Jump to content

Logitech Keystroke Injection Flaw Went Unaddressed for Months

The AchieVer

Recommended Posts




The flaw allows a remote attacker to gain full access over a machine.

Computer peripheral giant Logitech has finally issued a patched version of its Logitech Options desktop app, after being taken to task for a months-old security flaw. The bug could of allowed adversaries to launch keystroke injection attacks against Logitech keyboard owners that used the app.

Google Project Zero security researcher Tavis Ormandy found the bug in September and publicly disclosed the vulnerability this week. The Logitech Options app lets users customize the functions of their Logitech computer peripherals, including mice, keyboards and touchpads.

Logitech Keyboard Vulnerability Ormandy reported the flaw stems from the fact that the app opens up a WebSocket server that allows outside access to the app from any website, with minimal authentication.

“The only ‘authentication’ is that you have to provide a [process ID] of a process owned by your user, but you get unlimited guesses so you can bruteforce it in microseconds,” he explained in a Project Zero bug report that went live this week.

From there, a malicious actor could use a rogue website to send a range of commands to the Options app and change a user’s settings. In addition, a malicious actor could send arbitrary keystrokes by changing some simple configuration settings. That in turn would allow a hacker to access all manner of information and even take over a targeted machine.

Further, the app is set to auto-run upon boot-up, so users of the desktop app are essentially running Options persistently in the background – giving any attacker near-continuous access as long as the user’s machine is switched on.

Ormandy decided to  publicly disclose the bug on Wednesday after Logitech didn’t address the flaw for three months, despite assurances to the researcher that it would.

“Had a meeting with Logitech engineers on the 18th September, they assured me they understood the issues and were planning to add Origin checks and type checking,” he said. “There was a new release on October 1st, but as far as I can tell they did not resolve any of the issues. This is now past deadline, so making public.”

Patched Version Made Available

The bug report got some attention on Twitter, with others chiming in that the same problems exist in the Mac version. Late Thursday the new version was pushed out:



Link to comment
Share on other sites

  • Views 235
  • Created
  • Last Reply


This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...