Three and a half years ago, a security researcher broke into my laptop without ever touching it. He didn't even need my network address. All he had to do was sniff the tiny USB receiver of my Logitech wireless mouse, fire off a few lines of code and start typing things that appeared on my screen. He could have wiped my hard drive, installed malware or worse, just as if he had physical access to my PC.
It was the kind of trick I would have laughed at in a terrible hacker movie, the kind that seems too convenient* to actually exist.
But when I wrote about the so-called "MouseJack" hack in 2016, I thought that was the end of it. I had called attention to the problem in a major technology news publication, many people were reading about it, and Logitech had already published a patch.
Yet now I'm learning that the world can't seem to get rid of MouseJack.
Earlier this week, security researcher Marcus Mengs revealed that Logitech Unifying wireless dongles are in fact vulnerable to a variety of newly discovered hacks, mostly ones involving presentation clickers, or a brief window of opportunity when a new mouse or keyboard is paired with the dongle. I haven't given that last one much thought: Logitech's peripherals come pre-paired, and you'd have to be quite a hacker to know exactly when someone has lost a dongle (or mouse) and is pairing a new one.
Something else in Mengs' report (and ZDNet's coverage) caught my attention, however: a statement that Logitech is still selling USB dongles vulnerable to the original MouseJack hack.
I got in touch with Marc Newlin, the Bastille researcher who originally hacked me in 2016, and he immediately confirmed the report: he had just purchased a Logitech M510 mouse that still came with a vulnerable dongle.
So I spoke to Logitech, and a representative admitted that those unpatched dongles could still be on the market. In fact, Logitech says it never recalled any product after the original hack in 2016:
Logitech assessed the risk for businesses and consumers and did not initiate a recall of products or components already on the market and in the supply chain. We made the firmware update available to all particularly concerned customers and implemented changes in subsequently produced products.
Logitech "phased in the fix" for newly manufactured products, but a representative said they can't yet confirm when the changes were made at the factory.
Not that we should necessarily single out Logitech, mind you. According to Newlin, MouseJack also hit Dell, HP, Lenovo and Microsoft devices, and probably others that used the same chips and firmware from Nordic and Texas Instruments in their wireless receivers. Since Logitech lets you update the firmware on its Unifying dongles, they were better than most.
But that's also why Logitech dongles could be a cheap and easy way to get started: in 2016, Newlin showed me that the Logitech Unifying Receiver itself can be used as a radio to sniff and hack other dongles, though he says this $34 Crazyradio has a much better range.
All this is to say that if you have a Logitech wireless mouse, keyboard or presentation clicker, you should probably patch it now, and maybe again in August when Logitech releases some additional fixes. Logitech's old MouseJack support pages have disappeared, but here is the link to update any Unifying receiver, and here is the one for the G900 gaming mouse.
This is also Logitech's recommendation: "[A]s a good practice, we always advise people to update their USB Unifying wireless receivers to our latest firmware."
* I was rather skeptical in 2016. That's why I handed over my laptop and my Logitech dongle for Bastille to prove it to me.