Logitech keyboards and mice vulnerable to eavesdropping and remote attacks:
Wireless keyboards and mice vulnerable to eavesdropping and remote attacks.
(notice lack of "Logitech")
Maybe it was just one vendor, but experience tells that any proprietary protocol that a vendor comes up with behind closed doors is very likely to be terribly broken. And wireless keyboards are supposed to be cheap, which only amplifies the effect.
In theory, it's possible to do it right, but the odds are so low...
@fribbledom @RandomDamage @Wolf480pl I’ve *never* seen a Logi mouse encrypt squat. And the encryption used by any Logi keyboard I’ve owned is simplistic. Wireless devices are only secure within a Faraday cage, and those are nearly never used. Best to use wires unless you know what you’re doing or doing nothing useful or private at all.
Can you sniff anything on USB other than your own traffic?
OTOH, if you could force a reconfiguration and add new interfaces to your device, like a keyboard and a mass storage, that could be plenty useful. But that requires an RCE on the dongle, and the dongle to have a powerful enough CPU that you can pull this off.
Sounds like effort.
@fribbledom Shit. Guess I'm looking for a different mouse to get then.
@fribbledom I always use wired equipment.
@fribbledom All we have are these Logitech devices. LOL! There is no vulnerabilities! The problem is too vast and untenable. Everything is FIIIIIINE. **structural timbers on fire start to drop** ;)
@fribbledom If I only have a mouse, is it still possible to make it impersonate a keyboard?
You know that's a great question! I don't know the definitive answer, and could see arguments for both sides, but I'll boost your toot, in case someone else has more insight.
@mansr @fribbledom https://www.bastille.net/research/vulnerabilities/mousejack/affected-devices just unplug this crap until proven safe.
@fribbledom Under Linux, the "unifying receiver" shows up as multiple input devices: Keyboard, Mouse, Consumer Control, and System Control. The mouse device reports only motion and button events. If only the mouse device is used by applications, one would think they might be shielded from injected keypress events. Or if not, modifying the kernel driver to discard non-mouse input from the receiver should be easy enough.
Sure, that doesn't mean it can automatically be exploited by sending some magic command to the mouse, though.
You're right though, it should be fairly trivial to block it in the kernel.
Not at all surprised.
Server run by the main developers of the project It is not focused on any particular niche interest - everyone is welcome as long as you follow our code of conduct!