
Three Years Later, Logitech Dongle Vulnerability Still Unpatched

Back in 2016, The Verge’s Sean Hollister flagged a zero-day vulnerability to Logitech. According to Hollister, due to a factory defect, Logitech’s wireless dongle is susceptible to takeover attacks.

Apparently, the vulnerability has yet to be patched, despite cybersecurity experts warning the company about the consequences. Hollister pointed out that instead of fixing the issue, Logitech made a note of the report and pushed several firmware updates without recalling the faulty devices.

How does this flaw affect my Logitech dongle?

Well, according to The Verge’s author, this zero-day vulnerability allows anyone with the right skills (and you don’t need to be too versed a hacker, by the way) to take full control of your device. In fact, as his recollection of the event goes, Marc Newlin, the Bastille cybersecurity researcher who tapped into Hollister’s PC back in 2016, only needed a couple of lines of code and a stroke of good luck.

Hollister said Newlin managed to breach his Logitech dongle because he lost the Unified Transceiver that, apparently, pairs with the dongle. And yes, the pairing process is pre-approved, which literally translates into: “Hey, you! I’m free! Hack me, hack me!”.

So, what really did happen? Well, as Hollister tells the story, as soon as Newlin managed to get into his computer, he began writing random stuff on his PC (yes, I know it sounds like an 80s cyberpunk movie, but at least it works).

Fortunately, as Newlin’s one of the good guys, he stopped as soon as Hollister received the message.

If you’re still wondering how much worse it could have gotten, well, considering that the Bastille cybersecurity researcher already had admin-type privileges, he could have wiped his entire hard disk or supercharged his CPU.

All’s well when it ends well, but what really happened after that? Sadly, nothing, according to Hollister’s claims. The company merely took note of the vulnerability and released a firmware update which theoretically should have patched the breach (of course, it didn’t).

Mousejack, as the issue was named, went on unresolved for several years until Marcus Meng pointed out earlier this week that Logitech dongle users are at risk.

According to Marcus’ report, the issue is not necessarily limited to Logitech. It would appear that other tech giants such as Microsoft, Lenovo, HP, and Dell may have the same problem on their hands.

So, what do all these companies have in common? Well, they obviously use the same wireless technology – chips from Texas Instruments and Nordic.

Wrap-up

Any fixes so far? Highly unlikely – the problem’s that Logitech and others like it just don’t see how such a ‘tiny’ flaw can impact their customers and business.

Sure, if you believe that your device may be at risk, you can always reach out and ask for a replacement. Hollister also mentioned that every other model that came after 2016 had a built-in safeguard to prevent tampering.

Still, I wouldn’t say that Mousejack is a get-rid-of-your-dongle-or-say-bye-bye-to-your-PC kind of issue – do keep in mind that the hacker has a small window of opportunity (replacing the lost dongle).

And that takes more luck than actual hacking know-how. So, what’s your take on Logitech’s zero-day vulnerability? Don’t be a stranger and leave a comment.

About Daniel Sadler

Old-school PC gamer, poetry buff, cat lover, tech wiz. His writing career began almost two decades ago when he modestly acknowledged that hindsight or, lack thereof, can compromise security. He enjoys spending quality time with his friends and family. Most of his friends refer to Daniel as a "man of a few words, but, man, what words!" His interests include cybersecurity, IT, blogging, and, of course, everything related to technology.
