Three and a half years ago, a security researcher broke into my laptop without ever needing to touch it. He didn’t even need its network address. All he had to do was sniff out my Logitech wireless mouse’s tiny USB receiver, fire off a few lines of code, and start typing things that appeared on my screen. He could have wiped my hard drive, installed malware, or worse, much as if he’d had physical access to my PC.
Practically any Logitech wireless mouse and keyboard was vulnerable to this issue, they said. It was the kind of hack I’d laugh at in a terrible hacker movie — the kind that seems too convenient* to actually exist.
But after I wrote about the so-called “MouseJack” hack in 2016, I figured that was that. I’d given the issue attention in a major technology news publication, a number of people were reading about it, and Logitech had already issued a patch.
Yet I’m now learning that the world may not be rid of MouseJack yet.
Earlier this week, security researcher Marcus Mengs revealed that Logitech’s wireless Unifying dongles are actually vulnerable to a variety of newly discovered hacks as well, primarily ones that are paired with presentation clickers, or during a brief window of opportunity when you’re pairing a new mouse or keyboard to the dongle. I didn’t think much of that last one — Logitech’s peripherals come pre-paired, and you’d have to be a pretty lucky hacker to know exactly when someone has lost their dongle (or mouse) and is setting up a new one.
Something else in Mengs’ report (and ZDNet’s coverage) caught my eye, however — an allegation that Logitech is still selling USB dongles vulnerable to the original MouseJack hack.
I got in touch with Marc Newlin, the Bastille researcher who originally hacked me in 2016, and he immediately corroborated the report: He’d recently bought a Logitech M510 mouse that still came with a vulnerable dongle as well.
So I spoke to Logitech, and a rep admitted that these unpatched dongles may still be on the market. In fact, Logitech says it never actually recalled any products after the original hack in 2016:
Logitech evaluated the risk to businesses and to consumers, and didn’t initiate a recall of products or components already in the market and supply chain. We made the firmware update available to any customers that were particularly concerned, and implemented changes in products produced later.
Logitech says it did “phase the fix in” for newly manufactured products, but a rep said they can’t yet confirm when the changes were made at the factory.
Not that we should necessarily be singling out Logitech, mind you. According to Newlin, MouseJack affected devices from Dell, HP, Lenovo and Microsoft too, and possibly others that used the same Nordic and Texas Instruments chips and firmware for their wireless receivers. Since Logitech lets you update the firmware on its Unifying dongles, they were better off than most.
But that’s also why Logitech’s dongles could be a cheap and easy way to launch the attack to begin with — in 2016, Newlin showed me that the Logitech Unifying Receiver itself can be used as a radio to sniff out and hack other dongles, though he says this $34 Crazyradio has much better range.
All of this is to say that if you’ve got a wireless Logitech mouse, keyboard, or presentation clicker, you should probably patch it now — and maybe again in August, when Logitech will be rolling out some additional fixes. Logitech’s old support pages for MouseJack are gone, but here are the URLs you need:
- For any Logitech unifying receiver: https://download01.logi.com/web/ftp/pub/techsupport/keyboards/SecureDFU_1.0.48.exe
- For the Logitech G900 gaming mouse: https://www.logitech.com/pub/techsupport/gaming/G900Update_1.5.23.exe
Updating is Logitech’s advice too: “[A]s a best practice, we always recommend people update their wireless Unifying USB receivers to our latest firmware.”
*I was pretty skeptical in 2016. That’s why I provided my own laptop and my own Logitech dongle for Bastille to demo it for me.