Return to Level1Techs.com

Security breach in Unifying wirelesss protokol of Logitech

security
#1

Logitech’s protocol is as full of holes, as is their cheese. German security expert, Marcus Mengs (@mame82) found it out, but as I see, ZDNet have an article about it.
Wire FTW! :slight_smile:

1 Like

#2

Link to the article? What holes are there specifically?

0 Likes

#3

This, possibly?

1 Like

#4

Awesome, these are standard issue on most of the desks in the office I work. Physical access isn’t an issue. Muhahahahaha :skull:

image

1 Like

#5

Good thing the MX Master 2S works over regular Bluetooth too.

Not sure surprising considering what they want to do with the unifying receivers. More surprising it took this long to be found.

0 Likes

#6

if an attacker can capture the pairing between a Unifying dongle and a Logitech wireless accessory

What are we discussing about? I’m not saying those vulnerabilities are not important but who pairs mices and keyboards constantly? Many of those vulnerabilities require direct access to the machine to activate pairing mode and intercept traffic. Maybe the keystrokes injection can be annoying but computers not in use are always locked or off and if someone is using it surely will do something before any harm can be done.

Surely those vulnerabilities need to be fixed, companies shouldn’t sell vulnerable electronic devices. But still, those things aren’t major in any way in my opinion.

2 Likes

#7

Again? Christ, my poor little M195 …
:wink:

0 Likes

#8

According to Heise Verlag (Germany), coming firmware update will leave 2 vulnerabilities open.
Obtaining key while paring, and transmitting known characters sequence.
Second one does not need physical action so it looks quite dangerous for me. I don’t know the effort needed to calculate the key by known input, but if it’s doable, then with a bit more power you could start to guess the input (just my speculation).
And keyboard injection is major threat, you could watch some Hak5 videos about Rubber Duck, if I recall it right.

0 Likes

#9

I used to work for a large corporation that has offices in just about every major metropolitan city in the United States and Europe and other countries around the globe. They were all about open office spaces and bought Logitech wireless keyboards and mice combos for every office including sit-stand desks to reduce wire clutter and present a clean look.

These were a thorn in my side constantly. Batteries die, users borrowed mice for business trips, and they mixed and matched equipment requiring re-pairing the devices daily. Also, the range of these devices was terrible when you have a large office full of them along with bluetooth headsets and cell phones. Interference caused strange stuttering when typing and lag when mousing.

Let me tell you that this vulnerability is a very real issue for these types of environments. We were large targets for phishing and scamming attempts daily so it wouldn’t be outside the realm of possibilities that someone might even attempt this. The offices were often open to visitors for events and demonstrations so access wouldn’t be an issue for attack either.

1 Like

#10

@qbecks It is, but I think looks worse than it actually is to me. Also a rubber ducky is much more powerful because the bandwith of a direct USB connection is much higher than the polling rate of those wireless dongles.
I don’t think it’s possible to guess the key just sniffing the traffic. I think everyone who makes devices like those has that covered.

@Klingon00 The company you used to work for presents a very specific situation in which an attack like that could work. But still would require a lot of work to catch someone pairing and having “open house” days without locking down every possible computer is bad indipendently from this kind of vulnerability. It’s pretty easy to disguise a really small rubber ducky and plug it in while nobody is watching

0 Likes

#11

colour me entirely unsurprised… proprietary/closed wireless standard has holes… :scream:

if you’re at work, using machines for production, use wired peripherals.

  • they don’t run out of battery
  • they aren’t susceptible to RF interference, sniffing, etc.
  • they’re cheaper
  • they work just fine and have done so for decades at this point

My desk is sit/stand and has no issue with wires. because the PC is on the desk. :smiley:

edit:
don’t get me wrong. i’ve used wireless logitech gear at home for decades at this point. but at work… pain in the ass. Not worth it.

You don’t get low battery notifications without the windows driver crapware installed, and just end up getting weird glitches with dropped keystrokes or clicks until you figure it. out.

At home, if someone is in wireless keyboard range of me and trying to hack my shit, i’ve got bigger concerns…

0 Likes

#12

Just watch out for wires like usb ninjas. :slight_smile:

1 Like

#13

I have a wireless combo keyboard+trackpad on my HTPC with their unifying receiver and Linux does display its battery meter.

0 Likes

#14

Explain this witchcraft. There are lots of posts on the logitech forums asking for Linux support for the unifying receiver.

0 Likes

#15

I never looked into it, but I assume it works through upower.

0 Likes

#16

There were only wired keyboards and mice on the 7th floor of our office. We thought it weird when we got moved there as all other floors had the Logitech wireless stuff. It turned out there used to be a guy on that floor with a pacemaker and it interfered with the wireless devices :face_with_hand_over_mouth:

0 Likes

#17

Yeah i know linux does it, but 99.9% of people aren’t running linux in the workplace, which was pretty much my point.

(i am though).

1 Like

#18

In the early days it wasn’t uncommon to get cross-talk between them and have user A’s keyboard interfering with user B.

At the end of the day for a fixed desk, its just useless fluff in an office environment. Home? Sure, stylish, more portable, looks better, etc. But an office isn’t about that stuff typically.

1 Like

#19

Even without solaar the default “Power Manager” power management daemon (in MATE) shows battery information via a taskbar icon for my Logitech wireless keyboard, mouse, and even CyberPower UPS (connected by USB).

1 Like

#20

Yep I believe that uses upower in the backend.

https://upower.freedesktop.org/

1 Like