Logitech Unifying Receiver Update
Pinned
- For PC or Mac users: You can download a simple updating tool here: https://support.logi.com/hc/articles/360035037273
- Enterprise customers: You can download a centrally deployable tool for PC here: https://download01.logi.com/web/ftp/pub/techsupport/keyboards/Script%20DFU%20Tool.zip (Mac support will be added shortly)
______________________________________________________________
Earlier this year a security researcher approached Logitech regarding three potential vulnerabilities related to Logitech’s Unifying Receiver. We have been in communication with him since to assess the risks associated with these findings and ways of addressing them.
We’d like to first reassure you that this research was conducted in a controlled environment. The vulnerabilities would require special equipment and skills, as well as proximity to - or even physical access to - the target’s computer or device.
People who are concerned about their privacy should take note of and apply the computing security measures described in the Q&A below.
We are actively working on a firmware update that will address one of the vulnerabilities and expect it to be available for download in August, 2019. We will update this post as soon as it becomes available for download!
We take our customers’ privacy very seriously, and these findings help us to continually improve our products.
Q: What are the vulnerabilities reported by the security researcher?
A: Three potential vulnerabilities were reported. Two of them relate to extracting the encryption key that secures the communication between the Logitech device and the Logitech Unifying USB receiver. The third one relates to overcoming the barriers to keystroke injection between the device and the USB receiver.
A person trying to replicate these would need expertise and special equipment and to be within 10m range. They would need to act during the few seconds when someone is re-pairing a device to the Unifying receiver, or would need physical access to the target’s device or computer.
Q: How should I protect my privacy when using my Logitech products?
A: You can protect your privacy by applying some basic principles as you use your computer and your Logitech products.
First and foremost, follow the common-sense security measures that are found in a typical office or home and don’t ever let strangers physically access or tamper with your computer or input devices.
Secondly, all our Unifying devices are securely paired to a wireless receiver when they are produced and pairing is not required thereafter. However, the ability to pair a second, third or fourth device to a single USB receiver is one of the advantages of our Unifying wireless technology so we enable it through a simple piece of software. If you have to pair a device to a Unifying receiver, this procedure could allow a hacker - with the right equipment and skills, and physically close to your computer - to “sniff” the encryption key. So this brief procedure should only be done when absolutely certain that there is no suspicious activity within 10m/30ft.
Note, if your device stops working, this is never because of a loss of pairing to the USB receiver so re-pairing is not required to troubleshoot.
Q: Which Logitech products are concerned by these reports?
A: Mice and keyboards using Logitech’s Unifying wireless protocol. You can identify Unifying products by a small orange logo on the wireless USB receiver, featuring a shape with six points. The Spotlight presentation remote and R500 presenter, are also impacted.
In addition, Logitech’s Lightspeed gaming products are concerned by the encryption key extraction vulnerabilities.
Q: Can I install a firmware upgrade to protect me against this? How?
A: Two of the vulnerabilities (known as CVE-2019-13053 and CVE-2019-13052) would be difficult for an attacker to exploit and can be effectively protected against by applying the computing privacy guidelines above. We won’t address these with a firmware update as this would negatively impact interoperability with other Unifying devices.
However, we take security very seriously and we recommend our customers update their wireless Unifying USB receivers to the latest firmware. We are actively working on a firmware update that will address the third vulnerability (known as CVE-2019-13054/55). We expect this to be available for all applicable devices in August, 2019 and we will update this page with more information at that time.
- For PC or Mac users: You can download a simple updating tool here: https://support.logi.com/hc/articles/360035037273
- Enterprise customers: You can download a centrally deployable tool for PC here: https://download01.logi.com/web/ftp/pub/techsupport/keyboards/Script%20DFU%20Tool.zip (Mac support will be added shortly)
- Linux users: Our latest firmware has been submitted to the Linux Vendor Firmware Service and will be available at https://fwupd.org/.
-
@lain7107
You can see a non-exhaustive list of MouseJack-vulnerable devices at https://www.bastille.net/research/vulnerabilities/mousejack/affected-devices
In addition to what's listed I'd say any of their wireless products purchased prior to .. at least June 2017. Give that some time to get rid of old stock and have new stock on the shelves.
Or just look at what the updated firmware numbers are, open... was it setpoint or the unifying pairing software, and look at the dongle's current fw number. And if it's not one of those it's vulnerable.
I just bought my vulnerable non-unifying mouse in January of this year. So, I think all non-unifying receivers are probably vulnerable.
My SO bought a k400 within the past month - also from the local Target - And the receiver came with the patch. So there's that at least.
