Conversation

I have a Problem. Please help me with my Problem.

This is the Logitech K400 Plus. It is my favoritestest keyboard. It is light. I can set it in my lap to type, which is good for my RSI. It has an onboard touchpad.

https://amazon.com/Logitech-Wireless-Keyboard-Touchpad-PC-connected/dp/B014EUQOGK/

It is (was?), due to Logitech's old "Unifying Receiver" tech, vulnerable to multiple serious security flaws, including (?) a MITM where if you plug it in while an attacker is within 30 feet they can surveil all keystrokes after.

https://www.bleepingcomputer.com/news/security/logitech-unifying-receivers-vulnerable-to-key-injection-attacks/

(1/2)

What I am trying to figure out is

A. How do I tell if my K400+ has outstanding security vulnerabilities, and if so, which ones? I have what Logi Options + claims to be the newest firmware (receiver 24.10.36, device 63.2.16). How vulnerable am I with this firmware?

B. If I decide to replace my K400+ with a newer, possibly bluetooth keyboard, what is the *closest* keyboard I can get to the K400+? All newer Logitechs remove the touchpad, or have weirdo circular keys, or both.

(2/2)

@mcc I have the same keyboard (for a secondary computer, anyway), and I just don't give a damn b/c the benefits of having multiple devices use a single receiver without Bluetooth woes are overwhelming to me.

Someone really wants to pwn my SBC using the keyboard? I applaud them for their persistence :D!

@mcc I have one of those (also one of the newer ones) and the Logi apps no longer support the K400+! They direct you to a web app that only *operates* in Chrome and does not work either. So we are screwed.

I kinda like the one with the round keys and no trackpad. For openers, the app lets you disable caps lock and insert. But the power-on-self-test on my Windows machine gets angry because it doesn't see bluetooth keyboards.

@AlgoCompSynth Last week I was able to connect Logi Options + and query the firmware.

There is also a standalone firmware updater tool, but it simply crashes on open on my computer.

@mcc Maybe it's a model difference - mine is a K400r, not K400+. But the issue is the same - planned obsolescence of mass-marketed cheap devices with no regulation and little credible competition and mind-bendingly complex communications protocols with "specifications" in C code, etc.

@AlgoCompSynth I no longer run with the logi options on at all, which sucks because it means I can't get the FKEYs to act normal instead of being media keys :/

@mcc There's an old sales pitch line that comes to mind: "When you buy my high-quality expensive device you only cry once, when you see the price."

@utzer @zwangseinweisung I am able to run firmware upgrades with the current version of the Logi Options + app.

@mcc

  1. The K400 Plus is awesome.

  2. No, Logitech don't have anything that resembles it. (I've asked them, nagged them, petitioned them, and nothing worked...)

  3. Your only option left may be to hack it, killing its transceiver, adding a Miniduino/ESP32W or similar microcontroller that can talk to a Bluetooth or Wifi interface, communicating on the keyboard's behalf.

  4. Depending on your wireless solution, you may need to hack a matching device driver.

@haitchfive OK. To your knowledge, do any wireless vulns remain after upgrading to the newest firmware?

@mcc @zwangseinweisung yes, I understood that, I just felt the need to express my surprise over the possibility to actually upgrade the firmware at all.

Or are you saying there is no such option to upgrade, not that there is no upgrade available for your device?

@utzer @zwangseinweisung It appears to work on my device. The reason I mentioned the name of the app is there are three separate Logitech apps, one does not work on my computer and another does not appear to be able to do firmware upgrades (anymore?). "Logi Options +" is the one that works.

@mcc have you tried Linux and fwupdmgr as well? It works for my stuff here* (several MX Ergo trackballs, MX Keys keyboards, a few MX Master mice) @utzer

*don't call me fanboy 😁

@mcc @zwangseinweisung ah ok.

I need to look into this, because I was evaluating what to do regarding keyboards as well. For me the topic was a bit different: I was evaluating buying the same keyboard for home, office and maybe another one to take with me when working from client premises for more than a week, because it really annoys me to have two different keyboards everywhere.

The K400 type is one I own and it is light and small, but still nice to work with.

Anyway, I guess if the attack you mentioned is solved in the firmware you have, then the keyboard should be fine. Or not?

@utzer Well the reason I ask is that although there are clear reports that Logitech fixed some number of vulnerabilities in a firmware update, I have not seen any specific analysis to the effect of "yeah, we retested the vulnerabilities and none of them work anymore". Because I follow many infosec people, I was wondering if someone had better information than I had seen, to confirm that Logitech fixed *all* vulnerabilities rather than *some* vulnerabilities.

@mcc @AlgoCompSynth Might be a software solution? On macOS there is USB Overdrive which can configure actions for keys on most USB devices.

