Rejected title: The mouse that got the cheese
On my desk, I have a very sophisticated hacking device. Want to see it? Sure.
A mouse? Really? No, I’m not talking about some metaphorical “Here are the peripherals I used on a computer to hack” kind of thing. I’m actually talking about a flaw in this particular mouse.
The mouse in question is a Logitech M185, a basic wireless mouse that’s often paired with an equally basic keyboard. It’s marketed as a business peripheral with encryption between the devices and the PC. Under the battery compartment is the USB dongle used to connect these two devices to a PC or Mac. Strictly speaking, it’s this dongle that’s the vulnerability. This makes having the mouse sitting on my desk a perfect disguise.
When plugging this dongle into my trusty Linux machine and running lsusb, we can see the following device listed:
Bus 001 Device 020: ID 046d:c534 Logitech, Inc. Unifying Receiver
Calling this a Unifying Receiver is actually inaccurate. Logitech refer to this as a Nano Receiver. The Unifying Receiver is Logitech’s other offering, which allows for up to 6 devices to be attached to the same dongle. If a device is assigned to one dongle, it is unassigned from the other. This is important.
However, despite this being recognised as a Unifying Receiver, that is only a friendly name assigned under Linux; the important bit is the VID and PID, 046d:c534. This hasn’t stopped third-party Unifying Receiver programmers (such as Solaar) from expanding their software to support the device.
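As an added example (not code from the original post or from Solaar), here is a small check that parses lsusb output and flags any receiver reporting the 046d:c534 VID:PID, so an administrator can inventory the affected dongles on Linux hosts. The names FLAGGED_RECEIVERS and find_flagged_receivers, and the sample lsusb lines other than the one quoted above, are my own constructions.

```python
import re
import subprocess
from typing import Dict, List

# VID:PID values to flag. 046d:c534 is the Nano Receiver discussed in the post;
# Linux labels it "Unifying Receiver", so match on the ID, not the friendly name.
FLAGGED_RECEIVERS: Dict[str, str] = {
    "046d:c534": "Logitech Nano Receiver: paired devices cannot be unpaired, "
                 "so a keyboard or mouse may also be paired to a second receiver",
}

# Shape of one lsusb line, e.g.
# "Bus 001 Device 020: ID 046d:c534 Logitech, Inc. Unifying Receiver"
LSUSB_LINE = re.compile(
    r"^Bus (?P<bus>\d{3}) Device (?P<dev>\d{3}): "
    r"ID (?P<id>[0-9a-fA-F]{4}:[0-9a-fA-F]{4})\s*(?P<name>.*)$"
)


def find_flagged_receivers(lsusb_output: str) -> List[dict]:
    """Return one record per lsusb line whose VID:PID is in FLAGGED_RECEIVERS."""
    findings = []
    for line in lsusb_output.splitlines():
        m = LSUSB_LINE.match(line.strip())
        if not m:
            continue  # blank or unexpected line; skip it
        usb_id = m.group("id").lower()
        if usb_id in FLAGGED_RECEIVERS:
            findings.append({
                "bus": m.group("bus"),
                "device": m.group("dev"),
                "id": usb_id,
                "name": m.group("name"),
                "reason": FLAGGED_RECEIVERS[usb_id],
            })
    return findings


# Constructed sample output; the c534 line is the one quoted in the post.
SAMPLE_LSUSB = """\
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 020: ID 046d:c534 Logitech, Inc. Unifying Receiver
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
"""

if __name__ == "__main__":
    try:
        out = subprocess.run(["lsusb"], capture_output=True, text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        out = SAMPLE_LSUSB  # no lsusb available: demonstrate on the constructed sample
    for f in find_flagged_receivers(out):
        print(f"bus {f['bus']} dev {f['device']}: {f['id']} {f['name']} -> {f['reason']}")
```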
The major difference between the Unifying Receiver and the Nano Receiver is that you can’t unpair devices from the Nano Receiver. As far as I’ve been able to see, you can pair a mouse and a keyboard to the unit, and each time you attempt to pair another device, you lose the existing one.
After playing with Solaar for a few days, I’ve discovered a vulnerability which could compromise business security. It looks like when a device is paired to a Nano Receiver there is no attempt to change the encryption key between the two devices. Whilst the devices refuse to pair if they’re connected to another receiver, once either a keyboard or mouse is out of range of the already connected receiver, they’ll happily pair to another one in pairing mode. Because you can’t unpair a device from the Nano Receiver, you can end up in the situation where one keyboard (or mouse) is paired to multiple Nano Receivers. This is where security is compromised.
Let’s say you want to target a victim in an office. The hacker would simply have to wait until the victim is away from their desk (hopefully with their machine locked). It would then be possible to use something like Solaar on a laptop to reprogram a Nano Receiver by unplugging the victim’s receiver, switching off the keyboard, and putting the attacking receiver in pair mode using Solaar. Switching on the keyboard would pair it to the second receiver.
At a later date, the attacker could plug this new receiver into a small embedded device (such as a Raspberry Pi) with a key logger, put it in range of the victim, and log their activity without their knowledge.
As a proof of concept, I’ve run a similar test with the aid of a virtual machine. Here I connected my Logitech Nano Receiver to my system and told VirtualBox to take control of it. I then, with permission, switched off a colleague’s keyboard, unplugged the dongle from the machine, and ran:
solaar pair
Finally, I powered on the keyboard. Solaar returned an error; however, it was possible to control the VM with my colleague’s keyboard. I then reattached their dongle to their machine, and they were able to use their keyboard as normal, all the while their keystrokes were also being entered on my VM.
My colleague did notice that sometimes their keyboard was unresponsive; this could be a side effect of having two dongles connected. I’m guessing the dongle sends back a “done” signal, but the majority of the time both dongles received the keystrokes.
The real issue here is that this is almost impossible for the victim to notice. The attacker needs minimal interaction with the hardware, and doesn’t require access to the user’s machine. In fact, leaving just the keyboard on the desk (i.e. after clocking off and going home) is the biggest risk.
I raised this with Logitech on 23rd October and, whilst initially they were quite responsive, after 2 months and supposed escalations the support ticket has gone quiet. I feel this has been a reasonable enough time to go public with this.
My recommendation is that all businesses switch back to wired peripherals where possible. Wireless security is a very difficult thing to get right, and in Logitech’s case, something they’ve gotten terribly wrong.
Cheers