Logitech Keystroke Injection Flaw Went Unaddressed for Months

logitech keystroke injection flaw

The flaw allows a remote attacker to gain full access over a machine.

Computer peripheral giant Logitech has finally issued a patched version of its Logitech Options desktop app, after being taken to task for a months-old security flaw. The bug could have allowed adversaries to launch keystroke injection attacks against Logitech keyboard owners that used the app.

Google Project Zero security researcher Tavis Ormandy found the bug in September and publicly disclosed the vulnerability this week. The Logitech Options app lets users customize the functions of their Logitech computer peripherals, including mice, keyboards and touchpads.

Logitech Keyboard Vulnerability Ormandy reported the flaw stems from the fact that the app opens up a WebSocket server that allows outside access to the app from any website, with minimal authentication.

“The only ‘authentication’ is that you have to provide a [process ID] of a process owned by your user, but you get unlimited guesses so you can bruteforce it in microseconds,” he explained in a Project Zero bug report that went live this week.

From there, a malicious actor could use a rogue website to send a range of commands to the Options app and change a user’s settings. In addition, a malicious actor could send arbitrary keystrokes by changing some simple configuration settings. That in turn would allow a hacker to access all manner of information and even take over a targeted machine.

Further, the app is set to auto-run upon boot-up, so users of the desktop app are essentially running Options persistently in the background – giving any attacker near-continuous access as long as the user’s machine is switched on.

Ormandy decided to  publicly disclose the bug on Wednesday after Logitech didn’t address the flaw for three months, despite assurances to the researcher that it would.

“Had a meeting with Logitech engineers on the 18th September, they assured me they understood the issues and were planning to add Origin checks and type checking,” he said. “There was a new release on October 1st, but as far as I can tell they did not resolve any of the issues. This is now past deadline, so making public.”

The bug report got some attention on Twitter, with others chiming in that the same problems exist in the Mac version. Late Thursday the new version was pushed out:

Release Options 7.00.564 addresses the vulnerability, Logitech said, but as of Friday morning Ormandy sounded skeptical.

“On the Logitech webpage they mention as changes for 7.00.564: ‘You can now backup your device settings to the cloud automatically after creating an account. Log into your Options account and download the backed up settings to set up your device easily on any computer. Bug fixes and improvements.’ (Which can mean anything…)” Ormandy wrote.

 

Suggested articles