- An old security flaw in Logitech’s wireless mice and keyboards that was patched three years ago is still lingering in Logitech accessories that were made before the flaw was discovered, but haven’t been sold yet.
- A security researcher said a Logitech mouse he recently bought still had the flaw.
- Logitech provides an update that’s easy to download and install.
- Visit Business Insider’s homepage for more stories.
An old flaw in Logitech’s wireless mouse and keyboard USB Unifying Receiver dongles can allow hackers to take control of those mice and keyboards – and thus, ultimately, a computer.
The flaw was discovered in 2016 and dubbed “MouseJack.” It can allow a hacker to intercept the wireless signal between a Logitech mouse or keyboard and the USB Unifying Receiver dongle it connects to from up to 100 meters away, said Bastille, a wireless security consultancy. The flaw doesn’t affect accessories connected via Bluetooth.
To intercept that signal, a hacker would need their own wireless transmitter like the one pictured here, which can easily be purchased online for cheap.
In 2016, Sean Hollister of CNET (now at The Verge) recounted how the MouseJack flaw enabled security researchers to break into his laptop during a demonstration. “They broke in like it was nothing. They could have wiped my hard drive, stolen my files, or practically anything nefarious you can do with a computer,” Hollister said.
Logitech rolled out a patch back in 2016 when the flaw was discovered. Crucially, however, the patch hasn’t – and couldn’t – make it to Logitech accessories that are still sitting in their packaging on store shelves. After all, they hadn’t yet been connected to the internet,
Speaking to Hollister at The Verge, a Bastille security researcher said he recently purchased a Logitech M510 mouse that was released in 2010 and came with an unpatched dongle.
Logitech confirmed to The Verge that the company hadn’t recalled products that were in transit, on store shelves, or otherwise in the world at the time, and that it had rolled out the patch for customers to install themselves. This means that anybody buying a Logitech device that was made before Bastille’s initial report might find it to be vulnerable.
However, the company also told the Verge that products manufactured after the flaw was discovered had the necessary changes implemented.
Thankfully, the fix is simple. Logitech has a support page where a user can download and install the patch for Windows and macOS devices. So if you own a wireless Logitech mouse or keyboard – maybe make sure you’re up to date.
We’ve reached out to Logitech for additional comment and will update if we hear back.