Sustainability Navigation

Logitech Unifying Receiver Update

Pinned

Comments

111 comments

  • Official comment
    Ana M

    Hello Everyone,

    A firmware update for the Unifying technology USB receiver was released on the 28th August, 2019. This addresses the reported 'Encryption Key Extraction Through USB' vulnerability (known as CVE-2019-13054/55). 

     

    Comment actions Permalink
  • Mark Wilson

    You've taken a deliberate decision to favour legacy devices and retain the vulnerabilities across the entire Unifying system, rather than ensuring the security of current and future devices.

    I have zero empathy for you ACTIVELY-MAINTAINING a risk because your new hardware might be safe at the cost of legacy hardware being incompatible.

    Let's promulgate the security risk instead. That makes much more sense, and shows how valuable your customer's security is to you.

    Given these issues, who do I seek regarding a refund for now-deliberately-vulnerable hardware? And have you considered the implications of continuing to sell these vulnerable devices in countries where consumer law puts the onus on you for the faults you create - and particularly the faults you refuse to repair.

     

    This is completely unethical.

    8
    Comment actions Permalink
  • Mark Wilson

    A person trying to replicate these would need expertise and special equipment and to be within 10m range. They would need to act during the few seconds when someone is re-pairing a device to the Unifying receiver, or would need physical access to the target’s device or computer. 

    Regarding the three justifications for deliberately and knowingly leaving this vulnerability in place:

    Expertise: It takes one person to do it. It's been done. Once it's been done by one person it can be done again. Now, this person has given you the opportunity to repair this flaw before someone less ethical is able to exploit it. You've chosen to ignore this opportunity in the majority of these proven exploits - now it's likely just a matter of time before someone less empathetic and ethical achieves the same, thanks to your deliberate and wilful ignorance of the first person's good work.

    Special equipment: 2.4GHz sniffers are not expensive. Here's a documented 2.4GHz hardware-level sniffer project for less than $30 that works over all protocols on that spectrum: http://blog.cyberexplorer.me/2014/01/sniffing-and-decoding-nrf24l01-and.html and that's just in the first few google results

    10m range (Given no signal boosting on the transceiver?): Even a 10m range is significant range of vulnerability. Consider someone in an apartment building - how many strangers live within 10m? Someone with their computer in the front-most room of their house would be within 10m of attackers in a car on the street. The probability of range and nefarious actors coinciding may be low in a residential environment, but that doesn't entirely preclude the extreme vulnerability that you're choosing to ignore.

    Physical access: Physical access restriction should always be maintained for many computing tasks, of course, but many of these vectors don't require physical access at the time of attack, merely a nearby presence at the time of pairing. For physical access restriction and person vicinity to now be a factor that should be considered as a result of these vulnerabilities is a weak workaround and frankly a non-attempt at resolution.

    I'd also add that physical access isn't as cut-and-dry as protecting your dongle or devices physically-connected to your PC. If a malicious colleague or co-resident simply re-pairs your keyboard or mouse in your absence to their receiver, they need only wait and continue sniffing in order to have a guaranteed vector of attack without continuing physical access.

    If you could somehow elaborate on how "this would negatively impact interoperability with other Unifying devices", as you put it, perhaps I could have some sort of empathy for your decision to leave a publicly-documented attack vector go unpatched.

    As a user and purchaser of your Unifying technology at home and work I am eagerly awaiting your response, as it will have an effect on our choice of hardware moving forward.

    7
    Comment actions Permalink
  • John Angelo Carandang

    Wheres the updated link for mac?

    7
    Comment actions Permalink
  • Aaron Rosenfeld

    How about:

    • Creating a patch for the two vulnerabilities that would drop support for legacy devices
    • On patch installation OR on new device installation after patch installation:
    • The installer checks the list of currently installed devices
    • If any of the installed devices are legacy, the installer informs the user of the security/compatibility tradeoff, and lets them choose whether or not to install/rollback the patch
    • If the consumer chooses to eschew the patch in favor of compatibility, link them to a how-to to address the vulnerability at the OS level.

    There. I just pseudocoded a solution.

    I'm pretty sure you guys can implement something like this, instead of expecting your average consumer to make OS settings changes to address your vulnerability.

