A security researcher named Marcus Mengs publicly disclosed four new vulnerabilities in Logitech wireless USB dongles that could allow an attacker to take over a computer to which the dongle is connected.
What is the impact?
The vulnerabilities impact all Logitech USB dongles that use the company’s “Unifying” 2.4 GHz radio technology to communicate with wireless devices such as keyboards, mice, presentation clickers, trackballs, and more.
Flaw in wireless pairing
The first vulnerability, tracked as CVE-2019-13052, impacts all Logitech Unifying USB dongles that support a keyboard input feature.
This vulnerability allows an attacker to capture the pairing between a Unifying dongle and a Logitech wireless accessory and recover the key used to encrypt traffic between the two components. With the recovered key, attackers can inject arbitrary keystrokes, eavesdrop, and remotely decrypt keyboard input live.
Additionally, an attacker with physical access to the dongle could manually initiate a re-pairing of an already paired device to the receiver, in order to obtain the link-encryption key. This can be done by simply unplugging and re-plugging the USB dongle.
Keystroke injection flaw
The second vulnerability, tracked as CVE-2019-13053, could allow an attacker to inject keystrokes into the encrypted communications stream between a USB dongle and a Logitech device, even without the encryption key.
However, for this to work, attackers need physical access to a device. Once attackers gain physical access and collect the required cryptographic data, they can inject arbitrary keystrokes.
“Physical access is only required one time. Once the data has been collected, arbitrary keystrokes could be injected, when and as often as the attacker likes,” Mengs said.
The researcher stated that this vulnerability exists due to an incomplete fix for one of the infamous MouseJack vulnerabilities (CVE-2016-10761).
Impact on other devices
The third vulnerability, tracked as CVE-2019-13054, is used as an identifier for the vulnerability's impact on Logitech R500 and Logitech SPOTLIGHT presentation clickers. The fourth vulnerability (CVE-2019-13055) is used for all other Logitech devices using a Unifying dongle.
Both these vulnerabilities require physical access to a Logitech Unifying dongle for successful exploitation.