Three and a half years ago, a security researcher broke into my laptop without ever having to touch it. He did not even need its network address. All he had to do was locate the small USB receiver of my Logitech mouse, trigger a few lines of code, and start typing things that appeared on my screen. He could have erased my hard drive, installed malicious software or worse, much as if he had had physical access to my PC.
It was the kind of hack I would laugh at in a terrific hacker movie – the kind that seems too practical* to actually exist.
But when I wrote about the so-called "MouseJack" hack in 2016, I thought that was that. I had drawn attention to the problem in a major technology news publication, many people were reading about it, and Logitech had already released a fix.
Still, I'm learning now that the world may not have got rid of MouseJack yet.
Earlier this week, security researcher Marcus Mengs revealed that Logitech's Unifying wireless dongles are also vulnerable to a slew of recently discovered hacks, mostly ones involving presentation clickers, or ones that work during the brief window of opportunity when you pair a new mouse or keyboard with the dongle. I did not think too much about the last one. Logitech's devices come already paired, and you would have to be a lucky cracker to know exactly when a person has lost a dongle (or mouse) and is installing a new one.
Something else in Mengs' report (and ZDNet's coverage) caught my attention, however – an allegation that Logitech is still selling USB dongles that are vulnerable to the original MouseJack hack.
I contacted Marc Newlin, the Bastille researcher who had hacked me in 2016, and he immediately corroborated the report: he had just bought a Logitech M510 mouse with a dongle that was also vulnerable.
So I spoke to Logitech, and a representative admitted that these unprotected dongles could still be on the market. In fact, Logitech said it never recalled products after the initial 2016 hack:
Logitech has assessed the risk for businesses and consumers and has not initiated a recall of products or components already on the market and in the supply chain. We made the firmware update available to all customers who were particularly affected and implemented the changes made to the products that were manufactured later.
Logitech has "integrated the patch" for newly manufactured products, but a representative said they cannot yet confirm when the change was made at the factory.
Not that we should necessarily single out Logitech, mind you. According to Newlin, MouseJack also affected devices from Dell, HP, Lenovo and Microsoft, and probably others that used the same chips and firmware from Nordic and Texas Instruments for their wireless receivers. Since Logitech allows you to update the firmware of its Unifying dongles, its customers were better off than most.
But that is also why Logitech's dongles could be a simple and economical way to launch the attack. In 2016, Newlin showed me that the Logitech Unifying Receiver itself could be used as a radio to detect and hack other dongles. He says that a $34 Crazyradio has a much better range.
All of this is to say that if you have a Logitech wireless mouse, keyboard or presentation clicker, you should probably patch it now – and maybe again in August, when Logitech introduces additional patches. The old Logitech support pages for MouseJack have disappeared, but here is the link to update any Unifying receiver, and the one to use if you have a G900 gaming mouse.
This is also Logitech's recommendation: "[A]s a recommended practice, we always recommend people to update their Unifying USB wireless receivers with our latest firmware."
* I was quite skeptical in 2016. That's why I brought my own laptop and my own Logitech dongle to Bastille for a demonstration.