    6
    Comment actions Permalink
  • Alexander7052

    Where can i find the most current firmware for the receiver? ...the one that procedes the one coming out in august?

    5
    Comment actions Permalink
  • redlogic

    How can I update my unifying receivers for the Mac?

    5
    Comment actions Permalink
  • Iain S

    After updating the firmware on my Unifying receiver, my T400 touch mouse has lost middle click functionality. Attempting to reconfigure it via SetPoint doesn't have any effect.

    If I swap out the updated Unifying receiver for an unpatched one, then re-pair my mouse and keyboard, middle mouse functionaity is restored.

    5
    Comment actions Permalink
  • Tuấn Ngô

    My unifying receiver completely broke after the update, now i cannot connect the mouse to the receive. My mouse is M585 and it's fine (i tried to connect it to a new receiver, it worked perfectly).

    Is there anyway to downgrade this firmware? I don't want to buy a new receiver.

    5
    Comment actions Permalink
  • tweetiepooh

    Please ensure there is a method to apply for Linux.  Thanks.

    4
    Comment actions Permalink
  • Toomas Mölder

    We're in end of August (Aug 27th). Any ETA for the new firmware?

    4
    Comment actions Permalink
  • Jeff Jackson

    I have a NON-unifying receiver, C-U0010. It appears vulnerable to the MouseJack attack. Was able to write a short 'duckyscript' to tell it to type 'Hi' and it worked just fine.

    I see these updates for Unifying receivers but nothing at all for non-unifying ones. And this receiver was bought this year from the local Target, with an M-R0061.

    Are you intending to leave anyone who chose a mouse with a design on it open to this vulnerability?

    3
    Comment actions Permalink
  • Mark Wilson

    Hi Jeff,

    I've reiterated your issue to Logi helpdesk staff over and over again. I've finally managed to have them repeat the issues back to me as they write the ticket - including the non-Unifying issue - so the issue has finally been recorded correctly, at least. I spoke to Dale in level 3 support, who actually understood the problem when described to him, and seemed as concerned as I was.

    That was about a week ago, and I've had no update on it. They should be freaking out, to be honest.

    In the meantime I've removed my Logi wireless devices, unifying or otherwise, until they clarify the scope of the issue and provide a full fix for all reported vulnerabilities. After this long with such little communication I feel there's not much choice.

    3
    Comment actions Permalink
  • Noah Graubart

    Ever since updating the firmware on my receiver, my mouse and keyboard no longer pair.  I have treid them with a friend's receiver, and they work fine.  Please help me downgrade my firmware to the previous version.

    3
    Comment actions Permalink
  • Alexander4884

    Why is the update not made available through the Unifying software?

    3
    Comment actions Permalink
  • Janne Kujanpää

    Why two last sentences of the article tells that new firmware is not yet available? IMO it should be first sentence of the article!

    2
    Comment actions Permalink
  • David Pinto

    Hi, I have the CRAFT keyboard ... where can I find the update for mac ?

    2
    Comment actions Permalink
  • Mark Wilson

    @Jeff

    Thanks for the testing. That's bloody scary.

     

    @logitech what the hell?

    2
    Comment actions Permalink
  • Linux User

    1. So far no mention of support for Linux users. 

     

    2. How about letting the customer choose whether backwards compatibility is something they need rather than leaving everything vulnerable? I'd rather do the security tradeoff decision myself and choose whether to apply an update rather than have you do it for me.

    2
    Comment actions Permalink
  • JS

    It is very disappointing to read that only one of the three vulnerabilities will be patched. It was bad enough to have to manually update firmware on hundreds of keyboards to remediate the MouseJack vulnerability, now we will need to scrap them all and likely drop Logitech as a supported vendor.

    2
    Comment actions Permalink
  • Mark Wilson

    Called Logitech support (1800 02 55 44 in Australia) to discuss the matter. They're aware of the general issue. They're seemingly-unconcerned. They certainly aren't aware of the queries we have been posting in this topic. They most definitely weren't aware of Jeff's replication with non-Unifying hardware.

