Tech

Logitech wireless USB dongles vulnerable to new hijacking flaws

Vulnerabilities found in Logitech's proprietary Unifying USB dongle technology.

Written by Catalin Cimpanu, Contributor July 9, 2019 at 2:17 a.m. PT

Logitech USB dongle — Image: ZDNet/Catalin Cimpanu

TechRepubli

Wi-Fi Icon abstract design Created in the form of stars and constellations on the background of space,isolated from low poly wireframe on .

Wi-Fi 6 (802.11ax): A cheat sheet

A security researcher has publicly disclosed new vulnerabilities in the USB dongles (receivers) used by Logitech wireless keyboards, mice, and presentation clickers.

The vulnerabilities allow attackers to sniff on keyboard traffic, but also inject keystrokes (even into dongles not connected to a wireless keyboard) and take over the computer to which a dongle has been connected.

When encryption is used to protect the connection between the dongle and its paired device, the vulnerabilities also allow attackers to recover the encryption key.

Furthermore, if the USB dongle uses a "key blacklist" to prevent the paired device from injecting keystrokes, the vulnerabilities allow the bypassing of this security protection system.

Marcus Mengs, the researcher who discovered these vulnerabilities, said he notified Logitech about his findings, and the vendor plans to patch some of the reported issues, but not all.

Logitech "Unifying" dongles are impacted

According to Mengs, the vulnerabilities impact all Logitech USB dongles that use the company's proprietary "Unifying" 2.4 GHz radio technology to communicate with wireless devices.

Unifying is one of Logitech's standard dongle radio technology, and has been shipping with a wide array of Logitech wireless gear for a decade, since 2009. The dongles are often found with the company's wireless keyboards, mice, presentation clickers, trackballs, and more.

Users can recognize if they're using a Logitech USB dongle that's vulnerable to these attacks because all Unifying dongles have an orange star printed on one of its sides, as portrayed in these Wikipedia images.

Below is a summary of Mengs' discoveries and Logitech's plan of action.

CVE-2019-13052

Mengs says that if an attacker can capture the pairing between a Unifying dongle and a Logitech wireless accessory, the attacker can recover the key used to encrypt traffic between the two components.

"With the stolen key, the attacker is able to inject arbitrary keystrokes, as well as to eavesdrop and live decrypt keyboard input remotely," Mengs said.

Furthermore, in situations where the attacker has missed the dongle pairing operation, an attacker with physical access to the dongle "could manually initiate a re-pairing of an already paired device to the receiver, in order to obtain the link-encryption key," by simply unplugging and re-plugging the dongle.

All Logitech Unifying USB dongles that support a keyboard input feature are affected. This includes both Logitech wireless keyboards using Unifying dongles, but also the dongles of MX Anywhere 2S mice, which can also accept keyboard input.

Demos are below, and Mengs says the attacks are invisible to users.

Logitech told Mengs that they don't plan to issue a firmware patch for this vulnerability.

This response is the complete opposite to what Google did in a similar situation. When the search giant found out that attackers could pair a malicious device to a user's computer because of a weak pairing process in the Bluetooth version of its Titan security key, Google issued a worldwide recall of all impacted Titan keys.

CVE-2019-13053

According to Mengs, this is a vulnerability through which an attacker can inject keystrokes into the encrypted communications stream between a USB dongle and a Logitech device, even without knowing the encryption key.

The researcher says the attacker needs physical access to a device to perform this attack. The concept is that an attacker presses between 12 and 20 keys and records the encrypted traffic, which he/she later analyzes and recovers the encryption key.

Physical access is required only once, so the attacker can collect enough cryptographic data from the radio traffic.

"Once the data has been collected, arbitrary keystrokes could be injected, when and as often as the attacker likes," Mengs said.

Furthermore, when attacking certain type of wireless devices, such as presentation clickers, the attack is even more simple, as the attacker doesn't need actual physical access, as he can infer when a next/previous button has been pressed, and classify the logged radio traffic accordingly.

Mengs says this vulnerability exists due to an incomplete fix for CVE-2016-10761, one of the infamous MouseJack vulnerabilities, and that Logitech has no plans on patching this new attack variation.

Unifying toy demo (for non public talk tommorow).
Attacker has ONE-TIME-ACCESS to encrypted Logitech keyboard, to press arbitrary keys.Remote machine listens on RF, breaks crypto, injects client agent via keystrokes, which then relays a shell over the unmodified Unifying dongle pic.twitter.com/Ho0MSPHSIH
— Marcus Mengs (@mame82) May 14, 2019

CVE-2019-13054 and CVE-2019-13055

CVE-2019-13054 and CVE-2019-13055 are technically the same vulnerability. The flaws require physical access to a Logitech Unifying dongle to successfully exploit.

According to Mengs, the dongles come with undocumented vendor commands and improper data protections that make it easy for an attacker to dump encryption keys stored on the dongles.

The entire attack takes one second to carry out, and once the hacker has the encryption keys, they can either sniff on the user's keypresses or inject their own to perform malicious operations and take over computers.

Logitech told Mengs that a patch for this issue is scheduled for August 2019.

CVE-2019-13054 is used as an identifier for the vulnerability's impact on Logitech R500 and Logitech SPOTLIGHT presentation clickers, while CVE-2019-13055 is used for all other Logitech devices using a Unifying dongle.

The reason why the Logitech presentation clickers were put in a separate category was because the attacker can also bypass "key blacklists" and inject key presses for keys between A and Z, which technically should not be supported on presentation clicker devices.

Keystroke injection into encrypted @Logitech R500 presentation clicker
- steal AES key (undisclosed vulnerability, one time physical access)
- RF injection with bypass of alpha key blacklisting (could be done as often as needed, once AES key is dumped) pic.twitter.com/yQTUCTVTdj
— Marcus Mengs (@mame82) June 24, 2019

On top of the four vulnerabilities he discovered over the course of the last months, Mengs also warned that many Logitech Unifying dongles are still vulnerable to the old MouseJack vulnerabilities disclosed back in 2016.

ZDNet reached out to Logitech a day before this article's publication seeking additional information on these vulnerabilities and why the company did not want to address some flaws. The company did not return our inquiry.

Mengs' full report is available here.

Updated on July 11 to add a link to Logitech's security advisory for the vulnerabilities described in this article.