Why you should really really update your Logitech wireless dongle The Verge

Three and a 1/2 years in the past, a protection researcher broke into my pc without ever desiring to the touch it. He didn’t even need its community deal with. All he needed to do was sniff out my Logitech wireless mouse’s tiny USB receiver, hearth off some traces of code, and begin typing things that seemed on my display screen. He ought to have wiped my hard drive, installed malware, or worse, tons as though he’d had physical access to my PC.

It was the type of hack I’d chuckle at in a horrible hacker movie — the kind that appears too handy* to absolutely exist.

But once I wrote about the so-referred to as “MouseJack” hack in2019, I figured that became that. I’d given the problem interest in a prime technology information booklet, lots of people were analyzing approximately it, and Logitech had already issued a patch.

Yet I’m now gaining knowledge of that the sector might not be rid of MouseJack but.

Earlier this week, security researcher Marcus Mengs revealed that Logitech’s wireless Unifying dongles are simply prone to a sort of newly discovered hacks as well, primarily ones which are paired with presentation clickers, or at some point of a short window of possibility whilst you’re pairing a brand new mouse or keyboard to the dongle. I didn’t think a good deal of that closing one — Logitech’s peripherals come pre-paired, and also you’d must be a quite fortunate hacker to realize exactly when a person has lost their dongle (or mouse) and is putting in place a new one.

Something else in Meng’s record (and ZDNet’s coverage) stuck my eye, but — an allegation that Logitech is still promoting USB dongles susceptible to the unique MouseJack hack.

I got in touch with Marc Newlin, the Bastille researcher who initially hacked me in2019, and he straight away corroborated the file: He’d simply these days bought a Logitech M510 mouse that also got here with a susceptible dongle as nicely.

So I spoke to Logitech, and a rep admitted that the ones unpatched dongles may nonetheless be in the marketplace. In reality, Logitech says in no way in reality recalled any merchandise after the original hack in2019:

Logitech evaluated the threat to organizations and to consumers, and did now not provoke a consider of products or components already inside the market and deliver chain. We made the firmware update to be had to any customers that had been particularly involved, and implemented adjustments in merchandise produced later.

Logitech it did “section the restore in” for newly manufactured merchandise, however a rep said they could’t yet verify when the adjustments have been made on the factory.

Not that we need to necessarily be singling out Logitech, thoughts you. According to Newlin, MouseJack affected gadgets from Dell, HP, Lenovo and Microsoft too, and possibly others that used the equal Nordic and Texas Instruments chips and firmware for his or her wi-fi receivers. Since Logitech helps you to replace the firmware on its Unifying dongles, they had been better off than maximum.

But that’s additionally why Logitech’s dongles can be a cheap and easy way to release the attack initially — in2019, Newlin showed me that the Logitech Unifying Receiver itself may be used as a radio to smell out and hack different dongles, despite the fact that he says this $34 Crazyradio has a long way better range.

All of that is to say that if you’ve got a wi-fi Logitech mouse, keyboard, or presentation clicker, you need to in all likelihood patch it now — and maybe once more in August while Logitech will be rolling a few extra fixes out. Logitech’s antique guide pages for MouseJack are long gone, but here’s the link to update any Unifying receiver, and here’s the one when you have a G900 gaming mouse.

That’s Logitech’s advice too: “[A]s a first-class exercise, we always propose people update their wi-fi Unifying USB receivers to our modern firmware.”

*I become quite skeptical in2019. That’s why I provided my personal computer and my very own Logitech dongle for Bastille to demo it for me.

Let's block ads! (Why?)

//www.theverge.com/2019/7/14/20692471/logitech-mousejack-wireless-usb-receiver-susceptible-hack-hijack
2019-07-14 14:00:00Z
CAIiEGD-o7zC0qlHplSWDiVeNqEqFwgEKg4IACoGCAow3O8nMMqOBjCkztQD

Share this post