@gparker @AlgoCompSynth I mean I think the software solution is to download an older version of Logi Options (not "plus") which supports the K400+ :(

@mcc @gparker That's the version Logi Options+ told me to download that doesn't work and told me to use the Chrome app that also doesn't work.

@mcc probably not what you want to hear but I have the old K400 that uses a USB dongle instead of Bluetooth

@chunter that is the vulnerable one. Bluetooth Logitech devices are not vulnerable. There is no Bluetooth K400 series.

@mcc looking forward to you building a headless laptop inside the K400's shell and using Synergy or similar keyboard-and-mouse-sharing software to send the keyboard and mouse output to your other computer

@ChateauErin I'm terrible at hardware, I tried to order some pin header USB ports off JLCPCB and I couldn't even figure out how to format the CAD files how they wanted :(

@mcc if you care about resilience against eavesdropping, then going for a cable-attached keyboard would make a lot of sense. Yes, there's still "tempest" electromagnetic emissions, but that's quite different from intentionally broadcasting RF signals.

@LaF0rge do you know of any reason to suspect eavesdropping is a concern with Bluetooth keyboards?

@mcc speaking of which, I don't get why there's still no standard for encrypted/authenticated USB-HID. That way any usb tracing keyloggers would be rendered ineffective. Sure, one can still have keylogging Trojans, but it's always worth plugging security holes...

@mcc Not specifically, but according to the KISS principle I'd rather rely on lower complexity wired signals than a complex protocol stack with potentially flawed implementations...

@mcc I use the ERGO K680 and the programmable ERGO MX, although the latter has since been replaced with even more ergonomic models. Most of what makes trackpads so useful can be obtained by setting the various keys and buttons on the trackball for those functions. I also find it's even better for RSI than a trackpad.

@mcc this may be far more than you want to do but https://github.com/RoganDawes/LOGITacker seems to be able to scan for vulnerabilities with an nRF dongle.

In a week or so I can dig through my Boxes of Shame and Unfinished Projects to see if I have the parts for this. I think I have a newer version of that keyboard.

@Lizburton So what I am focused on is my arm positioning. If my elbows are at a right angle and in my lap, that does good things to my Carpal Tunnels. I don't know what a carpal tunnel is, I only know that when I do certain things it hurts and when I do different things it doesn't hurt.

But if the point is that my keyboard is in my lap: I can't get the trackball down there also, unless the trackball is physically attached to the keyboard. Or unless I get a significantly more complex desk setup.

@mcc Not necessarily true. The 680 has a wide wrist rest I often perch my trackball on, since it doesn't need to be moved around. The carpal tunnel is a channel in your wrist bones that the main nerve to the hand passes through. Try spreading your fingers as far as you can several times while working.

@mcc I found https://www.reddit.com/r/htpc/comments/18zl8vo/found_a_great_keyboardtrackpad_option/ the white one.

Pro: it does have wireless, square keys (I prefer the queer round ones but to each their taste), a large trackpad.
Con: buying it is bullshit. You have to email them then wait for them to call back.

@LaF0rge @mcc How would that work and what attacks would it prevent?

@mcc IIRC you have a Linux machine. Plug the receiver into it and run fwupdmgr get-updates to check for firmware updates.

My K400 (no +, no r, the original K400) received a firmware update and Ubuntu prompted me to install it a few years back, when the vulnerability was in the news. (Unless there's more than one vulnerability, god please don't tell me there's more than one, and Logitech only uploaded the firmware to fwupd.org once).

@mcc https://fwupd.org/lvfs/search?value=logitech+unifying+receiver shows a couple of firmwares, each of which has several versions, fixing various vulnerabilities identified as "Bastille security issue" (for numbers like 1, 2, and 13). The last release date is from 2023.

I'm cautiously optimistic.

@mgedmin I have already updated the firmware to the newest version using the official tool (Logi Options +) on Windows.

I don't know if there's more than one vulnerability. That was the question. The original hackers appeared to be describing more than one vulnerability.

@zwangseinweisung
I second looking at fwupd on Linux. Logitech was first to adopt it to distribute a fix for what I think is this security issue. https://fwupd.org/lvfs/devices/#logitech It is a Linux builtin update service, not depending on buggy vendor applications. If Linux is not (yet) your main OS you can run a live image from say Debian, Ubuntu or Linux Mint off of a USB-stick and will probably be able to do the firmware update from there.
@mcc @utzer

@nicorikken @zwangseinweisung @utzer I am somewhat confused why, when I have already explained above I have upgraded to the vendor's newest firmware version using the vendor's official Windows tool, I have people urging me to do a separate firmware update via Linux. Am I missing something?