Three and a half years ago, a security researcher broke into my laptop without ever needing to touch it. He didn’t even need its network address. All he had to do was sniff out my Logitech wireless mouse’s tiny USB receiver, fire off a few lines of code, and start typing things that appeared on my screen. He could have wiped my hard drive, installed malware, or worse, much as if he’d had physical access to my PC.
Practically any Logitech wireless mouse and keyboard was vulnerable to this issue, they said. It was the kind of hack I’d laugh at in a terrible hacker movie — the kind that seems too convenient* to actually exist.
But when I wrote about the so-called “MouseJack” hack in 2016, I figured that was that. I’d given the issue attention in a major technology news publication, lots of people were reading about it, and Logitech had already issued a patch.
Yet I’m now learning that the world may not be rid of MouseJack yet.
Earlier this week, security researcher Marcus Mengs revealed that Logitech’s wireless Unifying dongles are actually vulnerable to a variety of newly discovered hacks as well, primarily ones that are paired with presentation clickers, or during a brief window of opportunity when you’re pairing a new mouse or keyboard to the dongle. I didn’t think much of that last one — Logitech’s peripherals come pre-paired, and you’d have to be a pretty lucky hacker to know exactly when someone has lost their dongle (or mouse) and is setting up a new one.
Something else in Meng’s report (and ZDNet’s coverage) caught my eye, however — an allegation that Logitech is still selling USB dongles vulnerable to the original MouseJack hack.
I got in touch with Marc Newlin, the Bastille researcher who originally hacked me in 2016, and he immediately corroborated the report: He’d just recently purchased a Logitech M510 mouse that still came with a vulnerable dongle as well.
So I spoke to Logitech, and a rep admitted that those unpatched dongles may still be on the market. In fact, Logitech says never actually recalled any products after the original hack in 2016:
Logitech evaluated the risk to businesses and to consumers, and did not initiate a recall of products or components already in the market and supply chain. We made the firmware update available to any customers that were particularly concerned, and implemented changes in products produced later.
...
Originally Posted by Zippyjuan
Reply With Quote
Connect With Us