Logitech Unifying USB Receivers Open to Key Injection Attacks


Four new vulnerabilities were found to affect all of Logitech's Unifying USB receivers, which allow users to connect up to six different compatible Logitech wireless presentation remotes, mice, and keyboards to the same computer via a 2.4 GHz radio connection.

Security researcher Marcus Mengs discovered that the flaws are caused by Logitech dongles' outdated firmware and that they allow attackers with physical access to their targets' computers to exploit the bugs and launch keystroke injection attacks, record keystrokes, and take control of compromised systems.

Out of the four vulnerabilities found by Mengs, Logitech confirmed that they'll only fix two of them, with the rest to remain unpatched until the company has a change of mind in the future:

CVE-2019-13054 and CVE-2019-13055 - vulnerabilities that will get a patch in August 2019
CVE-2019-13052 and CVE-2019-13053 - vulnerabilities that won't be fixed

The CVE-2019-13054 (impacts Logitech R500, Logitech SPOTLIGHT) and CVE-2019-13055 (affects all encrypted Unifying devices with keyboard capabilities) security flaws that Logitech plans to patch allow attackers with physical access to the targeted machine to "actively obtain link encryption keys by dumping them from receiver of Unifying devices."

Exploiting CVE-2019-13055 was demonstrated by Mengs in a demo attack against a Logitech K360 keyboard through which he was able to dump AES keys and addresses from all paired devices, subsequently allowing for eavesdropping on and decrypting of Radio Frequency (RF) transmissions in real-time.

"With the stolen key, the attacker is able to inject arbitrary keystrokes (active), as well as to eavesdrop and live decrypt keyboard input remotely (passive). This applies to all encrypted Unifying devices with keyboard capabilities (f.e. MX Anywhere 2S mouse)," says Mengs.

"Additionally, there is no need to discover the device 'on air' to carry out a keystroke injection attack, as the address is pre-known from the extraction (targeted attack possible, the actual device doesn't have to be in range - only the receiver)."

A video demo of a CVE-2019-13054 attack is also provided by Mengs, showing how a Logitech R500 presentation clicker makes it possible for attackers to discover the AES key, allowing them to launch a keystroke injection attack.

While the researcher says that the attacks are limited by the fact that "the receiver of affected presentation remotes filters out some keys, like A to Z," according to the NVD advisory, "on Windows, any text may be injected by using ALT+NUMPAD input to bypass the restriction on the characters A through Z."

The two flaws that will not be fixed according to Logitech, CVE-2019-13052 and CVE-2019-13053, also require attackers to have physical access and both of them impact all Logitech Unifying devices.

Exploiting the CVE-2019-13052 vulnerability will enable attackers to "passively obtain Logitech Unifying link encryption keys by capture of pairing" between the receiver and the Logitech wireless device as detailed by Mengs.

"With the stolen key, the attacker is able to inject arbitrary keystrokes (active), as well as to eavesdrop and live decrypt keyboard input remotely (passive)," added the researcher.

Mengs also published a video demo showing how a K400+ keyboard can be exploited using this vulnerability to sniff the pairing and eavesdrop on keystrokes.

In the case of CVE-2019-13053, the NVD advisory says that attackers "must press a 'magic' key combination while sniffing cryptographic data from a Radio Frequency transmission."

However, unlike in the case of the other flaws, "physical access is only required one time. Once the data has been collected, arbitrary keystrokes could be injected, when and as often as the attacker likes."

It's also important to note that this vulnerability stems from an incomplete fix for CVE-2016-10761, one of the MouseJack vulnerabilities discovered by Bastille back in 2016 which impact "the vast majority of wireless, non-Bluetooth keyboards and mice" and allowed "injecting unencrypted keystrokes into a target computer."

Mengs' report on the Logitech dongle vulnerabilities he found includes full bug descriptions, references, and links to all video demos for all possible attacks.

BleepingComputer has reached out to Logitech for further details on why two of the vulnerabilities will not be patched but had not heard back at the time of this publication. 

Thx to Ron for the tip!
