Logitech Unifying Receiver Update
- For PC or Mac users: You can download a simple updating tool here: https://support.logi.com/hc/articles/360035037273
- Enterprise customers: You can download a centrally deployable tool for PC here: https://download01.logi.com/web/ftp/pub/techsupport/keyboards/Script%20DFU%20Tool.zip (Mac support will be added shortly)
______________________________________________________________
Earlier this year a security researcher approached Logitech regarding three potential vulnerabilities related to Logitech’s Unifying Receiver. We have been in communication with him since to assess the risks associated with these findings and ways of addressing them.
We’d like to first reassure you that this research was conducted in a controlled environment. The vulnerabilities would require special equipment and skills, as well as proximity to - or even physical access to - the target’s computer or device.
People who are concerned about their privacy should take note of and apply the computing security measures described in the Q&A below.
We are actively working on a firmware update that will address one of the vulnerabilities and expect it to be available for download in August, 2019. We will update this post as soon as it becomes available for download!
We take our customers’ privacy very seriously, and these findings help us to continually improve our products.
Q: What are the vulnerabilities reported by the security researcher?
A: Three potential vulnerabilities were reported. Two of them relate to extracting the encryption key that secures the communication between the Logitech device and the Logitech Unifying USB receiver. The third one relates to overcoming the barriers to keystroke injection between the device and the USB receiver.
A person trying to replicate these would need expertise and special equipment and to be within 10m range. They would need to act during the few seconds when someone is re-pairing a device to the Unifying receiver, or would need physical access to the target’s device or computer.
Q: How should I protect my privacy when using my Logitech products?
A: You can protect your privacy by applying some basic principles as you use your computer and your Logitech products.
First and foremost, follow the common-sense security measures that are found in a typical office or home and don’t ever let strangers physically access or tamper with your computer or input devices.
Secondly, all our Unifying devices are securely paired to a wireless receiver when they are produced and pairing is not required thereafter. However, the ability to pair a second, third or fourth device to a single USB receiver is one of the advantages of our Unifying wireless technology so we enable it through a simple piece of software. If you have to pair a device to a Unifying receiver, this procedure could allow a hacker - with the right equipment and skills, and physically close to your computer - to “sniff” the encryption key. So this brief procedure should only be done when absolutely certain that there is no suspicious activity within 10m/30ft.
Note, if your device stops working, this is never because of a loss of pairing to the USB receiver so re-pairing is not required to troubleshoot.
Q: Which Logitech products are concerned by these reports?
A: Mice and keyboards using Logitech’s Unifying wireless protocol. You can identify Unifying products by a small orange logo on the wireless USB receiver, featuring a shape with six points. The Spotlight presentation remote and R500 presenter are also impacted.
In addition, Logitech’s Lightspeed gaming products are concerned by the encryption key extraction vulnerabilities.
Q: Can I install a firmware upgrade to protect me against this? How?
A: Two of the vulnerabilities (known as CVE-2019-13053 and CVE-2019-13052) would be difficult for an attacker to exploit and can be effectively protected against by applying the computing privacy guidelines above. We won’t address these with a firmware update as this would negatively impact interoperability with other Unifying devices.
However, we take security very seriously and we recommend our customers update their wireless Unifying USB receivers to the latest firmware. We are actively working on a firmware update that will address the third vulnerability (known as CVE-2019-13054/55). We expect this to be available for all applicable devices in August, 2019 and we will update this page with more information at that time.
- For PC or Mac users: You can download a simple updating tool here: https://support.logi.com/hc/articles/360035037273
- Enterprise customers: You can download a centrally deployable tool for PC here: https://download01.logi.com/web/ftp/pub/techsupport/keyboards/Script%20DFU%20Tool.zip (Mac support will be added shortly)
- Linux users: Our latest firmware has been submitted to the Linux Vendor Firmware Service and will be available at https://fwupd.org/.
-
After running the Firmware Update Tool my K400 Plus is now at firmware version 063.002.00016, according to Logitech Options. Is this the firmware with the security fixes?
I'm asking because the article says the update was released 28th August, yet the update tool has a last-updated date of 20th August and it didn't appear to be making an internet connection when run.
