|
With my wireless keyboard came a two-inch USB extension thing for the receiver because apparently some USB 3 ports interfere in the 2.4 GHz spectrum. So maybe the ports at the back are better shielded, or are USB 2, or you only tried them with an extension and not the front ones or something like that. If it happens in a non-wireless mode, then it's something else, probably.
|
# ? Mar 15, 2025 08:56 |
|
Thanks Ants posted:
> It's probably wireless interference with the radios being so close to each other. Hang the receiver on the end of a short USB extension and your problems might magically go away.
|
Some real Final Fantasy-style naming with “Unifying Receiver”
|
Aunt Beth posted:
> why should they stick to one dumb proprietary protocol for longer than 2 years

The reason is that the unifying receiver can be trivially exploited to control your computer. I've witnessed this firsthand at work, with some pentesters that were able to trigger a fully patched machine to download and install a dropper so quickly that even a room full of people watching the screen for activity didn't see anything happen.

https://www.bleepingcomputer.com/news/security/logitech-unifying-receivers-vulnerable-to-key-injection-attacks/

Please pull that thing out of your computer

cruft fucked around with this message at 16:42 on Mar 13, 2025
|
cruft posted:
> The reason is that the unifying receiver can be trivially exploited to control your computer. I've witnessed this firsthand at work, with some pentesters that were able to trigger a fully patched machine to download and install a dropper so quickly that even a room full of people watching the screen for activity didn't see anything happen.

Those are in literally every single PC at work.
|
Dick Trauma posted:
Yeah, us too. When I hired on two years ago, I was like "that's weird, I thought these were known exploitable, I guess they found a workaround that I wasn't aware of!" They had not found a workaround. I should have said something.
|
Wasn't there a firmware update tool released to fix them?
|
cruft posted:
> https://www.bleepingcomputer.com/news/security/logitech-unifying-receivers-vulnerable-to-key-injection-attacks/

Privately and professionally, oh gently caress.
|
Yes! By policy our company provided keyboard and mice are all wired. Suck it Logitech!
|
Huh. I keep one of those around because my wireless keyboard refuses to connect via BT no matter what I try. Guess might be time to look for something else. Not that many people are probably trying to hack my PC at home through Logitech receivers lol
|
Chronojam posted:
> Wasn't there a firmware update tool released to fix them?

I think there have been several since the initial problematic finding in... 2019? 2016? a while ago.

My guess is that the Bolt receiver exists because the Unifying was such a hot mess they decided it would be better to just start over from scratch with a better wireless protocol. I don't have any evidence that this is the case, other than watching in horror as the pentesters wirelessly installed malware on that box last year.

site posted:
> Not that many people are probably trying to hack my PC at home through Logitech receivers lol

Never underestimate the destructive power of a teenage boy who recently found a new way to vandalize things.
|
cruft posted:
> I think there have been several since the initial problematic finding in... 2019? 2016? a while ago.

So, is there a way to determine my risk here? I have a ton of these things. I did get warnings on my Linux box to upgrade the firmware, but haven't seen the same on my Windows devices, which makes me wonder why I haven't.
|
Bone Crimes posted:
> So, is there a way to determine my risk here? I have a ton of these things. I did get warnings on my linux box to upgrade the firmware, but haven't seen the same on my windows devices, which makes me wonder why I haven't.

The advice we gave out at work is that if you see an orange icon on the thing, it needs to come out. If you see a green icon, you're good.

We are now in the process of going through all 16,000 workstations to forcefully remove any of them with an orange icon, and help people get set up with a replacement mouse/keyboard that uses the green icon.

It's possible Windows installed the firmware update without telling you. It might even be likely.

To the best of my knowledge, the firmware update isn't going to fix the constellation of vulnerabilities, it only fixes a few. Information on this seems kind of scarce, though. For all I know, the pentesters just happened to find something with old firmware. It's equally likely the firmware was up to date and all Unifying receivers are problematic. I'm inclined to believe the latter, but, again, the only solid information I have is some old blog posts and Logitech moving to an entirely new system that is functionally indistinguishable from the older one. That's not the kind of R&D you invest in without a good reason.

e: wait, the Bolt receiver is just Bluetooth Low-Energy? I guess that lets the keyboard work during POST, but LOL. I'll just pull mine out of the hub now and free up the slot.

ee: okay, I have read more technical information on the Logi Bolt dongle, and it does have a couple of advantages over BLE to the host OS. I'm going to keep mine plugged in on my work machine, and if you have a spare slot, I'd advise you to go ahead and use it. But I would also advise you to not wring your hands about it: Bluetooth to the host OS is going to maybe be a fraction of a millisecond more laggy, and doesn't get quite as heavy encryption, but is still nice and snappy, and is still encrypted with no published exploits.

cruft fucked around with this message at 18:36 on Mar 13, 2025
|
This conversation made me wonder if my mouse was up to date, so I checked and it was not, so I updated my mouse, and I hated the whole thing
|
cruft posted:
> The advice we gave out at work is that if you see an orange icon on the thing, it needs to come out. If you see a green icon, you're good.

Thanks for all this. I just did a check and we have 7 computers using Logitech dongles in the house, and 5 of them have an orange icon. The other 2 don't have an icon (orange or green), but say 'Logi' on the end, so they are probably another whole investigation.

The two we have in Linux machines were previously in Windows machines, and did not have the firmware updated (as far as Ubuntu was concerned), they are now updated to RQR24.10_B0036. So I don't think that Windows updated/updates the firmware. I can do some more experiments, but I'm loath to install the Logi software, so maybe that will be swapping to the Linux machines temporarily. I also can't seem to confirm what the latest version of the firmware should be - is RQR24.10_B0036 the 'best' version for my device?

