Three and a half years ago, a security researcher broke into my laptop without having to touch it. He did not even need its network address. All he had to do was pick out Logitech's small USB receiver, run a few lines of code, and start typing things that appeared on my screen. He could have erased my hard drive, installed malicious software, or even worse, just as if he had physical access to my computer.
It was the kind of hack I would laugh at in a terrible hacker movie – the kind that looks too convenient* to exist.
But when I wrote about the so-called "MouseJack" hack in 2016, I thought that was the end of it. I had covered the matter for a major technology news outlet, many people read about it, and Logitech had already released a patch.
But now I know that the world still cannot get rid of MouseJack.
Earlier this week, security researcher Marcus Mengs revealed that Logitech's wireless Unifying dongles are actually vulnerable to a variety of newly discovered hacks, primarily ones that involve presentation clickers, or that work during the short window of opportunity when a new mouse or keyboard is being paired to the dongle. I do not think much of this – Logitech peripherals come pre-paired, and you would have to be a very lucky hacker to know exactly when someone has lost a dongle (or a mouse) and pairs a new one.
But something else in Mengs's (and ZDNet's) reporting caught my attention: a statement that Logitech is still selling USB devices vulnerable to the original MouseJack hack.
I contacted Marc Newlin, the Bastille researcher who initially hacked me in 2016, and he immediately confirmed the report: he had just recently bought a Logitech M510 mouse that still came with a vulnerable dongle.
So I spoke with Logitech, and a representative admitted that these unpatched dongles may still be on the market. In fact, Logitech says it has never recalled any products since the original hack in 2016:
"Logitech assessed the business and consumer risk and did not initiate a recall of products or components already on the market and in the supply chain. We made the firmware update available to all customers who were particularly interested, and we introduced changes to the products that were later manufactured."
Logitech did "phase in the fix" for newly produced products, but the representative said he could not yet confirm when the changes were made at the factory.
Not that we should necessarily single out Logitech, mind you. According to Newlin, MouseJack has hit devices from Dell, HP, Lenovo and Microsoft, and possibly others that have used the same Nordic and Texas Instruments chipsets and firmware for their wireless receivers. Because Logitech lets you update the Unifying dongle's firmware, it is better off than most.
But that is also why Logitech's dongles can be an inexpensive and easy way to carry out the attack – in 2016, Newlin showed me that the Logitech Unifying Receiver itself can be used as the radio to sniff out and hack other dongles, although he says that this $34 Crazyradio has a much better range.
All of this is to say that if you have a Logitech wireless mouse, keyboard or clicker, you probably need to patch it now – and maybe again in August, when Logitech is going to make further fixes. The old Logitech support pages for MouseJack have disappeared, but here is the update link for any Unifying Receiver, and here is the one if you have a G900 gaming mouse.
That is Logitech's recommendation as well: "[A]s a best practice, we always recommend that people update their wireless Unifying USB receivers with our latest firmware."
* In 2016, I was quite skeptical. That's why I provided my laptop and my own Logitech dongle for Bastille to demonstrate it for me.