Flaw in Logitech Options App
Logitech has issued a patched version of its Logitech Options desktop app, months after a flaw was discovered in it. The bug could have allowed hackers to launch keystroke injection attacks against Logitech keyboard owners who used the app. Google Project Zero security researcher Tavis Ormandy found the bug in September and made the vulnerability public this week. The Logitech Options app lets users customize the functions of their Logitech computer peripherals, including mice, keyboards and touchpads. Ormandy decided to release the bug publicly on Wednesday after Logitech failed to address the flaw for three months, despite assurances to the researcher that it would.
According to his report, Ormandy tried to reconfigure a button on his Logitech mouse in Windows and learned that, in order to do so, he had to download the 149 MB Logitech Options app. The software uses Electron, an open source framework that enables users to develop cross-platform desktop applications in JavaScript, but which has also been subject to serious security vulnerabilities. Upon inspecting the Logitech Options app, Ormandy discovered it opened a local WebSocket server that expects JSON messages. The first flaw Ormandy found is the ability to crash that server by sending JSON data with incorrect data types.
Ormandy found an even easier way to hack the software. The WebSocket service allows connections from any website. A service of that type should check the origin of the calling webpage so that only authorized webpages can open a connection, which would mean that only https://www.logitech.com/ should have been able to access the service, but the Logitech Options app does not properly authenticate these connections. The only form of authentication in the Logitech Options app is to expect the connecting webpage to know the Windows process ID of the running Logitech software. However, process IDs can easily be brute-forced, as they are relatively small numbers: a Windows process ID is 32 bits in length, but because the numbers are assigned incrementally and the software is executed early in the boot process, it will almost always have a small process ID. In addition, an exploit is easy, as the Logitech Options app permits unlimited guesses.
The flaw stems from the app opening a WebSocket server that allows outside access to the app from any website, with minimal authentication. The only authentication is that the caller has to provide a process ID of a process owned by the user, and because the app allows unlimited guesses, it can be brute-forced in microseconds. From there, a hacker can use a malicious website to send commands to the Options app and change a user's settings. A hacker could also send random keystrokes by changing some simple configuration settings. This may allow a hacker to access any information and even take over a targeted machine. The app is set to run automatically on boot, so Options runs persistently in the background, giving any hacker constant access as long as the machine is on.
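
The checks the article describes as missing, written as a handshake gate for a local WebSocket service: an Origin allowlist, a random token in place of the process ID, and a cap on failed guesses. This is an added example, not code from Logitech or from Ormandy's report; the function names, the lockout threshold and the status codes are assumptions.

```javascript
// Added example. createGate/authorizeUpgrade and MAX_FAILURES are hypothetical.
const { randomBytes, timingSafeEqual } = require('node:crypto');

const ALLOWED_ORIGINS = new Set(['https://www.logitech.com']); // origin named in the article
const MAX_FAILURES = 5; // assumed lockout threshold

function createGate() {
  return {
    // 256-bit random secret handed to the legitimate client out of band.
    // Unlike a small, incrementally assigned process ID, it cannot be enumerated.
    token: randomBytes(32).toString('hex'),
    failures: 0,
  };
}

// Constant-time comparison so response timing does not leak matching prefixes.
function tokensMatch(expected, presented) {
  const a = Buffer.from(expected);
  const b = Buffer.from(String(presented ?? ''));
  return a.length === b.length && timingSafeEqual(a, b);
}

// headers: lower-cased HTTP headers of the WebSocket upgrade request.
// Returns the decision instead of touching a socket, so it can be tested offline.
function authorizeUpgrade(gate, headers, presentedToken) {
  if (gate.failures >= MAX_FAILURES) {
    return { ok: false, status: 429, reason: 'locked' }; // no unlimited guessing
  }
  // Browsers always attach Origin to a WebSocket handshake and page script
  // cannot override it, so an allowlist stops arbitrary websites here.
  const origin = headers.origin;
  if (!origin || !ALLOWED_ORIGINS.has(origin)) {
    return { ok: false, status: 403, reason: 'origin' };
  }
  if (!tokensMatch(gate.token, presentedToken)) {
    gate.failures += 1;
    return { ok: false, status: 401, reason: 'token' };
  }
  gate.failures = 0;
  return { ok: true, status: 101, reason: 'accepted' };
}
```

The Origin header only constrains browsers, since a local process can send any value it likes, which is why the token check and the failure cap stay in place behind it.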