Problem-free wireless? I'm afraid not. The Logitech unifying receiver has a big weakness. Source: Alibaba.com

Logitech peripherals are vulnerable via the Unifying receiver

Raphael Knecht
9.7.2019
Translation: machine translated

Mice and keyboards have a security vulnerability. Hackers can use wireless technology to spy on keystrokes or infect entire computers. Unifying technology makes it possible.

Security researcher Marcus Mengs has analysed the wireless connections of various wireless Logitech input devices and found a security risk in the Unifying receiver. Numerous weaknesses in mice and keyboards can be attacked via the wireless technology used by Logitech. Even computers can be infected through the security vulnerabilities discovered.

Vulnerable Unifying wireless technology

The vulnerability lets an attacker eavesdrop on keystrokes and capture passwords, PIN codes and email text in this way. An attacker can even send their own commands to the computer of the Unifying receiver's user. Although the former threat sounds more dangerous, the latter should not be neglected, because it means that an attacker can infect the computer with malicious software.

The Unifying receiver makes Logitech peripherals and connected computers insecure. Source: Wikipedia

In a video, Mengs shows how he attacks a notebook using a backdoor and can then control it via a Unifying receiver. Alarmingly, the security expert not only uses the wireless receiver from Logitech to infect the system, but also to communicate with the backdoor. This also gives him access to computers that are not connected to a network.

Vulnerable hardware

All Logitech peripherals that work with a Unifying receiver are affected. Logitech has included such a USB wireless receiver with all wireless mice and keyboards supplied since 2009. Unifying technology is used not only in inexpensive entry-level models but also in high-end products such as the MX Master mouse or the Craft keyboard. An orange star on the USB adapter means that the peripheral uses the Unifying radio.

Gaming products from the Lightspeed series and the R500 and Spotlight wireless presenters are also vulnerable: they do not use Unifying technology, but work with similar wireless technology. The R400, R700 and R800 presenters also have a security vulnerability, but this is not related to the Unifying issue mentioned here and is covered separately.

Compatibility instead of security

Logitech confirmed Mengs' findings and is working on a (partial) solution. Many of the security issues discovered will be fixed, but some will not. This is because otherwise compatibility between the Unifying products can no longer be maintained. Logitech uses Unifying technology to advertise the fact that up to six compatible input devices can be operated with the same receiver - regardless of whether the product was launched in 2009 or 2019.

Logitech does not intend to fix the security vulnerability which, according to Mengs, allows keystrokes to be injected into the encrypted Unifying radio traffic. The vulnerability that allows an attacker to decrypt the encrypted communication of mice and keyboards by intercepting the pairing process of the end devices will not be closed either. Compatibility seems to be more important to Logitech in both cases. However, the Swiss peripherals manufacturer believes that in the case of the second vulnerability, it is sufficient for a secure pairing process if no suspicious activity occurs within a radius of ten metres. In other words: if there is no hacker with malicious intentions in your vicinity, they can't hack anything.

What you can do

First of all, make sure that you have the latest firmware on the USB receiver. This will at least fix the security vulnerabilities that have been known for three years. The update does not work with the Unifying software recommended by Logitech, but it does work with the SecureDFU tool, which is intended for a different product. The latest versions that you can read out in the Unifying software are 012.008.00030, 012.009.00030, 024.006.00030 and 024.007.00030 - as of 9 July 2019. As soon as Logitech delivers the announced firmware update in August, you will have to update your USB receiver again using the SecureDFU tool.
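One way to run this check across several machines, as an added example that is not part of the original article: the script compares firmware versions read out in the Unifying software against the four versions named above. The host names and readings are constructed, and treating versions that share a first field as numerically comparable is an assumption.

```python
import re

# Latest receiver firmware versions named in the article (as of 9 July 2019).
BASELINE = ["012.008.00030", "012.009.00030", "024.006.00030", "024.007.00030"]

# Format as printed in the article: three, three and five digits.
VERSION_RE = re.compile(r"^(\d{3})\.(\d{3})\.(\d{5})$")


def parse(version):
    """Return the version as a tuple of three ints, or None if malformed."""
    m = VERSION_RE.match(version.strip())
    return tuple(int(g) for g in m.groups()) if m else None


def audit(inventory, baseline=BASELINE):
    """Classify each (host, version) reading against the baseline list."""
    known = {}
    for entry in baseline:
        t = parse(entry)
        known.setdefault(t[0], []).append(t)  # group baseline by first field
    report = {}
    for host, version in inventory:
        t = parse(version)
        if t is None:
            report[host] = "malformed"   # unreadable entry, check by hand
        elif t[0] not in known:
            report[host] = "unknown"     # first field not in the baseline
        elif t in known[t[0]]:
            report[host] = "current"     # exactly one of the listed versions
        elif t < min(known[t[0]]):
            # Assumption: same first field, lower numbers mean older firmware.
            report[host] = "outdated"
        else:
            report[host] = "review"      # not listed; baseline may be stale
    return report


# Constructed sample inventory (hypothetical hosts and readings).
SAMPLE = [
    ("ws-01", "012.008.00030"),
    ("ws-02", "012.001.00019"),
    ("ws-03", "024.007.00031"),
    ("ws-04", "12.8.30"),
    ("ws-05", "040.001.00003"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

The baseline is a parameter so that the list can be replaced once the firmware update announced for August is available.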

The SecureDFU software from Logitech should fix most of the problems. Source: Null Byte

In the meantime, Logitech strongly recommends locking away computers with Unifying receivers when not in use or storing them in such a way that strangers cannot physically access them to prevent tampering. Keyboards and mice should also be locked away, as Mengs' tests have shown. However, this is difficult or even impossible in everyday business life. An unobserved moment in the office is enough for an attacker to access the Unifying receiver and hack the peripherals and the connected computer.

You are only completely safe if you either use wired peripherals or take the wireless receiver with you when you leave the computer. That is, unless Logitech gets ready to plug the gaps itself as quickly as possible.
