The idea that someone can easily plug in a small USB device into your computer without you knowing is terrifying. How do you know that Rick from Accounting won’t try to stick a keylogger onto the back of your computer when you’re at lunch? What’s stopping your friend from pulling the evilest April Fools prank on your computer by uploading fake ransomware?
Absolutely nothing. But the situations I’ve listed out rarely happen. I’d say they take place in movies 99% of the time, the other 1% being real-life scenarios.
However, sometimes it’s the ones closest to you that hurt you the most. Today, Logitech ended up hurting us tech enthusiasts the most.
1. “Unifying” Terror
According to Marcus Mengs, the man responsible for discovering the USB vulnerabilities, stated that certain Logitech USB dongles that are responsible for connections to wireless keyboard, mice and presentation clickers are vulnerable to certain attacks.
These attacks include manipulating the USB to act as a keylogger, taking over the user’s keyboard and inserting their own keystrokes, and even taking over the whole computer if able. Now, the good news is that many USB dongles are programmed to block any injected keystroke that’s not coming from the source computer. Bad news is that these vulnerabilities allow the hacker to bypass this security measure as well.
I do have more good news though! You may not be affected, so hold on to your Logitech equipment until you hear what I have to say.
The Logitech USB dongles that are affected by these vulnerabilities are part of Logitech’s “Unifying” technology, one of Logitech’s wireless radio technology that ships with their products.
If you aren’t sure whether your device uses “Unifying”, all you need to do is look for an orange star on the USB dongle. If not present, it’s not using “Unifying”. If it is, you may want to look for a Corsair mouse. Anything else, really.
2. How It Works
Logitech’s vulnerability can be accessed without physical access only if the wannabe attacker can intercept the communication that takes place between the pairing of the USB dongle and the keyboard it’s connecting to. Intercepting this process would mean that the now-dangerous attacker can decrypt keystrokes in real time. So, for example, they’d be able to crack the password of a website you visit.
However, the pairing process is a small window. It’s highly unlikely that an attacker will be able to strike before the window closes, so they’d likely need physical access. To do this, the attacker would need to be able to type a few random keys into the keyboard, record the traffic, and then decrypt the traffic later, granting the encryption key.
Truly, this is a lot of work and not to mention risky.However, the potential rewards are endless, so disclosing this decision may have been a bad move.
Never fear though, Logitech said they are working on fixes to these vulnerabilities. Well, most of them. There are two vulnerabilities that Logitech has stated that they don’t planning on fixing with a firmware update, and one is vulnerability CVE-2019-13052.
CVE-2019-13052 allows an attacker to intercept the encryption key during the pairing process like I mentioned earlier, but this vulnerability also allows an attacker to reinitiate the pairing process to grab the key if the window is missed the first time. You’d think Logitech would focus on fixing this one first, and their dismissive attitude towards this vulnerability is frankly astounding.
This is the same as if a system admin was scolded for not protecting the company servers with encryption and VPN and he responded with “It’ll be fine”. You trust that man!?
For now, I recommend keeping others away from your Logitech keyboard or mouse. Maybe lock your door, turn your cubicle into a safety shelter, you know, the usual. Truth be told, I’d rather build my own signal jammer to keep a hacker at bay than use a wired mouse. What is a wire but a restriction on movement?