Independent security researcher Marcus Mengs has published information about a series of vulnerabilities in Logitech equipment.
The bugs allow an attacker to intercept data that arrives on a vulnerable device, unnoticeably for the victim to introduce keystrokes and take control over computer.Mengs’s study deals with USB dongles that connect wireless keyboards, mice, and trackballs to a computer. According to the expert, many users mistakenly consider the input devices themselves to be vulnerable, while the real threat lies in the receiver.
“To imitate keystrokes, the hacker doesn’t need an input device, because he will mask himself. For an attacker required equipment connected to the adapter, only to find out if he has a keyboard input function and whether it encrypts data before sending it to the receiver”, – Mengs explained.
The researcher also stresses that the ability to emulate keystrokes present in many wireless mice, presentation control panels, and other “non-obvious” gadgets. Therefore, the offender can enter data through these receivers. Additionally, in most cases, such an attack is completely invisible to the owner.
According to Mengs, the vulnerabilities affect all Logitech USB dongles that use their own 2.4GHz Unifying radio technology to communicate with wireless devices.
Unifying is one of Logitech’s standard dongle radio technology, and has been shipping with a wide array of Logitech wireless gear for a decade, since 2009. The dongles are often found with the company’s wireless keyboards, mice, presentation clickers, trackballs, and more.
Mengs discovered four new vulnerabilities. Bug CVE-2019-13053 allows an attacker, without knowing the key, to fool the dongles that receive data in encrypted form. Technically, this is a new variation of the CVE-2016-10761 vulnerability associated with the reuse of AES CTR counter values.
Unlike the bug of 2016, to exploit a new vulnerability, an attacker would need at least once to gain physical access to the input device. He will have to press from 12 to 20 keys to generate a sufficient amount of encrypted traffic, the decryption of which he knows. Vendor said he was not going to release a patch to this bug.
CVE-2019-13052 is associated with a weak data exchange mechanism when pairing devices. An attacker can get the encryption keys used by the adapter if it intercepts the information transmitted between the dongle and the input device.
After that, he will be able to monitor all traffic between these devices — for example, read the text typed on the keyboard and send his own commands to the USB dongle. For the user, such intervention will go unnoticed. The expert said that the manufacturer is not going to close this vulnerability.
The bugs CVE-2019-13054 and CVE-2019-13055 are related to undocumented capabilities of the receivers. With their help and with physical access to the target device, an attacker can quickly retrieve the encryption keys. As a result, he will get access to information transmitted from the device, as well as be able to simulate keystrokes himself. Bug CVE-2019-13054 also allows you to bypass the ban on entering alphabetic characters that is present in some consoles for presentations. Developers plan to eliminate this threat in the near future.
Moreover, according to Mengs, many Logitech devices are still vulnerable to attacks from MouseJack bugs. Recalling, in 2016 it turned out that wireless mice allow anyone to connect to the receiver without using encryption.
