2 comments

[ 3.1 ms ] story [ 16.3 ms ] thread
There's no point in updating, apparently. Not yet, anyways -- well, unless you haven't installed the firmware updates that fixed the last round of vulnerabilities (2016).

Fortunately for Logitech customers, one of the three vulnerabilities should be getting fixed in a future firmware update -- possibly as soon as next month.

The other two have been deemed WONTFIX because "thise would negatively impact interoperability".

Luckily, you can easily protect yourself against these other two -- just don't ever let anyone touch your computer or come within 10m (30ft) of it and you've got nothing to worry about.

> Two of them relate to extracting the encryption key that secures the communication between the Logitech device and the Logitech Unifying USB receiver. The third one relates to overcoming the barriers to keystroke injection between the device and the USB receiver.

There's plenty of downplaying the vulnerabilities (three of them, four CVEs) in this advisory -- several times they claim that only a sophisticated hacker with "special equipment and skills" would even be capable of exploiting these vulnerabilities -- even though the first comment here linked to a PoC.

Also, this link might be a bit more appropriate for the HN crowd: https://github.com/mame82/UnifyingVulnsDisclosureRepo (a "summary / overview" from the security researcher).