Logitech keyboards and mice vulnerable to extensive cyber attacks

Logitech keyboards and mice vulnerable to extensive cyber attacks

Trends & News | c't deckt auf

Bild: Logitech / arrangement: c't

Several Logitech keyboards, mice and wireless presenters suffer from security vulnerabilities, Not only can attackers eavesdrop on keystrokes, they can even infect the host system. c't has established which products are affected and what you should do now.

A large range of Logitech wireless input devices is vulnerable to wireless attacks and can pose a security risk. That is the conclusion of security expert Marcus Mengs, with whom c't has been in touch for quite some time. Mengs investigation of the wireless connections of several Logitech devices has uncovered numerous weaknesses. They affect keyboards and mice as well as remote controls known as wireless presenters.

The vulnerabilities allow an attacker to eavesdrop on keystrokes from wireless keyboards. Everything an affected user types, from e-mails to passwords, is readily available to the adversary. But it gets worse: An attacker can send any command to the victim's computer if a vulnerable Logitech-device is installed. And that makes it easy to infect the computer with malicious code without the rightful owner taking notice.

Mengs demonstrates how to infect a system with a backdoor (remote shell) through which he can control the system remotely by radio. In a way, it's an elegant hack, because he simply piggybacks on the wireless Logitech connection to infect the system and to communicate with the backdoor. That means even computers who are not online are ripe for the hack.

Attack via Logitech radio – Security expert Marcus Mengs installs a backdoor through a vulnerable Logitech Spotlight presenter – Quelle: Marcus Mengs (@mame82)

c't evaluated the security expert's extensive reports and then discussed the individual vulnerabilities with Art O'Gnimh, global head of Logitech's mouse and keyboard division, in a video conference convened on short notice. The company confirmed Marcus Mengs' reports and attempted to clarify the situation.

The Logitech Unifying receivers are recognizable by their orange star logo. (Bild: c't)

Any Logitech device that uses the so-called Unifying radio technology is affected. Logitech has been shipping the vulnerable Unifying USB receivers with wireless keyboards and mice since 2009. Unifying is used across Logitech's product range, from inexpensive entry level devices to current high-end models. The vulnerable USB receivers are recognized by a small orange star logo.

In addition, wireless gaming products of the Lightspeed series and the Wireless Presenters R500 and Spotlight are also affected. They use related radio technology. The Presenter R400, R700 and R800, however, are not affected by the vulnerabilities described in this article. Unfortunately, they suffer from a previously discovered issue known as MouseJack.

Logitech products with Unifying technology (7 Bilder)

Logitech K400 Plus

The Logitech K400 Plus living room keyboard comes with a unifying receiver.
(Bild: Logitech)

Logitech plans to resolve only some of the security issues reported by Mengs, but not all. A complete fix would likely jeopardize compatibility between Unifying products. Logitech's Unifying wireless standard allows for up to six compatible input devices to be used with a single Unified receiver – from ten-year-old models to the latest series.

Among the security issues which the manufacturer does not plan to address are two discovered by Mengs. The security vulnerability CVE-2019-13053 allows an attacker to inject any chosen keyboard input into the encrypted radio traffic without knowing the cryptographic key used. To achieve this, the attacker only needs temporary access to the keyboard in order to press a few keys. Alternatively, the hacker could simply observe for a few seconds what the user is typing. At the same time, the attacker would record the radio traffic. Then, it only takes a few seconds of automated computer analysis to compute all the information required to attack the encrypted radio connection. That means that the actual attack can be carried out later, from a distance.

Security expert Marcus Mengs eavesdrops on the keystrokes of a vulnerable Logitech keyboard after recording the pairing process. – Quelle: Marcus Mengs (@mame82)

The second vulnerability left unfixed by Logitech is known as CVE-2019-13052. Here, the attacker can decrypt the encrypted communication between the input devices and the host device, if he has recorded the pairing between input device and host system. Logitech advises that any pairing of receiver and input device should only be performed "when it is ensured that no suspicious activity occurs within a radius of 10 meters." Good advice that's hard to take, given that the hardware required for the attack fits into any coat pocket and would hardly raise any "suspicion". All you need is a tiny Raspberry Pi connected to a USB radio stick and a small power bank.

Logitech is, however, planning to patch two other of Mengs' findings, CVE-2019-13055 and CVE-2019-13054. The Swiss company has scheduled the release of new firmware for August. CVE-2019-13055 allows an attacker to extract the cryptographic key used by the Unifying receiver. A few seconds of access to the USB receiver suffice. Afterwards, the attacker can eavesdrop to key strokes at any time from a distance, and even send any chosen commands to the Unifying receiver.

