

A security researcher has publicly disclosed new vulnerabilities in the USB dongles (receivers) used by Logitech wireless keyboards, mice, and presentation clickers.

The vulnerabilities allow attackers to sniff on keyboard traffic, but also inject keystrokes (even into dongles not connected to a wireless keyboard) and take over the computer to which a dongle has been connected.

When encryption is used to protect the connection between the dongle and its paired device, the vulnerabilities also allow attackers to recover the encryption key.

Furthermore, if the USB dongle uses a "key blacklist" to prevent the paired device from injecting keystrokes, the vulnerabilities allow the bypassing of this security protection system.

Marcus Mengs, the researcher who discovered these vulnerabilities, said he notified Logitech about his findings, and the vendor plans to patch some of the reported issues, but not all.

Logitech "Unifying" dongles are impacted

According to Mengs, the vulnerabilities impact all Logitech USB dongles that use the company's proprietary "Unifying" 2.4 GHz radio technology to communicate with wireless devices.

Unifying is one of Logitech's standard dongle radio technologies, and has been shipping with a wide array of Logitech wireless gear for a decade, since 2009. The dongles are often found with the company's wireless keyboards, mice, presentation clickers, trackballs, and more.

Users can recognize if they're using a Logitech USB dongle that's vulnerable to these attacks because all Unifying dongles have an orange star printed on one of their sides, as portrayed in these Wikipedia images.

Below is a summary of Mengs' discoveries and Logitech's plan of action.

Mengs says that if an attacker can capture the pairing between a Unifying dongle and a Logitech wireless accessory, the attacker can recover the key used to encrypt traffic between the two components.

Furthermore, in situations where the attacker has missed the dongle pairing operation, an attacker with physical access to the dongle "could manually initiate a re-pairing of an already paired device to the receiver, in order to obtain the link-encryption key," by simply unplugging and re-plugging the dongle.

"With the stolen key, the attacker is able to inject arbitrary keystrokes, as well as to eavesdrop and live decrypt keyboard input remotely," Mengs said.

All Logitech Unifying USB dongles that support a keyboard input feature are affected. This includes Logitech wireless keyboards using Unifying dongles, but also the dongles of MX Anywhere 2S mice, which can also accept keyboard input.

Demos are below, and Mengs says the attacks are invisible to users.

Logitech told Mengs that they don't plan to issue a firmware patch for this vulnerability.

This response is the complete opposite to what Google did in a similar situation. When the search giant found out that attackers could pair a malicious device to a user's computer because of a weak pairing process in the Bluetooth version of its Titan security key, Google issued a worldwide recall of all impacted Titan keys.

CVE-2019-13053

According to Mengs, this is a vulnerability through which an attacker can inject keystrokes into the encrypted communications stream between a USB dongle and a Logitech device, even without knowing the encryption key.

The researcher says the attacker needs physical access to a device to perform this attack.