    Have received an email from Art, VP Head of Mainstream Creativity & Productivity, but so far that's just been lip service and reported understanding of our concern. Given his role in the org I was happily-surprised to receive an email from him, but not surprised he hasn't had the time to respond. It's been five days now. I'm assuming his schedule's a bit booked, but I would have appreciated the issue being delegated to someone who was able to discuss the issue or read our updated collective concerns.

    Have called support again today and been told they can't assist because they're just a helpline, and I'm having a hell of a time transferring through to any department other than L1 support, whereas last time they transferred me to a relevant department immediately - that's the luck of the draw on call centre staff, I guess.

    They want to a ticket and treat it as a support issue; I want to discuss my concerns with someone who actually understands them and is in a position to direct them somewhere immediately-useful. The severity of this issue is increasing while the level of communication from Logitech does the opposite.

    Still on the phone with them. I recommend you get the number for your country and directly-relay your concerns to the operator who picks up. Be nice (L1 helpdesk is not a fun job when it's not a L1 issue), but be direct in your demands for a resolution.

    Considering the expense of replacing all wireless Logitech hardware, I've got hours to go yet before the time on the phone costs more than replacing the hardware.. plus with the time on hold, I still get plenty of work done. :)

    2
    Comment actions Permalink
  • Robert Archell

    Thanks for posting Nils. How old is your Unifying Receiver? The reason I ask is because my UR from 2015 did update to 024.010.00036. However, The new UR that came with my new M700 device (which is supposed to have been released in 2018) did not update to 024.010.00036. The Firmware Update kept it at 012.011.00032.

    2
    Comment actions Permalink
  • Gratefully Medicated

    @RobertArchell

    Same experience with one of my newish UR's.

    New UR (2018) did not update to the new firmware. After two successful updates, FW remains at 012.011.00032.

    I have another 5 older UR's that I need to find and try to update. Will report back when I find them.

    2
    Comment actions Permalink
  • Alexander4884

    For the second time! Why is the update not made available through the Unifying software? Why not make this update available to all of your customers? Would you care to reply please!

    2
    Comment actions Permalink
  • Gratefully Medicated

    Bump for an official response from Logitech

    2
    Comment actions Permalink
  • logi_tim

    Thanks for giving us the Enterprise software to update our receivers! It makes it super easy!

    One more request, please give us a silent Logitech Options installer!

    2
    Comment actions Permalink
  • AceHunt

    IMPORTANT!

    Lightspeed Gaming Product dongles can be updated with the linked updater to patch the vulnerability, but be aware that you need to RE-PAIR your device afterwards, or the assignements stop working! You'll be able to move the cursor and click, but no assignments / macros will work. If you're still using LGS, it will not find your mouse and / or crash. (GHub isn't doing better, either.)

    You can fix this by using the Logitech Connection Utility to re-pair your device to the dongle!

    This should have been part of the article to begin with, it's kind of important to know...

    2
    Comment actions Permalink
  • Alexander4884

    Logitech keeps advertising Unifying products as compatible with "macOS 10.xx or higher", but has not updated the Unifying Software in over a year. This is fraud. Logitech stays silent on the matter. This is a bad attitude. In my mind, "Logitech" is a tarnished brand and I will not benefit this company with my money again.

    2
    Comment actions Permalink
  • Stuart Marinus

    I have no access to this pager??? can someone post an updated link please??

    For PC or Mac users: You can download a simple updating tool here: https://support.logi.com/hc/articles/360035037273

    2
    Comment actions Permalink
  • Logi Moderator

    Hi Alexander7052,

    Two of the vulnerabilities (known as CVE-2019-13053 and CVE-2019-13052) would be difficult for an attacker to exploit and can be effectively protected against by applying the computing privacy guidelines above. We won’t address these with a firmware update as this would negatively impact interoperability with other Unifying devices.  However, we take security very seriously and we recommend our customers update their wireless Unifying USB receivers to our current latest firmware. 

    We are actively working on a further firmware update that will address the third vulnerability (known as CVE-2019-13054/55). We expect this to be available for all applicable devices in August, 2019. We will update this page with more information at that time.

     

    Warm Regards,

    Logi_Elie

    1
    Comment actions Permalink

Please sign in to leave a comment.