Logitech Unifying Receiver Update

Comments

132 comments

  • Official comment
    Ana M

    Hello Everyone,

    A firmware update for the Unifying technology USB receiver was released on the 28th August, 2019. This addresses the reported 'Encryption Key Extraction Through USB' vulnerability (known as CVE-2019-13054/55). 

  • Mark Wilson

    A person trying to replicate these would need expertise and special equipment and to be within 10m range. They would need to act during the few seconds when someone is re-pairing a device to the Unifying receiver, or would need physical access to the target’s device or computer. 

    Regarding the three justifications for deliberately and knowingly leaving this vulnerability in place:

    Expertise: It takes one person to do it. It's been done. Once it's been done by one person it can be done again. Now, this person has given you the opportunity to repair this flaw before someone less ethical is able to exploit it. You've chosen to ignore this opportunity in the majority of these proven exploits - now it's likely just a matter of time before someone less empathetic and ethical achieves the same, thanks to your deliberate and wilful ignorance of the first person's good work.

    Special equipment: 2.4GHz sniffers are not expensive. Here's a documented 2.4GHz hardware-level sniffer project for less than $30 that works over all protocols on that spectrum: http://blog.cyberexplorer.me/2014/01/sniffing-and-decoding-nrf24l01-and.html and that's just in the first few google results

    10m range (Given no signal boosting on the transceiver?): Even a 10m range is significant range of vulnerability. Consider someone in an apartment building - how many strangers live within 10m? Someone with their computer in the front-most room of their house would be within 10m of attackers in a car on the street. The probability of range and nefarious actors coinciding may be low in a residential environment, but that doesn't entirely preclude the extreme vulnerability that you're choosing to ignore.

    Physical access: Physical access restriction should always be maintained for many computing tasks, of course, but many of these vectors don't require physical access at the time of attack, merely a nearby presence at the time of pairing. For physical access restriction and person vicinity to now be a factor that should be considered as a result of these vulnerabilities is a weak workaround and frankly a non-attempt at resolution.

    I'd also add that physical access isn't as cut-and-dry as protecting your dongle or devices physically-connected to your PC. If a malicious colleague or co-resident simply re-pairs your keyboard or mouse in your absence to their receiver, they need only wait and continue sniffing in order to have a guaranteed vector of attack without continuing physical access.

    If you could somehow elaborate on how "this would negatively impact interoperability with other Unifying devices", as you put it, perhaps I could have some sort of empathy for your decision to leave a publicly-documented attack vector go unpatched.

    As a user and purchaser of your Unifying technology at home and work I am eagerly awaiting your response, as it will have an effect on our choice of hardware moving forward.

    9
  • Mark Wilson

    You've taken a deliberate decision to favour legacy devices and retain the vulnerabilities across the entire Unifying system, rather than ensuring the security of current and future devices.

    I have zero empathy for you ACTIVELY-MAINTAINING a risk because your new hardware might be safe at the cost of legacy hardware being incompatible.

    Let's promulgate the security risk instead. That makes much more sense, and shows how valuable your customer's security is to you.

    Given these issues, who do I seek regarding a refund for now-deliberately-vulnerable hardware? And have you considered the implications of continuing to sell these vulnerable devices in countries where consumer law puts the onus on you for the faults you create - and particularly the faults you refuse to repair.

    This is completely unethical.

    8
  • Aaron Rosenfeld

    How about:

    • Creating a patch for the two vulnerabilities that would drop support for legacy devices
    • On patch installation OR on new device installation after patch installation:
        • The installer checks the list of currently installed devices
        • If any of the installed devices are legacy, the installer informs the user of the security/compatibility tradeoff, and lets them choose whether or not to install/rollback the patch
        • If the consumer chooses to eschew the patch in favor of compatibility, link them to a how-to to address the vulnerability at the OS level.

    There. I just pseudocoded a solution.

    I'm pretty sure you guys can implement something like this, instead of expecting your average consumer to make OS settings changes to address your vulnerability.

    8
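The installer decision flow proposed in the comment above, written out as an added example (not Logitech code and not the commenter's own): the installer inventories the paired devices, classifies each as legacy or not, and either installs silently or prompts the user with the tradeoff and, on rollback, hands them the OS-level mitigation page. The device records, the firmware threshold that defines "legacy", and the how-to URL are all constructed placeholders; the dotted version format follows the strings reported elsewhere in this thread.

```python
"""Installer policy: patch security against legacy-device compatibility.
Added example, not vendor code. Device list, LEGACY_BELOW threshold and the
how-to URL are constructed/hypothetical values."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class PairedDevice:
    name: str
    firmware: str  # dotted triplet as reported by the receiver, e.g. "012.011.00032"


# Hypothetical threshold: a device whose firmware sorts below this is treated
# as legacy, i.e. it would stop working once the patched receiver firmware is applied.
LEGACY_BELOW = "024.000.00000"

# Placeholder, not a real Logitech page: where to send users who keep compatibility.
OS_MITIGATION_HOWTO = "https://example.invalid/unifying-os-hardening"


def parse_fw(version: str) -> Tuple[int, int, int]:
    """Parse 'MMM.mmm.bbbbb' into a tuple that compares numerically.
    Rejects anything that is not exactly three numeric fields."""
    parts = version.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed firmware version: {version!r}")
    major, minor, build = (int(p) for p in parts)
    return (major, minor, build)


def is_legacy(device: PairedDevice) -> bool:
    """Step 1: classify a single paired device against the threshold."""
    return parse_fw(device.firmware) < parse_fw(LEGACY_BELOW)


def plan_update(devices: List[PairedDevice]) -> Dict[str, object]:
    """Step 2: inspect the current device inventory. With no legacy devices the
    patch installs unattended; otherwise the user must be shown the tradeoff."""
    legacy = [d.name for d in devices if is_legacy(d)]
    if not legacy:
        return {"action": "install", "legacy_devices": []}
    return {"action": "prompt", "legacy_devices": legacy}


def apply_choice(plan: Dict[str, object], keep_compatibility: bool) -> Dict[str, object]:
    """Step 3: honour the user's decision once the tradeoff has been presented.
    keep_compatibility=True means roll back (or skip) the patch and point the
    user at the OS-level mitigation; False means accept losing legacy devices."""
    if plan["action"] == "install":
        return {"action": "install", "next": None}
    if keep_compatibility:
        return {"action": "rollback", "next": OS_MITIGATION_HOWTO}
    return {"action": "install", "next": None}


if __name__ == "__main__":
    # Constructed inventory: one current device, one legacy device.
    inventory = [
        PairedDevice("Keyboard A", "024.010.00036"),
        PairedDevice("Mouse B", "012.011.00032"),
    ]
    plan = plan_update(inventory)
    print(plan)
    print(apply_choice(plan, keep_compatibility=True))
```

The version parser is deliberately strict: an installer that silently treats a malformed or missing version string as "current" would skip the prompt for exactly the devices it knows least about, so unparseable input raises rather than defaulting.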
  • John Angelo Carandang

    Wheres the updated link for mac?

    8
  • Alexander7052

    Where can I find the most current firmware for the receiver? ...the one that precedes the one coming out in August?

    6
  • redlogic

    How can I update my unifying receivers for the Mac?

    5
  • Iain S

    After updating the firmware on my Unifying receiver, my T400 touch mouse has lost middle click functionality. Attempting to reconfigure it via SetPoint doesn't have any effect.

    If I swap out the updated Unifying receiver for an unpatched one, then re-pair my mouse and keyboard, middle mouse functionality is restored.

    5
  • Tuấn Ngô

    My Unifying receiver completely broke after the update; now I cannot connect the mouse to the receiver. My mouse is an M585 and it's fine (I tried to connect it to a new receiver, and it worked perfectly).

    Is there any way to downgrade this firmware? I don't want to buy a new receiver.

    5
  • tweetiepooh

    Please ensure there is a method to apply for Linux. Thanks.

    4
  • Toomas Mölder

    We're at the end of August (Aug 27th). Any ETA for the new firmware?

    4
  • Janne Kujanpää

    Why do the last two sentences of the article tell us that the new firmware is not yet available? IMO it should be the first sentence of the article!

    3
  • Mateusz Niepodam

    Is there a way to disable the possibility of re-pairing devices to the dongle completely (permanently), leaving the possibility to connect only with already paired devices? According to the vulnerability finder, "attacker with physical access to device and receiver could manually initiate re-pairing of an already paired device to the receiver, in order to obtain the link-encryption key." (https://github.com/mame82/misc/blob/master/logitech_vuln_summary.md#4-passively-obtain-logitech-unifying-link-encryption-keys-by-capture-of-pairing-rf-only-no-patch-from-vendor). As far as I understand, the functionality from my question would protect from such a vector of attack.

    3
  • Jeff Jackson

    I have a NON-unifying receiver, C-U0010. It appears vulnerable to the MouseJack attack. Was able to write a short 'duckyscript' to tell it to type 'Hi' and it worked just fine.

    I see these updates for Unifying receivers but nothing at all for non-unifying ones. And this receiver was bought this year from the local Target, with an M-R0061.

    Are you intending to leave anyone who chose a mouse with a design on it open to this vulnerability?

    3
  • Mark Wilson

    Hi Jeff,

    I've reiterated your issue to Logi helpdesk staff over and over again. I've finally managed to have them repeat the issues back to me as they write the ticket - including the non-Unifying issue - so the issue has finally been recorded correctly, at least. I spoke to Dale in level 3 support, who actually understood the problem when described to him, and seemed as concerned as I was.

    That was about a week ago, and I've had no update on it. They should be freaking out, to be honest.

    In the meantime I've removed my Logi wireless devices, unifying or otherwise, until they clarify the scope of the issue and provide a full fix for all reported vulnerabilities. After this long with such little communication I feel there's not much choice.

    3
  • Noah Graubart

    Ever since updating the firmware on my receiver, my mouse and keyboard no longer pair. I have tried them with a friend's receiver, and they work fine. Please help me downgrade my firmware to the previous version.

    3
  • Alexander4884

    Why is the update not made available through the Unifying software?

    3
  • ksavage

    The Logitech support page has an invalid HTTP certificate. The error I get back is:

    DLG_FLAGS_SEC_CERT_CN_INVALID. "The hostname in the website's security certificate differs from the website you are trying to visit."

    From a security perspective, this is very bad. It means most people will never get to the support page (because the browser warns them to stay away), and that the support page isn't secure. Definitely something to fix asap.

    2
  • David Pinto

    Hi, I have the CRAFT keyboard ... where can I find the update for Mac?

    2
  • Mark Wilson

    @Jeff

    Thanks for the testing. That's bloody scary.

    @logitech what the hell?

    2
  • Linux User

    1. So far no mention of support for Linux users. 

    2. How about letting the customer choose whether backwards compatibility is something they need rather than leaving everything vulnerable? I'd rather do the security tradeoff decision myself and choose whether to apply an update rather than have you do it for me.

    2
  • JS

    It is very disappointing to read that only one of the three vulnerabilities will be patched. It was bad enough to have to manually update firmware on hundreds of keyboards to remediate the MouseJack vulnerability, now we will need to scrap them all and likely drop Logitech as a supported vendor.

    2
  • Mark Wilson

    Called Logitech support (1800 02 55 44 in Australia) to discuss the matter. They're aware of the general issue. They're seemingly-unconcerned. They certainly aren't aware of the queries we have been posting in this topic. They most definitely weren't aware of Jeff's replication with non-Unifying hardware.

    Have received an email from Art, VP Head of Mainstream Creativity & Productivity, but so far that's just been lip service and reported understanding of our concern. Given his role in the org I was happily-surprised to receive an email from him, but not surprised he hasn't had the time to respond. It's been five days now. I'm assuming his schedule's a bit booked, but I would have appreciated the issue being delegated to someone who was able to discuss the issue or read our updated collective concerns.

    Have called support again today and been told they can't assist because they're just a helpline, and I'm having a hell of a time transferring through to any department other than L1 support, whereas last time they transferred me to a relevant department immediately - that's the luck of the draw on call centre staff, I guess.

    They want to log a ticket and treat it as a support issue; I want to discuss my concerns with someone who actually understands them and is in a position to direct them somewhere immediately useful. The severity of this issue is increasing while the level of communication from Logitech does the opposite.

    Still on the phone with them. I recommend you get the number for your country and directly-relay your concerns to the operator who picks up. Be nice (L1 helpdesk is not a fun job when it's not a L1 issue), but be direct in your demands for a resolution.

    Considering the expense of replacing all wireless Logitech hardware, I've got hours to go yet before the time on the phone costs more than replacing the hardware... plus with the time on hold, I still get plenty of work done. :)

    2
  • Robert Archell

    Thanks for posting Nils. How old is your Unifying Receiver? The reason I ask is because my UR from 2015 did update to 024.010.00036. However, the new UR that came with my new M700 device (which is supposed to have been released in 2018) did not update to 024.010.00036. The Firmware Update kept it at 012.011.00032.

    2
  • Gratefully Medicated

    @RobertArchell

    Same experience with one of my newish UR's.

    New UR (2018) did not update to the new firmware. After two successful updates, FW remains at 012.011.00032.

    I have another 5 older UR's that I need to find and try to update. Will report back when I find them.

    2
  • Alexander4884

    For the second time! Why is the update not made available through the Unifying software? Why not make this update available to all of your customers? Would you care to reply please!

    2
  • Gratefully Medicated

    Bump for an official response from Logitech

    2
  • logi_tim

    Thanks for giving us the Enterprise software to update our receivers! It makes it super easy!

    One more request, please give us a silent Logitech Options installer!

    2
  • AceHunt

    IMPORTANT!

    Lightspeed Gaming Product dongles can be updated with the linked updater to patch the vulnerability, but be aware that you need to RE-PAIR your device afterwards, or the assignments stop working! You'll be able to move the cursor and click, but no assignments / macros will work. If you're still using LGS, it will not find your mouse and / or crash. (GHub isn't doing better, either.)

    You can fix this by using the Logitech Connection Utility to re-pair your device to the dongle!

    This should have been part of the article to begin with, it's kind of important to know...

    2
  • Alexander4884

    Logitech keeps advertising Unifying products as compatible with "macOS 10.xx or higher", but has not updated the Unifying Software in over a year. This is fraud. Logitech stays silent on the matter. This is a bad attitude. In my mind, "Logitech" is a tarnished brand and I will not benefit this company with my money again.

    2