Logitech will release firmware update for vulnerable Unifying Receiver in August

Logitech will release a firmware update in August that eliminates a security risk of the manufacturer’s Unifying Receivers. In recent weeks, a researcher found various vulnerabilities in the USB dongles, with which users can connect up to six devices.

Security expert Marcus Mengs reported extensively in the past few days about the security problems that would be with the Logitech Unifying Receiver. Outdated firmware could allow attackers with physical access to the hardware to launch a keystroke injection attack. In such an attack, a user’s data input can be recorded, but the computer can also be taken over.

The Logitech Unifying Receiver

The tiny Unifying Receiver is included with many Logitech mice, keyboards and other accessories, and connects the accessories to the computer via a 2.4 GHz radio frequency. Mengs identified four different potential risks. Two, known as CVE-2019-13054 and CVE-2019-13055, will be patched in August, according to Logitech, which considers the two issues as one vulnerability. They cover mice and keyboards that use the wireless Unifying protocol, the Logitech Spotlight and R500 presentation tools, and the Lightspeed gaming products.

Two other vulnerabilities, known as CVE-2019-13053 and CVE-2019-13052, will not be patched. According to Logitech, it is extremely difficult for an attacker to exploit it, especially if the user “protects their privacy with a few simple basics.” For example, Logitech recommends never leaving computers unattended and only pairing new devices if there is “no suspicious activity within ten meters,” the dongle’s typical wireless range. In addition, the manufacturer recommends that the user always install the latest firmware for the Unifying Receiver.