@Mark: I'm glad they finally know about the issue, for sure. I've just kinda been thinking they've been pointedly ignoring non-unifying because it'd be even more difficult to push updates for all of those too. Or maybe they can't be updated because they're afraid one would be able to flash a non-unifying dongle with a unifying firmware or something.
They definitely should be freaking out since this is a huge vulnerability and I'm sure hundreds of thousands of vulnerable devices are already out in the wild. The only reason they're still getting sales is because major news networks haven't made segments about it, so the people in-the-know are limited.
-
@Jeff Jackson
We make use of lots of equipment in a number of offices, and currently have a flexible BYOD policy for input devices, so MouseJack is a concern for us. Being able to periodially sweep an entire office as part of a security review will allow us to check for potential issues without needing to pysically inspect each device.
While there do appear to be some problems with Logitech's process, at least the Unifying adaptors are patchable. IMO the bigger problem appears to be with non-Unifying devices which cannot be fixed, only binned.
I guess the only way to be sure would be to try and run the exploit myself.
-
Looks like unifying software got update and there is now update firmware button. SADLY:
- Newest version crash on OS X
- Windows version failed to update dongle firmware from 012.001.00019 to 012.008.00030. No error messages it seems to fail do its job properly.
Not worth of updating because of those two and because there is not fixed firmware available for the newest vulnerability.
-
Hope the Aug update will fix my problem.
Must Unplug Receiver Every Restart/Sleep
M570 and M510 ... must unplug/plug-in receiver/dongle every time before they show up in Control Center.
This means if I don't do that my Configuration settings don't work...
This is new with my new Mac Mini w/OS 10.14.5 and .6
Did not do this with my MB Pro (2016) with 10.14.5
Difference between my Mac's may be the new T2 chip.
-
Hey everyone
I have an other Problem which would be a great risk.
We cant silent install the newer Versions of the Logitech Options Software.
The older ones we could silent install but at some Point they scrapt this feature.
How do you guys make sure that the software is up to date?
We have 150 PC with the Software on in and manual update is not an Option.
Thanks for the reply.
-
Hello Kirill
Thanks for the reply.
Can you explain me what you do with the logon script?
The Install file has no Silent key (/S /Silent /qn, ,...) and i don't know how to make it silent.
(Support didn't answer me 5 Times and on the last Ticket about this they reply after 3 Weeks with the Message "It doesnt work" )
Thank you very much
really appreciate it
-
Hello, it's me again.
I was hoping Logi Moderator could clarify Logi's position on non-unifying receivers. As non-unifying products may make more sense to some consumers. They may think "Unifying, what's that? Why doesn't this other one have unifying? Well this other one that doesn't have unifying has a neat design that I like, so I'll get that." Not knowing that buying a non-unifying product will make their computer vulnerable.
Or they may know what Unifying is, and decide they don't need it because they only need the one peripheral.
-
After running the Firmware Update Tool my K400 Plus is now at firmware version 063.002.00016, according to Logitech Options. Is this the firmware with the security fixes?
I'm asking because the article says the update was released 28th August, yet the update tool has last updated day of 20th August and it didn't appear to be making an internet connection when run.
-
I have the MK700 keyboard and M705 mouse (circa 2015). On 2019.08.29 I downloaded the firmware update tool (v1.2.169_x64) and ran the update without any issues. The firmware for the Unifying Receiver showed as being v024.010.00036.
On 2019.08.30 I replaced a problematic M705 mouse (not caused by the above) with a new M705 mouse that came with a new Unifying Receiver. I went through the process of unpairing the old devices from the old UR, installed the new UR and paired the old MK700 and new M705 devices to the new UR. All went well.
I noticed that the firmware for the new UR was v012.011.00032 so I ran the the firmware update tool once again. After the process completed successfully, the firmware version for the UR is still showing as v012.011.00032.
This question becomes, should I be concerned that the firmware tool did not update the new UR?
-
Thanks for posting Nils. How old is your Unifying Receiver? The reason I ask is because my UR from 2015 did update to 024.010.00036. However, The new UR that came with my new M700 device (which is supposed to have been released in 2018) did not update to 024.010.00036. The Firmware Update kept it at 012.011.00032.
-
@Robert Archell
I got mine early 2017.
Through a German site I found a link to Logitech firmware repository on GitHub.
https://github.com/Logitech/fw_updates/tree/update2019-08-27
It should confirm our Unifying Receivers, both of 012 and 024 firmware type, are at the latest version (browse through RQR12->RQR12.11).
Why there are two different types appears be by the chip used, RQR12 for Nordic Semiconductor, RQR24 for Texas Instruments, but please don't quote me on that.
Please sign in to leave a comment.
Comments
132 comments