Logitech app security flaw allowed keystroke injection attacks
Logitech has released a security patch for one of its apps after it previously ignored a bug report from the Google Project Zero security team for three months.
The vulnerability was found in versions of Options, a Logitech app that lets users customize buttons and the behavior of their mice, keyboards, and touchpads.
Back in September, Google security researcher Tavis Ormandy discovered that the app was opening a WebSocket server on users’ computers.
The problem was that this server featured support for a bunch of intrusive commands, used a registry key to auto-start on each system boot, and came with a lackadaisical authentication system.
“The only ‘authentication’ is that you have to provide a PID [process ID] of a process owned by your user,” said Ormandy in a bug report, “but you get unlimited guesses so you can bruteforce it in microseconds.”
“After that, you can send commands and options, configure the ‘crown’ to send arbitrary keystrokes, etc, etc.,” the expert said, suggesting the app could be a perfect attack surface for both local and remote keystroke injection (Rubber Ducky) attacks that have historically been used to take over PCs.
Ormandy reported the issue to Logitech in mid-September. But while the Logitech team acknowledged the bug report, the company never shipped a patch.
“I […] had a meeting with Logitech engineers on the 18th September, they assured me they understood the issues and were planning to add Origin checks and type checking,” Ormandy said. “There was a new release on October 1st, but as far as I can tell they did not resolve any of the issues.”
Because the company had not addressed the privately reported issue after 90 days, Ormandy disclosed his findings on Tuesday this week.
After the bug report got some traction and attention among security researchers on Twitter last night, Logitech rushed to patch and release Options 7.00.564 to address the reported issues.
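The two fixes Ormandy says Logitech's engineers planned, Origin checks and type checking, together with a replacement for the guessable PID check, can be sketched as follows. This is an added example, not Logitech's code: the allowed origin, the command schema, the `AuthGate` class and the shared secret (assumed to be a long random value handed only to the legitimate client) are all hypothetical.

```python
import hmac
import json

ALLOWED_ORIGINS = {"app://options-ui"}  # assumption: the one legitimate UI origin
MAX_AUTH_FAILURES = 3
# Hypothetical command schema: command name -> {argument: required type}
SCHEMA = {"set_button": {"button": int, "action": str}}

def origin_allowed(headers):
    """Refuse the WebSocket upgrade unless Origin is on the allowlist."""
    # Browsers set Origin on WebSocket handshakes and page script cannot
    # change it, so this keeps arbitrary web pages off the local socket.
    return headers.get("Origin") in ALLOWED_ORIGINS

class AuthGate:
    """Secret-based auth with a failure cap shared by all connections."""
    def __init__(self, secret):
        self._secret = secret.encode()
        self.failures = 0

    def authenticate(self, presented):
        if self.failures >= MAX_AUTH_FAILURES:
            return False  # locked: no further guesses are evaluated
        if isinstance(presented, str) and hmac.compare_digest(
                presented.encode(), self._secret):
            return True
        self.failures += 1
        return False

def parse_command(raw):
    """Type-check one JSON message; return (name, args) or None."""
    try:
        msg = json.loads(raw)
    except (ValueError, TypeError):
        return None
    if not isinstance(msg, dict):
        return None
    name, args = msg.get("cmd"), msg.get("args")
    if not isinstance(name, str) or name not in SCHEMA:
        return None
    fields = SCHEMA[name]
    if not isinstance(args, dict) or set(args) != set(fields):
        return None
    # type() rather than isinstance(): bool is a subclass of int in Python
    if any(type(args[k]) is not t for k, t in fields.items()):
        return None
    return name, args
```

The Origin check only constrains browsers; a local process can send any header it likes, which is why the secret and the failure cap are still needed alongside it.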