-
@Ian Kim, I can't tell for sure, but it's possible that it works with the Unifying Receiver. According to questions at Amazon (link follows sentence), it does. It sounds like it didn't necessarily come with a Unifying Receiver but it's supposedly "Unifying Receiver ready". You'll have to use Logitech's pairing program to pair the mouse to the receiver when you get one. https://www.amazon.com/Logitech-Wireless-Mouse-M320-Black/dp/B00O23IQ66
-
Yes. They've simply become too big. While their hardware is some of the best in quality and design, everything else following that, especially noticeable in support and services for anyone smaller than other behemoths like Microsoft, is absolutely fracking abysmal.
Their website won't let me file a ticket, even. On day 2, I went with it, just to see how ridiculous it could get, and after 4 hours (!) I finally managed to file something, which was an empty ticket. It only worked because of the funny little "chat" bot popping up in the bottom right corner when you wait long enough on a support website, which itself just does not work at all. By design, or massive incompetence, none of which looks good on them. Replying to that confirmation mail was required to fill in what the ticket was actually about. Sometimes, I'm just flat out unable to log in, the process just halts before loading the actual log in form.
By the end of the 4 hours I had finally found comments of the community itself, pointing me towards tools and solutions I've never ever heard about from the official support before, despite having massive problems for years. They rather threw 2 replacement products 180 bucks each at me, than tell me how to solve my problem.
By the end of that 4h run of trying to file a ticket, my intended bug report had been indirectly resolved by the community and I instead filed a ticket with the solution to be added to the above article, and had confirmation in mails they'd do that. Nothing happened, and I made my comment above in hopes someone might find it. The article's still not updated with the information that fixes a "quasi-bricked" Logitech product after updating it following the instructions and links in this article.
Love the hardware. But if it doesn't work, and you're left alone with your issues, the time you spend trying to get their shit to work as intended becomes a price that's just not worth paying.
-
Hello, I recently updated my MX ANYWHERE 2S mouse to this August firmware version NO. 13.0000.13 or something close, but since this update, my mouse is not as accurate as before, with a lot of frame skipping, especially when operating on a glass surface. Then I went to the local Logi service center, and they replaced my former mouse with a new one, but updated the firmware to the latest..... I asked them not to do this because I'm afraid that the problem is caused by this latest update, but they insisted on doing it, and just as I worried, shit happened: it is not moving precisely and is frame skipping like my old mouse. My old mouse had been purchased not long ago, the production date was 18 weeks of 2019, so I'm afraid if Logitech can provide me a firmware that rolls back to the previous version, or can you check and revise? Thanks
-
@QingquanKuang
This may be unrelated, but my Anywhere MX (original, not the 2S) started freezing occasionally after updating the firmware on its Unifying receiver. These problems went away if I connected the Unifying receiver to my PC via the hub in my monitor, rather than the ports in the computer. I'm not sure why.
-
Y'all try out what I wrote above in the comment starting with "IMPORTANT", using the Connection Utility, it solved my problems with my updated G900. Let us know if that helps your cases.
-
@AceHunt I followed your instructions on re-pairing the mouse. It seemed fine already, but I'm not sure if it has already 100% recovered; it just feels better than before. Thank you. @Iain7107, I suggest you try it; mine works smoother than before, better than doing nothing at all.
-
My K545 keyboard frequently just stops working, meaning while I'm typing, it's not putting any letters on the screen! I read somewhere if you install the old Setpoint software it may resolve this issue. I'm wondering if I need to uninstall any other software prior to installing Setpoint. My mouse is MK Master2S. Thanks for your help! Debbie
-
Can someone please answer this person's question?
Non unifying dongle
Model: C-U0010
Firmware: 029.001.00016
How do we update the firmware?
Jeff Jackson -8 months ago
I have a NON-unifying receiver, C-U0010. It appears vulnerable to the MouseJack attack. Was able to write a short 'duckyscript' to tell it to type 'Hi' and it worked just fine.
I see these updates for Unifying receivers but nothing at all for non-unifying ones. And this receiver was bought this year from the local Target, with an M-R0061. Are you intending to leave anyone who chose a mouse with a design on it open to this vulnerability?
-
I have two Logitech T400 mice. After updating the USB receiver, the middle front click (of Touch Zone) does not work to open the link in a new tab. My most used function is now disabled.
The same issue was written 1 year ago.
How do you support your products? Why hasn't the problem been solved for 1 year?