Earlier this year a security researcher approached Logitech regarding three potential vulnerabilities related to Logitech’s Unifying Receiver.
Two of the reported issues relate to extracting the encryption key that secures the communication between the Logitech device and the Logitech Unifying USB receiver. The third relates to overcoming the barriers to keystroke injection between the device and the USB receiver.
A person trying to replicate these would need expertise and special equipment, and would need to be within a 10 m range. They would need to act during the few seconds when someone is re-pairing a device to the Unifying receiver, or would need physical access to the target’s device or computer.
The products affected by these reports are mice and keyboards using Logitech’s Unifying wireless protocol. You can identify Unifying products by a small orange logo on the wireless USB receiver, featuring a shape with six points. The Spotlight presentation remote and the R500 presenter are also affected.
In addition, Logitech’s Lightspeed gaming products are affected by the encryption key extraction vulnerabilities.
Users can update their USB receiver (dongle) as follows:
- For PC users: You can download a simple updating tool here: https://download01.logi.com/web/ftp/pub/techsupport/keyboards/SecureDFU_1.0.48.exe
- For Mac users: We’re working on a secure DFU tool, which will be available by the end of August 2019.
- For Linux users: We will distribute the updated firmware via the Linux Vendor Firmware Service at https://fwupd.org/ by the end of August 2019.
- Our enterprise customers can download a centrally deployable tool for PC and Mac here: https://chilp.it/2952ab6