How Logitech’s Bolt Highlights Bluetooth Insecurities

Your wireless keyboard might be less secure than you think. And even wires might not help.

Logitech’s new Logi Bolt USB dongle provides an encrypted connection between your mouse and keyboard, and your computer. Regular Bluetooth might be convenient, and mostly reliable, but it’s not secure—as we’re about to find out.

“Bluetooth is highly insecure,” Roger Smith, IT expert and industry fellow at the Australian Defence Force Academy, told Lifewire via email.

There are two kinds of keyboard and mouse hacks you should worry about. One is key logging, or intercepting the keystrokes of your wireless keyboard. A hacker could steal passwords, secrets, or anything else you type into your computer, even if you assume it’s safe because it’s not connected to the internet.

The other is an attack where the intruder takes over your mouse, and can then control your computer from afar. Mousejack is an example of such an exploit, and although it doesn’t affect Bluetooth, it is effective against many devices.

“There are many problems with Bluetooth,” says Smith. “It’s only protection/security is based around a connection’s ability to frequency hop. This is based on an algorithm that is combined with the passcode of the devices pairing.”

No problem. If you really want security, then just hook up a cable, right? Nope. Cables can be even worse. If you’re in a shared office, it’s easy to replace your USB cable with one that can steal keystrokes and log them. It’s even possible to conceal a Wi-Fi device inside a USB-C cable to transmit those keystrokes to a remote device.

And even if Bluetooth were secure (which it certainly is not), an intruder can always insert themselves between the device and computer, in what’s known as a “man-in-the-middle” attack.

“It is easy enough to get another device in between the base station and the device and get everything off it in plain text, especially if the code is the standard 0000,” says Smith.

Secure Design
For most of us, this is never a problem. But for people who work in very secure environments, and who work with valuable secrets and data, any vulnerability is a big deal. That’s where encrypted connections come in.

Logitech already has a USB dongle that lets its keyboards and mice communicate wirelessly with computers. It’s usually more reliable than Bluetooth, and offers an instant, always on connection. And because it presents itself to the computer as a standard USB device, it always works, even on computers with all their radios shut off.

The Bolt dongle doesn’t work with existing devices. You need Bolt-compatible peripherals to use it. Bolt actually uses Bluetooth with “additional Logitech security features,” but works just like the old dongles.

The connection is secure and encrypted, with no option to disable it. And like the existing Logitech dongle system, it’s easier and better than plain Bluetooth. The latency (delay) of transmitted signals is lower, and you don’t have to pair anything. If you want to use it on a different computer, just unplug the dongle and move it—the same as with a cable.

Logitech knows all about the importance of wireless security. It was one of the victims of the Mousejack hack of 2016, and in 2019, new vulnerabilities were discovered in Logitech’s “unifying receivers.” In fact, one reporter found that Logitech was still selling Mousejack-compromised dongles that same year.

“There are many problems with Bluetooth. It’s only protection/security is based around a connection’s ability to frequency hop.”

Hopefully this time will be different.

There aren’t so many other options, though. The Matias Secure Pro also used a USB dongle for its connection, and featured clicky keys, but that has been discontinued. Mostly what you find when you search for secure keyboards are wired models. And really, wired is the best way to go if you really want security.

Yes, it’s possible to compromise, but doing so requires physical access to your office or home. That’s easier to pull off in a shared environment, but for private individuals, well—we don’t really need to worry. And if you do need to worry, you surely already know about it.

Leave a Reply