Saturday, December 22, 2018

Logitech Leaves Keystroke Injection Flaw Unaddressed for Months.

    Three months ago, security researcher Travis Ormandy from Google Project Zero detailed a significant flaw of which Logitech has finally released a patch. In his September 18th meeting the engineers at Logitech gave the impression that they understood the problem and had a fix in mind and were ready to roll out a patch immediately.

    The flaw in the Logitech Options application resides in the users ability to customize the behavior or buttons on their mice and keyboards. This feature is enabled by an app that leaves a WebSocket server on the system that the app is installed upon. That server supports several intrusive commands, auto-starts due to a registry entry, and has a very flimsy authentication method. 
Travis details in his report: “The only ‘authentication’ is that you have to provide a Process ID (PID) of a process owned by your user, but you get unlimited guesses so you can brute force it in microseconds.” Once a malicious actor puts in the microseconds of work needed to gain access they can send commands, change options or even send keystrokes. This suggests that the app could be a fantastically powerful attack platform locally or even remotely through the use of keystroke injection attacks.

     Injection attacks can give an actor the ability to create other attack vectors within an organization. They can farm information from infected systems like email and contact information, install additional malware like keyloggers or botnets, or even perform a total system take over. An exploit like this can very easily be used to gain additional access to other systems or servers within an organization. In turn, that can easily turn into a massive data breach and/or loss of customer data. Alternatively it can be used to gain banking information or even direct access, turning your keyboard or mouse into a platform to exploit a less security-conscious home user’s banking or credit card information, access medical records or log passwords, or even add them to a botnet.

     Ormandy details that the issue was not resolved in the October 1st release of the Options app. After giving Logitech three months to fix the issue, he decided to go public with his bug report. It seems that the bug report had some traction on twitter by Dec 11th pointing out that the problem exists on the Mac versions as well. The patch was released Thursday Dec 13th. Ormandy continues to show skepticism that Logitech will act promptly without the threat of bad publicity.