrossed in the game or it’s a competitive match online this ruins the experience for me. Is there any way I can avoid this from reoccurring? I’ve checked the settings of the software and can’t see any options close to what I’m seeing.

    1
    Comment actions Permalink
  • mbalcerak

    Where is the link to the "computing privacy guidelines" mentioned above? 

    0
    Comment actions Permalink
  • Пожилой хардвэйдер

    Hi, Пожилой хадвэйдер.

    We will consider your appeal as soon as possible.

    Expect.

    0
    Comment actions Permalink
  • NATWAR0290

    THANKS

    0
    Comment actions Permalink
  • Iain S

    What's the simplest way to check if your devices are susceptible? Could I use a Crazyradio transceiver to scan all devices attached to my company's computers or is it a manual process? I'd rather bin any affected adapters rather than run the risk of exploits.

    0
    Comment actions Permalink
  • Iain S

    @Jeff Jackson

    We make use of lots of equipment in a number of offices, and currently have a flexible BYOD policy for input devices, so MouseJack is a concern for us. Being able to periodially sweep an entire office as part of a security review will allow us to check for potential issues without needing to pysically inspect each device. 

    While there do appear to be some problems with Logitech's process, at least the Unifying adaptors are patchable. IMO the bigger problem appears to be with non-Unifying devices which cannot be fixed, only binned.

    I guess the only way to be sure would be to try and run the exploit myself.

    0
    Comment actions Permalink
  • Olav R.4346

    We're mid august. Any ETA for the new firmware?

    0
    Comment actions Permalink
  • geomguy

    Hope the Aug update will fix my problem.

    Must Unplug Receiver Every Restart/Sleep

    M570 and M510 ... must unplug/plug-in receiver/dongle every time before they show up in Control Center.

    This means if I don't do that my Configuration settings don't work...

    This is new with my new Mac Mini w/OS 10.14.5 and .6

    Did not do this with my MB Pro (2016) with 10.14.5

    Difference between my Mac's may be the new T2 chip.

     

    0
    Comment actions Permalink
  • Kirill Boronin

    Yves, I've used GPO logon script.

    0
    Comment actions Permalink
  • Kirill Boronin

    Ah, sorry, didn't notice you speak of different subject.

    I talked about updating receiver fw with logon script.

    For software installation we use SCCM. There are other options, of course.

    0
    Comment actions Permalink
  • Iain S

    The latest 012.008.00032 update is no use to me, my T400 is still only partially functional since I originally updated to the 012.008.00030 firmware.

    0
    Comment actions Permalink
  • Jeff Jackson

    Hello, it's me again.

    I was hoping Logi Moderator could clarify Logi's position on non-unifying receivers. As non-unifying products may make more sense to some consumers. They may think "Unifying, what's that? Why doesn't this other one have unifying? Well this other one that doesn't have unifying has a neat design that I like, so I'll get that." Not knowing that buying a non-unifying product will make their computer vulnerable.

    Or they may know what Unifying is, and decide they don't need it because they only need the one peripheral. 

    0
    Comment actions Permalink
  • mazen

    logitech please help me i lost me Logitech Unifying Receiver for g pro i can't use my mouse with out that receiver please help me 

    0
    Comment actions Permalink

Please sign in to leave a comment.