Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Security

Logitech Wireless USB Dongles Vulnerable To New Hijacking Flaws (zdnet.com) 63

A security researcher has publicly disclosed new vulnerabilities in the USB dongles (receivers) used by Logitech wireless keyboards, mice, and presentation clickers. New submitter raikoseagle shares a report: The vulnerabilities allow attackers to sniff on keyboard traffic, but also inject keystrokes (even into dongles not connected to a wireless keyboard) and take over the computer to which a dongle has been connected. When encryption is used to protect the connection between the dongle and its paired device, the vulnerabilities also allow attackers to recover the encryption key. Furthermore, if the USB dongle uses a "key blacklist" to prevent the paired device from injecting keystrokes, the vulnerabilities allow the bypassing of this security protection system. Marcus Mengs, the researcher who discovered these vulnerabilities, said he notified Logitech about his findings, and the vendor plans to patch some of the reported issues, but not all.
This discussion has been archived. No new comments can be posted.

Logitech Wireless USB Dongles Vulnerable To New Hijacking Flaws

Comments Filter:
  • Stuff like this is why I refuse to use wireless keyboards/mouses, and insisted on a USB keyboard for my tablet.

    • by dgatwood ( 11270 )

      It's not necessary to eschew all wireless devices, just those that use proprietary protocols. Bluetooth's encryption is well-vetted.

      • by Anonymous Coward

        Just because it's encryption is good, does not mean that Bluetooth does not have it's problems. Look up the Terms BlueBorne, Btlejacking, and BleedingBit.

        There are plenty of problems to go around, proprietary or standard based...

        • by dgatwood ( 11270 )

          By Bluetooth, I mean Bluetooth Classic — the technology used for things like keyboards and mice. Two of the three things on your list are about Bluetooth Low Energy, which is an entirely unrelated technology that just happens to share part of its name with Bluetooth Classic, and is relatively immature.

          That said, you're right that Bluetooth has had a few exploits. The difference is that when exploitable bugs in the Bluetooth stack are discovered, they affect all devices across the board, and tend to

          • by mentil ( 1748130 )

            Funny, when I looked into Bluetooth security when I bought my tablet, it seemed that most of the flaws were in specific implementations rather than the standard itself... which isn't comforting at all. Sure the relevant BT version may be secure, but what about the specific implementation I'm using? Who knows!?

            Then there are problems with the protocol itself such as forced re-pairing that can be used as DoS even if they manage to secure the keys somehow (which they sent basically to anyone during pairing IIR

    • Stuff like this is why I refuse to use wireless keyboards/mouses, and insisted on a USB keyboard for my tablet.

      Like someone is going to run ransomware on my Bluetooth keyboard...

      • by mentil ( 1748130 )

        No, it'd do a badUSB-style attack where it does e.g. F6->www.mobileransomware.biz->Enter
        and thanks to a Chrome vuln I now have ransomware on my tablet.
        Or more likely, just keylog my passwords/CC#s.

  • No, really.
  • Why do we have these things in the first place? Isn't this what Bluetooth is supposed to handle, in a known and secure manner? I can understand USB dongles a few years ago when BT wasn't common, but almost everything has it, and the pairing process has stood the test of time when it comes to security.

    If Logitech has to make a dongle, why not a very good, BT 5.1 dongle, and just use that? This way, it isn't yet another crypto standard that the blackhats will cheerfully break.

    • by EvilSS ( 557649 ) on Tuesday July 09, 2019 @01:41PM (#58896996)
      Because it's taken a while for BT to catch up. Logitech actually did switch to BT years ago (including BT dongles), but latency and connectivity issues made them to go back to using their own protocols. I had some of those Bluetooth mice and keyboards and they did suck balls compared to the proprietary dongles. Some recent mice (MX Master 2S and MX Anywhere 2 for example) are again supporting both so hopefully we'll see the dongles die off for good.
      • I just picked up a blue tooth mouse and keyboard for a tablet I have. It's a LogiTech. I don't have any problems with it. There might be a lag the first time I use it after it has been sitting. But after that, no lag at all.
      • by tlhIngan ( 30335 )

        Because it's taken a while for BT to catch up. Logitech actually did switch to BT years ago (including BT dongles), but latency and connectivity issues made them to go back to using their own protocols. I had some of those Bluetooth mice and keyboards and they did suck balls compared to the proprietary dongles. Some recent mice (MX Master 2S and MX Anywhere 2 for example) are again supporting both so hopefully we'll see the dongles die off for good.

        Bluetooth works, kinda sorta.

        I've used Bluetooth keyboard f

  • I have several friends and family who suffer from schizophrenia. They are not "crazy" in general, they just have difficultly sometimes distinguishing reality from fantasy or understanding the relative importance or priority of events in their lives. Most of the time, the things my friend will say when he's really upset are just ideas/fears he's got manifesting in extreme ways. However, one time he called me after a bit to drink and said he'd thrown away all his wireless devices. He threw away two sets of mo
  • Comment removed based on user account deletion
  • The attacks require either physical access or the interception of the pairing process (which doesn't even take place most of the times, because Unifying devices are typically sold with a pre-paired receiver).
    • by huiac ( 912723 )
      Mostly correct, but it's not clear that receivers are "pre-paired" with the devices they are sold with. My assumption was always that the devices are sold "blank", and firmware tells them to automatically pair with the first device that asks; "combo" devices may get slightly different firmware (s/first/first and second/), but it seems simpler, cheaper and more reliable than programming IDs into each one, then making sure they get packed together.

No spitting on the Bus! Thank you, The Mgt.

Working...