Is a wireless receiver a security weak point?

It's wireless, so you might be able to sniff it if it doesn't use encryption by monitoring the connection.

However, since it is probably closed source, you will not know if the program driver supplied is safe. Does it use RSA or AES encryption? Even if they use these protocols, might they be extracted from either the remote or the receiver?

Can someone else send signals with their remote (maybe by analyzing their remote and applying some homebrew that hasn't been published yet)?

Wireless devices are by definition often less secure than their wired equivalents. If you want complete security, don't use it.


Turns out the Logitech R400, R700 and (apparently) the R800 are vulnerable to remote keypress injection attacks; meaning that an attacker can send any keypress to the device where the presentation dongle is plugged in.

A few advisories have been published:

  • R400 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-074.txt
  • R700 https://nvd.nist.gov/vuln/detail/CVE-2019-12506 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-015.txt

Thus, an attacker is able to send arbitrary keystrokes to a victim's computer system, for example in order to install malware when the target system is unattended. In this way, an attacker can remotely take control over the victim's computer that is operated with an affected receiver of a Logitech R700 wireless presenter.

c't (German) is also adding the R800 to the list: https://www.heise.de/select/ct/2019/8/1555074882087318 (German, paywall).


Finally, Heise is reporting on a possible recall program by Logitech: https://www.heise.de/security/meldung/Angreifbare-Logitech-Presenter-Hersteller-tauscht-gefaehrliche-USB-Empfaenger-aus-4423627.html?wt_mc=rss.ho.beitrag.atom (German):

Darüber hinaus brachte Logitech erstmals eine Austauschmöglichkeit ins Spiel: "Sie [die Kunden, Anm. der Redaktion] können sich auch an den Logitech-Kundendienst wenden, um einen Ersatzempfänger zu erhalten: www.logitech.com/contact".

Google translation:

In addition, for the first time, Logitech has introduced an exchange opportunity: "You [the customer, editor's note] may also contact Logitech Customer Support for a replacement receiver: www.logitech.com/contact".


It is possible that the USB device plugged into the host computer is seen by the host computer as a kind of mouse or keyboard. As such, this would make the computer ready to accept mouse-like or keyboard-like events (as if someone was clicking or typing text).

It is conceivable that the USB device is itself ready to receive and process keyboard-like events. The clicker will not send those, of course; but Logitech also manufactures wireless keyboards and it would make sense that they reuse components between products, to save on development and production costs.

Take these two together, and you have it: possibly, you just gave any attacker a keyboard to your machine. At that point, many things are possible...

Hopefully, the clicker and the receiver have some sort of automatic cryptographic pairing procedure which reduces the possibilities of a hostile hijack (a man-in-the-middle could still be possible, since avoiding it may entail substantial computing effort from the involved devices). However, since this communication is between a Logitech device and another Logitech device, and the two of them are sold together, then there is no incentive for this protocol to be standard or at least documented. So you cannot be sure that things were done properly.

Also, any wireless receiver implies that there must be some driver software which analyzes data obtained from "the outside". Any bug in such a driver could be exploited (and yield kernel-level access to the host computer).

To sum up: yeah, there are conceivable risks for the host computer.
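As an added example (not part of the answers above, and not Logitech's code): a check a defender can run on Linux to see which attached HID devices, wireless receivers included, declare a keyboard to the host, by parsing each device's HID report descriptor. It assumes the kernel's sysfs layout `/sys/bus/hid/devices/*/report_descriptor`; the sample descriptors are constructed, and HID Push/Pop items are not handled.

```python
from pathlib import Path

# Generic Desktop page (0x01): usage 0x06 = Keyboard, 0x07 = Keypad.
KEYBOARD_USAGES = {(0x01, 0x06), (0x01, 0x07)}
# Constructed sample descriptors (a minimal keyboard and a 3-button mouse).
SAMPLE_KEYBOARD = bytes.fromhex("05010906a1010507 19e029e7 15002501 75019508 8102c0")
SAMPLE_MOUSE = bytes.fromhex("05010902a1010901a10005091901290315002501950375018102c0c0")

def top_level_usages(desc: bytes) -> list:
    """Return (usage_page, usage) for each top-level Application collection."""
    found, depth, page, usage, i = [], 0, 0, None, 0
    while i < len(desc):
        prefix = desc[i]
        if prefix == 0xFE:                       # long item: skip header and data
            i += 3 + (desc[i + 1] if i + 1 < len(desc) else 0)
            continue
        size = (0, 1, 2, 4)[prefix & 0x03]       # bSize 3 means 4 data bytes
        kind, tag = (prefix >> 2) & 0x03, prefix >> 4
        data = int.from_bytes(desc[i + 1:i + 1 + size], "little")
        i += 1 + size
        if kind == 1 and tag == 0x0:             # global item: Usage Page
            page = data
        elif kind == 2 and tag == 0x0:           # local item: Usage
            usage = (data, size == 4)
        elif kind == 0:                          # main item
            if tag == 0xA:                       # Collection
                if depth == 0 and data == 0x01 and usage is not None:
                    raw, extended = usage
                    # a 4-byte usage carries its own page in the upper 16 bits
                    found.append((raw >> 16, raw & 0xFFFF) if extended else (page, raw))
                depth += 1
            elif tag == 0xC:                     # End Collection
                depth = max(0, depth - 1)
            usage = None                         # local state resets after a main item
    return found

def keyboard_capable_devices(root="/sys/bus/hid/devices"):
    """Map HID device name -> top-level usages, for devices that declare a keyboard."""
    hits = {}
    for f in sorted(Path(root).glob("*/report_descriptor")):
        usages = top_level_usages(f.read_bytes())
        if KEYBOARD_USAGES & set(usages):
            hits[f.parent.name] = usages
    return hits

if __name__ == "__main__":
    for name, usages in keyboard_capable_devices().items():
        print(name, [f"{p:#06x}/{u:#06x}" for p, u in usages])
```

Any receiver listed here is one the host will accept keystrokes from, whatever the handheld device paired with it looks like.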
