Wireless keyboard and mouse models from Logitech, as well as the vendor's wireless presenters, are vulnerable. There are serious security issues in these wirelessly connected devices. The vendor plans to patch only a few of the vulnerabilities.


A whole arsenal of Logitech peripherals can be connected wirelessly to computers. All of these peripherals use the same Unifying USB radio receiver for pairing, and this radio connection can be attacked via vulnerabilities in the transmission protocol.

Data surveillance and command injection possible

The vulnerabilities make it possible to break into the data communication of these peripheral devices and monitor the data. An attacker could thus record keystrokes, and possibly passwords, entered via a wireless keyboard.



(Source: Pexels, Markus Spiske, CC0 license)

Alternatively, attackers can pose as a peripheral device on the radio connection and then send their own commands to the computer. In this way, a system could be compromised.

Security expert uncovers the vulnerabilities

The vulnerabilities were discovered by security expert Marcus Mengs, who shared his findings with German news magazine heise. According to heise, all Logitech devices using Unifying radio technology in the 2.4 GHz range are vulnerable. These Unifying USB receivers have been shipped with wireless keyboards and mice, from entry-level to top-of-the-range products, since 2009. Affected USB receivers can be identified by a small orange logo with a star printed on the case (see also the following tweet).


If you want to determine if your Logitech dongle is vulnerable (using the Unifying RF tech), all vulnerable dongles have this orange star on their side. pic.twitter.com/sSTiE2H2ik — Catalin Cimpanu (@campuscodi) July 9, 2019

The vulnerabilities were published as part of a coordinated disclosure, i.e. Logitech has been informed about the facts. Marcus Mengs has put the relevant information on GitHub, as you can see from this tweet.

The GitHub article discusses in detail which vulnerabilities may be misused for attacks. For example, wireless mice and presenters can also pretend to be ‘wireless keyboards’ and send commands to the paired computer. How vulnerable a Logitech peripheral is depends on the patch status of its components. Marcus Mengs already published a proof of concept, including a video, on Twitter in February 2019.

Logitech Unifying PoC2: After the PoC of eavesdropping a fully patched link encrypted Unifying device, here’s another one for Keystroke injection on hardware where MouseJack issues have been addressed with current patches https://t.co/t3wOHkTvdE — Marcus Mengs (@mame82) February 12, 2019

Since Logitech was still investigating the whole thing at the time, Mengs did not disclose any further details then. In a series of tweets, Mengs published his timeline for release.

Announcement: Disclosure timeline for material from Logitech vulnerability research: — Marcus Mengs (@mame82) June 27, 2019

2) Hardwaretool LOGITacker, about 2 weeks

– firmware for nrf52840 dongle

– no external software needed

– forced pairing

– sniff device pairing and derive encryption keys

– encrypted and plain keystroke injection

– devices discovery and storage

– bypass for input filters

– source — Marcus Mengs (@mame82) June 27, 2019

Problem: Outdated firmware, known since 2016

Here is an example that shows where part of the problem lies. Logitech wireless keyboards encrypt their keystrokes before they are sent to the receiver. A custom AES CTR implementation is used to prevent an attacker from injecting arbitrary keystrokes. On Unifying receivers with outdated firmware, this implementation has several problems:

The receiver does not enforce incrementing of the AES CTR counter for successive RF frames. This allows replay attacks and reuse of the counter with a modified ciphertext.

If the plaintext of a keystroke in an encrypted keyboard RF frame is known, an attacker could use it to calculate or recover the key material (in CTR mode, the keystream) used to encrypt the frame with that specific counter.

To cut a long story short: the attacker is then able to modify the respective RF frame so that it carries new plaintext (other keystrokes). Combined with the ability to reuse the counter, the attacker could inject arbitrary keystrokes into the radio connection. The problem exists on Unifying receivers that have not been patched against the vulnerability. Bastille Research already named this vulnerability “KeyJack” in 2016. So this is a good example of a vulnerability that does not depend directly on the device.
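Why the receiver-side counter check matters, as an added example (not code from Mengs, Logitech or the original article): a toy receiver that either ignores or enforces strictly increasing counters. The frame layout, key and reports are constructed, and HMAC-SHA256 stands in for the AES-CTR keystream so the block runs with the standard library only.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed sample key, not a real device key


def keystream(key: bytes, counter: int, n: int) -> bytes:
    # Stand-in PRF (HMAC-SHA256) playing the role of the AES-CTR keystream block.
    return hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, counter: int, report: bytes) -> tuple[int, bytes]:
    # Hypothetical frame: (counter sent in clear, report XOR keystream).
    return counter, xor(report, keystream(key, counter, len(report)))


class Receiver:
    def __init__(self, key: bytes, enforce_counter: bool):
        self.key = key
        self.enforce_counter = enforce_counter
        self.last_counter = -1

    def accept(self, frame: tuple[int, bytes]):
        counter, ciphertext = frame
        if self.enforce_counter and counter <= self.last_counter:
            return None  # replayed or reused counter: drop the frame
        self.last_counter = max(self.last_counter, counter)
        return xor(ciphertext, keystream(self.key, counter, len(ciphertext)))


def demo(enforce_counter: bool):
    rx = Receiver(KEY, enforce_counter)
    known = b"\x00\x04\x00\x00"          # constructed report whose plaintext is known
    frame = encrypt(KEY, 7, known)
    first = rx.accept(frame)             # legitimate frame is processed
    # Known plaintext XOR ciphertext reveals the keystream for counter 7 only.
    recovered = xor(frame[1], known)
    other = b"\x00\x05\x00\x00"          # different constructed report
    reused = (7, xor(other, recovered))  # same counter, modified ciphertext
    return first, rx.accept(reused)
```

With `enforce_counter=False` the second frame decrypts to the substituted report; with `enforce_counter=True` the receiver drops it, which is the behaviour the outdated firmware lacks.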

To help in a discussion, excerpt from material which will be disclosed on Thursday pic.twitter.com/xRUAmVC5yg — Marcus Mengs (@mame82) July 8, 2019

Mengs has now started to publish more information and graphics on Twitter, as shown in the tweet above.

Wireless Presenter also vulnerable

I had noticed it a few weeks ago, and blog readers had pointed it out to me, but I haven’t published an article within my blogs. Logitech’s wireless presenters can also be attacked via radio and have the same vulnerabilities discussed above. According to Mengs, most Logitech presentation clickers (e.g. R400, R700, R800) accept simple keystrokes.

The only thing an attacker needs is the RF address used by the actual peripheral device. This address could be detected by monitoring RF traffic (pseudo-promiscuous mode as suggested by Travis Goodspeed, or Software Defined Radio). Once the address is known, the attack can be carried out directly. Details can also be found in the recently published GitHub article.