Logitech Response to Research Findings
In 2016, researchers from Bastille Security found potential vulnerabilities in products from a number of mouse manufacturers, including two potential vulnerabilities with Logitech’s Unifying receiver and two with the G900 gaming mouse. The Unifying receiver allows you to connect multiple compatible keyboards and mice to a laptop or desktop computer with a single USB receiver. The Logitech G900 is a professional grade gaming mouse.
Bastille Security approached us regarding their work, and we were in regular communication with them to discuss their findings. Bastille Security identified the vulnerabilities in a controlled, experimental environment. The vulnerabilities would be complex to replicate and would require a hacker to be physically close to a target. It’s therefore an unlikely path of attack.
To our knowledge, we have never been contacted by any consumer with the issues reported by Bastille. We nonetheless take Bastille Security’s work - and our customers’ security - seriously. We developed firmware updates to address the vulnerabilities.
Customers who want to make sure their firmware is up to date can download the updates below.
For Logitech’s G900 gaming mouse:
http://www.logitech.com/pub/techsupport/gaming/G900Update_1.5.23.exe
For Logitech’s Unifying receiver:
Mac: https://aws13-customer-care-assets.s3.amazonaws.com/Software/SecureDFU/Mac/SecureDFU.zip
PC: https://aws13-customer-care-assets.s3.amazonaws.com/Software/SecureDFU/Win/SecureDFU_48.exe
Note: if you have K780 MULTI-DEVICE WIRELESS KEYBOARD, K375s MULTI-DEVICE KEYBOARD, WIRELESS TOUCH KEYBOARD K400 PLUS, MK850 PERFORMANCE or ILLUMINATED LIVING-ROOM KEYBOARD K830 connected with your Unifying receiver, the tool will guide you to update the firmware on the keyboard as well.
Logitech’s Unifying technology was launched in 2007 and has been used by millions of our consumers since. To our knowledge, we have never been contacted by any customer with such an issue related to this potential vulnerability.
-
Thanks to Logitech for developing a fix. But it should have been easier. The regular Unifying software had a Check for Updates button, but never offered this fix. I fancy myself a power user and it still took me about 10 minutes to find this after reading about this vulnerability on a random IT news website.
-
This firmware update is incomplete
I have 9 Unifying Dongles
1 x 012.000.00017 M/N: C-U0003 (Updated to 012.008.00030 fine with SecureDFU_48.exe)
2 x 012.001.00019 M/N: C-U0003 (Won't update with SecureDFU_48.exe)
2 x 012.001.00019 M/N: C-U0007 CE Stamp (Won't update with SecureDFU_48.exe)
2 x 013.000.00026 M/N: C-U0004 (Won't update with SecureDFU_48.exe)
2 x 024.000.00018 M/N: C-U0008 CE Stamp (Updated to 024.006.00030 fine with SecureDFU_48.exe)
the 4 devices on
Version: RQR12.01_B0019
VersionBootloader: BOT01.02_B0014
It's an omission on your part; I updated them on Linux to
Version: RQR12.07_B0029
VersionBootloader: BOT01.02_B0014
then proceeded to update with SecureDFU_48.exe on windows to
Version: RQR12.08_B0030
VersionBootloader: BOT01.02_B0014
With regards to my 2 x 013.000.00026 M/N: C-U0004
you seem to have not released any firmware for them
can we get a firmware for
013.000.00026
-
Hi all!
is this hardware vulnerability still present in the newer models of unifying receivers? (2018 Models M/N:C-U0012)
Did they change the hardware design of these newer receivers to shut the hole, or are they "only" firmware patched (and might therefore still be vulnerable....)?
-
I am supposed to download and run an executable from some random S3 bucket because a link was posted by some person who may or may not be a Logitech employee?! No way am I doing that.
I guess this is the kind of security that I should expect from a company that sells wireless mice that let attackers send arbitrary keystrokes.
Seriously Logitech, put this with the rest of your downloads here https://support.logitech.com/en_us/downloads
Until this is fixed, my beloved M570 is sitting on a shelf and I am not buying any more Logitech products.
-
Hello @Robert Frapples?
This is LogiLaurie, the Community Admin.
I understand your concern and thank you for your feedback.
The potential vulnerability is a difficult and unlikely path of attack. We've never, to our knowledge, been contacted by a customer with an issue related to this. Nonetheless, we take security seriously and are working to investigate this further.
The Amazon S3 bucket is a secure storage service used by Logitech and we will take into consideration your feedback on adding it on the downloads page.
Best regards,
LogiLaurie
Community Admin
-
@Laurie Corona?
I appreciate the confirmation. I must, however, notify you of a corporate fallacy of claiming not to have received complaints. Not only is the problem identification rate very low, but companies also avoid mass communication they can't handle. It probably took an article on a high-impact news server for you to notice. Thousands of individual e-mails would never be taken into account.
@Robert Frapples?
That purist attitude just doesn't work. Maybe if you're only doing new machines with all support media included.
-
@Laurie Corona?
Deploying Logitech software (Options) and these firmware updates in an enterprise environment is terrible! IT administrators have to jump through hoops to identify and update this stuff. Can you push the idea of silent installs to the dev team?
Also, we have to track these vulns and remediate them to comply with audits! Yeah, this may be a super unlikely and hard to implement attack but auditors don't care!
-
"To our knowledge, we have never been contacted by any consumer with the issues reported by Bastille..." --@Laurie Corona?
Hi. I'm a consumer. But I also work in I.T. We got mouse-jacked. Luckily, the pen tester was hired by us. He executed several scripts without ever exposing his Raspberry Pi hidden in a clipboard. The flash on the screen was so brief, all he had to do was hold up his clipboard to distract us for half a second.
This method is used to install back-doors and memory scrapers. They can get admin credentials that are still resident in RAM. Then, they don't need to look for wireless mice any more. They can RDP and script their way through the rest of the network.
Yes, the memory scrapes are exploiting vulnerabilities from OS that aren't under the control of Logitech. But, the m570 was the virtual keyboard that gave the hacker access to the OS from across the room.
The solution was not to write a letter to Logitech begging for updates. It was budgeting to dispose of the exploitable technology and move to Bluetooth or USB-wired input devices.
This response from Logitech seems very condescending.
-
Hi Logitech:
Why has Logitech made this page so difficult to find?
Just about any links that one finds redirects to the support.logi.com landing page and searching for "Logitech Response to Research Findings" from the support.logi.com landing page does not give any results.
It is the same for the firmware update tool.
Is Logitech serious about fixing this?
-
We have a Windows server running our security system with a K830 keyboard and unifying dongle purchased a few years ago and 2 days ago hackers gained access to the machine, stealing all the saved logins from the browser and using the computer remotely to place online orders. $1600 spent via PayPal on a phone and iTunes gift cards before we cottoned on. We run a tech savvy business and a lot of care is taken when it comes to security and we couldn't work out how this happened, then a friend forwarded a link to an article about this exploit and it all made sense. God knows how much this could (and maybe will) cost our business. Consider this contact from a consumer reporting the issues reported by Bastille. We had the Unifying software installed, why wasn't it able to update the firmware on the dongle and/or keyboard? We had to download this separate tool to upgrade both.
-
@James5394 Unplug the receiver and bring it to a Windows computer along with a flash drive with the patch. And hope that you have a supported hardware revision. This won't patch some of them. Note the firmware of your receiver prior to flashing in the Unifying software and verify that it has changed after the patch. The patch doesn't change anything in the OS; it stays in the dongle.
As much as I'd like to roast Logitech for the arrogance, they are still the only ones to produce some solution. Dozens of other manufacturers left the vulnerability in ignoring it altogether.
-
I'm going to post this here and on the more recent security bulletin.
I have a NON-unifying receiver, C-U0010. It appears vulnerable to this mousejack attack. Was able to write a short 'duckyscript' to tell it to type 'Hi' and it worked just fine.
I see these updates for Unifying receivers but nothing at all for non-unifying ones. And this receiver was bought this year from the local Target, with an M-R0061.
Are you intending to leave anyone who chose a mouse with a design on it open to this vulnerability?
-
The firmware update tool that you provide (SecureDFU_48.exe) to address a security vulnerability with your Wireless Unifying receiver and Wireless Keyboards cannot be run silently. Other enterprise users on this official announcement page have complained about the same. We need a way to A) silently run the tool to update our devices and B) a way to remotely scan these devices to identify that their firmware has been updated.
Just an idea... Could you all possibly create an additional PnP device ID string with an additional string that can be used as an identifier indicating the firmware level? This would greatly help enterprise IT staff deploy this fix.
Example:
- Standard PnP device ID string for a wireless Logitech keyboard:
HID\VID_046D&PID_C52B&MI_00
- PnP device ID string w/ FW revision:
HID\VID_046D&PID_C52B&MI_00&FW_02
Would it be possible to update the firmware update tool to A) run silently and B) append a &FW_## string to the hardware device ID list for that device?
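The receiver inventory posted earlier in this thread lists the same firmware in two notations (the Unifying software's "012.008.00030" and the Linux "RQR12.08_B0030"), and the enterprise comments above ask for a way to check fleet-wide whether receivers are on updated firmware. The script below is an added example, not Logitech's tool or any commenter's code: it normalises both notations and flags each receiver against the post-update versions reported in the thread (012.008.00030 and 024.006.00030), which it assumes to be the minimum patched versions; the sample inventory is constructed from the models listed above.

```python
import re

# Minimum versions that commenters in this thread report after a successful
# SecureDFU_48.exe update, keyed by firmware family. This is an assumption drawn
# from the thread, not an official Logitech table; adjust as the vendor publishes.
PATCHED_MIN = {12: (8, 30), 24: (6, 30)}

# Two notations for the same receiver firmware appear in the thread:
#   Unifying software / SecureDFU:  012.008.00030
#   Linux fwupd-style string:       RQR12.08_B0030
_DOTTED = re.compile(r"^(\d{3})\.(\d{3})\.(\d{5})$")
_RQR = re.compile(r"^RQR(\d{2})\.(\d{2})_B(\d{4})$")


def parse_version(text):
    """Normalise either notation to a (family, minor, build) tuple of ints."""
    text = text.strip()
    m = _DOTTED.match(text) or _RQR.match(text)
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(x) for x in m.groups())


def classify(text):
    """'patched', 'unpatched', or 'no-fix-known' when no threshold exists for the family."""
    family, minor, build = parse_version(text)
    threshold = PATCHED_MIN.get(family)
    if threshold is None:
        return "no-fix-known"
    return "patched" if (minor, build) >= threshold else "unpatched"


def audit(inventory):
    """inventory: list of (model, version_string) -> list of (model, version_tuple, status)."""
    return [(model, parse_version(v), classify(v)) for model, v in inventory]


# Constructed sample inventory mirroring the receivers listed in the thread.
SAMPLE = [
    ("C-U0003", "012.008.00030"),
    ("C-U0003", "RQR12.01_B0019"),
    ("C-U0007", "012.001.00019"),
    ("C-U0004", "013.000.00026"),
    ("C-U0008", "024.006.00030"),
    ("C-U0008", "024.000.00018"),
]

if __name__ == "__main__":
    for model, version, status in audit(SAMPLE):
        print(f"{model:8s} {version} {status}")
```

Receivers that come back "no-fix-known" (the 013.x family in the thread) still need a decision from the asset owner, since the script cannot tell you a fix exists that the vendor has not published.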
-
@apao Logitech has released a CLI tool for enterprise customers in an update thread here. Not sure if it suits your needs, but may be worth a try.
-
Why not just sell a wired version of your wireless products that are affected? I'm a huge fan of the wired wave keyboard and have to go out of my way to find resales of the wired version which Logitech has chosen to no longer sell. I don't want to have to stock batteries for the wireless version, and in working in close proximity to offices, above, below, and all around mine (some of which have folks with something to prove) I don't trust anything wireless to not eventually be compromised. Logitech's hubris about its wireless offerings is immensely disappointing, despite the great design of the wave keyboard.
-
DO NOT download the Logitech Firmware Update Tool from the link on this page. It is from 2017. There is a newer version available with release date: 2019-08-20. Logitech should keep its links up to date. The newer version can be downloaded simply by clicking on "Downloads" at the top of this page. "Firmware Update Tool" is right next to "Logitech Options" on the download page.