Logitech has been forced to update its Options app after its was discovered that it has a flaw that could trigger keystroke injections.
According to a disclosure notice by Tavis Ormandy, a researcher from Google’s Project Zero, the vulnerability could enable a hacker to exploit keystroke injection attacks on a targeted device. The Options app by Logitech enables users of its mouses, touch pads, and keyboards to customise how these devices are used.
He said that the app spawns multiple subprocesses and appears to be an electron app.
"It also opens a websocket server on port 10134 that any website can connect to, and has no origin checking at all," he said.
He added that in trying to figure out what this websocket server does, "it's immediately obvious that it expects JSON messages, and there is zero type checking of properties, so it crashes like crazy".
Ormandy then figured out it was easy to brute force a user’s authentication PID. Once this is guessed correctly, a hacker can then send commands and options and configure the "crown" to send arbitrary keystrokes. Such attacks can then allow an attacker to assume complete control of a system. This suggests that the app could be used in keystroke injection attacks, such as the infamous "Rubber Ducky" attack.
The researcher found the vulnerability in September and informed Logitech about it. He added that he met Logitech engineers on 18 September, this year, at which point they assured him that they understood the issues and were planning to add Origin checks and type checking. Ormandy noted that there was a new release of the app on 1 October, but as far as he could tell they did not resolve any of the issues.
"This is now past deadline, so making public. I would recommend disabling Logitech Options until an update is available," he said last week.
On 13 December, Logitech released a new version of the app (7.00.564). According to a Twitter update by Logitech, the flaw has now been fixed, but other researchers have claimed that the vulnerability could still be reproduced. Ormandy himself is yet to confirm whether the fix works or not. Logitech hasn’t revealed any further details on how the bug has been patched.
In response to Logitech’s twitter update, another user by the name of Enigmaxg2, said that companies should stop using web frameworks for everything. "On top of the unneeded resource usage (because it's running an embedded browser) I don't want to know what will happen when chromium vulnerabilities begin to arise," they said.
A spokesman for Logitech said that "the release of Logitech Options 7.00, which addresses Origin checks and type checking, is now live and can be downloaded for Windows and Mac". A download for the updated Options app is available here.
According to Chris Wallis, founder & CEO of Intruder Systems, it’s "another nice catch of sloppy security by Google's bugfinder-in-chief Tavis Ormandy, but the extent of the vulnerability is unlikely to be very wide".
"Although it opens a port on your local machine, that program is extremely unlikely to be located on anything facing the internet – as things like web servers don't need to add options to their bluetooth mouse," he told SC Media UK.