The vulnerability CVE-2019-13054 is similar: it affects the wireless presenters R500 and Spotlight, which use unifying-like radio technology. Again, the attacker can read the cryptographic key from the USB receiver and then infiltrate the wireless connection later on.

This is worse than it sounds. Wireless presenters only have a few buttons, not a full keyboard. That should limit the havoc an attacker can wreak. But Mengs managed to fool the input filters. These filters are in place to refuse execution of any letter commands, as these are not needed for the operation of the PowerPoint remote controllers. Mengs attack bypasses the filters, allowing him to execute more complex commands on the target computer, for example to install a persistent backdoor. The Windows Powershell is a welcome tool for attackers, as they can simply transmit malicious code and execute it in the Powershell. No download from the Internet, which may be detected by anti-virus software, is necessary.

Two of the vulnerabilities identified by Marcus Mengs have been known for three years. CVE-2016-10761 describes how an attacker can infiltrate the encrypted communication with his own keystrokes; another details how an attacker can connect to a Unifying receiver without the receiver being in pairing mode. Logitech addressed these two problems with firmware updates in 2016. But Mengs told c't that he still found vulnerable firmware installed on the receiver of a Unifying keyboard he purchased only recently.

According to the Unifying software, everything is up to date, but the firmware installed on the receiver is as old as the hills. (Bild: c't)

Maybe Logitech failed to overcome a challenge of their own making. Applying the firmware update is by no means trivial: Friday afternoon, c't tried to update the USB receiver of a Unifying keyboard bought in 2014. The tech support section of Logitech site offered us no less than 18 versions of the SetPoint configuration software, and, finally, the Unifying software designed for firmware updates. Both tools assured us that everything was up to date. However, further investigation by Mengs revealed that our Unifying receiver had the oldest of all possible firmware versions installed, susceptible to all known attacks. The Unifying software's update routine is obviously defective.

With the help of a third party search engine, we finally found a Logitech firmware update called SecureDFU. Although the Logitech website maintains that SecureDFU is intended for a different product, it does the trick. Only with this tool were we able to install a firmware version that is no longer vulnerable to the attacks known since 2016. The support page for our product still did not contain any hint to these old security gaps and the firmware update, nor a link to the functional update tool. Our update experience suggests that the firmware has not yet become widely distributed – which in turn suggests the majority of Unifying products are susceptible to attack.

We also pointed out to Logitech that customers on Logitech.com are insufficiently informed of the security risks that have been known for years and the important firmware updates. In their response, the company promised to "educate its customers on the risks and recommended practices of the presenters and products that use Unifying wireless technologies through two customer support pages" that are meant to be published simultaneously with this article.

The SecureDFU tool can be used to update the firmware of Unifying receivers. (Bild: c't)

To protect yourself, follow these steps: First, make sure that the latest firmware is installed on your USB receiver, so that at least the security flaws from 2016 are addressed. Since the Unifying software doesn't do the job, you'll need to use the Logitech Firmware Update Tool SecureDFU (available for Windows 7, 8, and 10). The current firmware versions are as follows:

  • 012.008.00030
  • 012.009.00030
  • 024.006.00030
  • 024.007.00030

The current firmware version can be checked using the Unifying software. As soon as the firmware update announced for August is available, you must update the USB receiver again. c't will report the availability of the new firmware as soon as it is released by Logitech.

You can download the necessary tools here:

Keep in mind that Logitech's Unifying receivers will remain vulnerable as the situation currently stands, even after the forthcoming updates will have been applied. Logitech strongly advises that "a computer (with a USB receiver) should always be kept where strangers cannot physically access or manipulate it. In addition, users should take common security measures to make it more difficult for others to access it."

Strictly speaking, you would have to lock away your keyboards, too, since an attacker can extract the cryptographic key from radio traffic by pressing a few keys as described above. And you should never use the keyboard were an adversary may be able to observe you, be it directly or remotely through a camera. For three of the four newly discovered flaws, no pairing mode is required. Normal receiving mode suffices.

Additionally, Logitech reiterates that any pairing of a receiver with a device should only be done "if it is ensured that there are no suspicious activities within a radius of 10 meters".

The necessary protective measures make it challenging to use the affected products in a professional environment. It is usually nigh impossible to ensure that no unauthorized person can access the USB receiver. An attacker only needs a few seconds of access to the receiver in order to attack the radio connection permanently from a distance. To be on the safe side, remove the Unifying receiver and take it with you when leaving your device. Basically you should ask yourself if you need to have a wireless keyboard or mouse at all. The safest way is still an old-school cable connection.