It's funny, I've been avoiding BTLE mice/keyboards, because the old Logitech stuff just worked fine, and we had a bunch of receivers and mice, and just kept them going in our ecosystem. So now I have to consider: should I trust these orange dongles with B0036? or update everything in the house?
|
is there a way to see if the firmware needs updating on the unifying receiver (orange) without installing the logi software lol
|
site posted:
> is there a way to see if the firmware needs updating on the unifying receiver (orange) without installing the logi software lol

Yes! Apparently, you can plug them into a Linux system

(See thread title)
|
All I wanted to do was bitch about two dongles and now I’ve caused A Project at work. Now I have two dongles and A Project. Sigh.
|
I'm honestly struggling to come to terms with the fact that a flippant comment about your dongles and a 6-year-old exploit resulted in a page of goons in full crisis mode.
|
Seeing so many other people go "wait, WHAT" makes me feel better about $EMPLOYER having a fleet of exploitable hardware, at least.
|
So it looks like Windows just installs generic drivers for the receiver and the device (mouse/keyboard).

They are old drivers, from 2006.

The receiver is also generic. Digging deeper into the properties doesn't yield anything useful.

So I went searching for the 'new' Logitech software to manage this - evidently the one I needed for this particular device, an M220 in this exact case, is a new one (to me) called 'Logitech Options'. It is a Quarter Gigabyte download. Before doing that, I googled if it would update the firmware, or at least check it. Internet says no.

So I went looking for a firmware updater or something similar on the Logitech site, and found one - there only seems to be one discoverable via their search tool. I was a little put off as there are a limited set of devices listed, but surely those are only the new devices that are included in this latest revision, and not the full list that this software can update, right?

No:

So I did find a page on the Logitech site: https://support.logi.com/hc/en-us/articles/360026159553-Logitech-Unifying-Receiver-Update that has a description (more of an apologia and how it's not a big deal) and links to firmware update tools. Which are all broken - except to https://fwupd.org/ which is the Linux firmware group.

5 star work everyone.. Just stellar.
|
Okay Bone Crimes, I dug some more.

security researcher posted:
> 1) PoC1 - Sniff pairing and recreate AES keys for a Unifying device, in order to live decrypt keyboard RF traffic (CVE-2019-13052)

https://github.com/mame82/UnifyingVulnsDisclosureRepo

While this still isn't definitive proof, it reinforces my suspicion that the Bolt receiver was created because the Unifying receiver architecture couldn't be fixed.

e: I've read the technical reports now. The researcher was only able to grab the keys while devices were pairing, which jibes with Logitech's official statement. So if you're feeling bold, you can continue using your devices at home, as it's unlikely the punk down the street is going to the lengths necessary to find further exploits.

If you have these at a business, I recommend spending some time considering whether you're willing to accept the risk of keystrokes going over a wireless link that hasn't gotten a firmware update in 6 years.

If you are a government, or an aerospace/defense company, you had damned well better get rid of these things.

cruft fucked around with this message at 21:41 on Mar 13, 2025
|
Bone Crimes posted:
> [the only way to update the Logitech Unifying Receiver firmware is with Linux]

Can't resist... see thread title.
|
Huh, I guess my wireless mouse&kb combo I bought like 15 years ago used for 20€ has one of those too. Are there any safer alternatives where you have a wireless keyboard+mouse in the same package? Mouse should ideally be a touchpad.
|
Ihmemies posted:
> Huh, I guess my wireless mouse&kb combo I bought like 15 years ago used for 20€ has one of those too.

Laugh if you must, but the Logitech Bolt stuff seems pretty tight. Given that there was apparently no way to fix the older technology, I've got to give them credit for investing in the R&D for a whole new solution.

I'm personally using the MX Keys Mini and MX Master 3S at work, and a Pop mouse for my personal stuff.
|
I mean I only need one thing which should have both the keyboard and the mouse. I think what I have is Logitech K400. Reddit told about a HP kb+m but it is very expensive and most likely impossible to find with a Nordic layout. https://www.ebay.com/p/20067283587
|
I was wondering what the deal was with the unifying receiver being discontinued and the MX Master 3 using a new stupid dongle when I was looking into upgrading from my 2S with a busted side button that's a whole exciting tale and a half in itself (Logitech is selling shittily designed, but incredibly expensive mice which will inevitably fail in a way that makes them almost unusable because of a button getting stuck and this resulting in the mouse getting stuck in directional gesture mode). Good to know it was incredibly stupid but not in the way I expected.
|
Ihmemies posted:
> I mean I only need one thing which should have both the keyboard and the mouse. I think what I have is Logitech K400. Reddit told about a HP kb+m but it is very expensive and most likely impossible to find with a Nordic layout.

I dunno, any modern Bluetooth keyboard will implement some encryption. Logitech used to make a combined keyboard/trackpad that I like... with a Unifying receiver
|
cruft posted:
Thanks, I think in general we probably can tolerate this for most of the machines we have. Though reading through the disclosures, I am not sure I haven't used some very old receivers, so I'm not very confident on my attack surface. We are not pairing/unpairing with any regularity. I will be updating the firmware, and maybe buying some new stuff. I do have one of these on my work machine, and that is ... not good. Looks like I'll be switching keyboards for that one. I'm glad we have 2 factor for everything, as that is a comfort.