
Update Your Logitech Wireless Dongle Right Now - goohex
https://lifehacker.com/update-your-logitech-wireless-dongle-right-now-1836382167
======
jlgaddis
There's no point in updating, apparently. Not yet, anyways -- well, unless you
haven't installed the firmware updates that fixed the last round of
vulnerabilities (2016).

Fortunately for Logitech customers, _one_ of the three vulnerabilities should
be getting fixed in a future firmware update -- possibly as soon as next
month.

The other two have been deemed WONTFIX because "_this would negatively
impact interoperability_".

Luckily, you can easily protect yourself against these other two -- just don't
ever let anyone touch your computer or come within 10m (30ft) of it and you've
got nothing to worry about.

> _Two of them relate to extracting the encryption key that secures the
> communication between the Logitech device and the Logitech Unifying USB
> receiver. The third one relates to overcoming the barriers to keystroke
> injection between the device and the USB receiver._

There's plenty of downplaying the vulnerabilities (three of them, four CVEs)
in this advisory -- several times they claim that only a sophisticated hacker
with "special equipment and skills" would even be capable of exploiting these
vulnerabilities -- even though the first comment here linked to a PoC.

Also, this link might be a bit more appropriate for the HN crowd:
[https://github.com/mame82/UnifyingVulnsDisclosureRepo](https://github.com/mame82/UnifyingVulnsDisclosureRepo)
(a "summary / overview" from the security researcher).

------
XORcat
And if you wanted a proof of concept[1] to scare the pants off of you, I'm
here for you.

[1]:
[https://github.com/insecurityofthings/uC_mousejack](https://github.com/insecurityofthings/uC_mousejack)

