Logitech is leaving at least two vulnerabilities unpatched as fixes would likely impact device functionality.
All Logitech USB receivers with Unifying radio tech are affected
The company has been using Unifying radio tech since 2009
Logitech recommends keeping USB receivers and connected machines safe
A security researcher has found vulnerabilities in the USB receivers used by Logitech wireless keyboards, mice, and presentation clickers. These vulnerabilities can allow a malicious party to not only eavesdrop on keystrokes, but also inject their own keystrokes, letting them effectively take over the computer connected to the USB receiver. According to an online report, all Logitech wireless input devices using Unifying radio technology are affected by the vulnerabilities. The company has been shipping products using Unifying radio technology since 2009.
According to a report in German publication c’t, security expert Marcus Mengs identified the Logitech vulnerabilities and he has been working with the company to get them patched. However, it seems company will not be patching all the issues, just some of them, as patching all would likely impact the compatibility between devices using Unifying radio technology.
Logitech uses Unifying radio technology in a number of products, ranging from entry-level devices to high-end models. The technology allows up to six compatible input devices to be used with a single Unified receiver. The affected USB receivers can be easily identified by looking for a small orange star logo.
c’t writes that there are two key vulnerabilities that Logitech doesn’t plan to fix – CVE-2019-13053 and CVE-2019-13052. While the CVE-2019-13053 vulnerability lets an attacker to inject any chosen keyboard input into the encrypted radio traffic without knowing the cryptographic key used, the CVE-2019-13052 flaw can allow an attacker to decrypt the encrypted communication between the input devices and the host computer, if they have recorded the pairing between input device and host computer.
Logitech does plan to patch CVE-2019-13055 and CVE-2019-13054 vulnerabilities in a fix that will be released in August. Both vulnerabilities allow an attacker to extract the cryptographic key used by the USB receiver, thereby giving them access to connection.
For other vulnerabilities that the company doesn’t plan to patch, it recommends “a computer (with a USB receiver) should always be kept where strangers cannot physically access or manipulate it. In addition, users should take common security measures to make it more difficult for others to access it.”