Updated with comments from SteelSeries.
The day after we learned that Razer gaming mice could be used to hijack Windows PCs, there was news that the same trick could be used with SteelSeries gaming keyboards, mice, headsets, and mouse pads.
As with the Razer mouse, it is the accompanying Windows desktop application that actually causes the problem: it obtains system-wide privileges without asking for permission from the system administrator during installation.
The flaw was discovered by security researcher Lawrence Amer, who was inspired by the Razer problem.
A malicious person sitting at a Windows 10 (and possibly Windows 11) PC as a low-privilege user, or malware already running on it, can take advantage of this flaw to gain complete control of the system.
In cybersecurity terminology, this is called privilege escalation (or elevation of privilege): the acquisition of privileges that a process or user should not have.
However, this flaw is not the fault of SteelSeries or Razer. These companies are simply trying to install software quickly.
This is instead a Microsoft problem because Windows does not distinguish between hardware drivers (which usually do not require administrative privileges to install) and peripheral-related desktop software (which should require administrative privileges).
Microsoft needs to fix this privilege escalation situation before more problems like this come up.
To prevent gaming peripherals from vandalizing your PC, make sure to lock the screen of your workplace PC when you leave your desk.
PCs at home are less exposed to the threat of this type of attack because they have fewer potential users. However, if you have a large number of visitors, you may want to shut down your PC.
To prevent such an attack from happening to your machine, log on as an administrator, go to "System" > "Settings" > "About" and click on the "Advanced System Settings" link. You will then see a box labeled "System Properties". Select the "Hardware" tab and click the "Device Installation Settings" button.
In the subsequent pop-up window titled "Do you want to automatically download manufacturer-made apps and custom icons available for your device?", select the radio button labeled "No (your device may not work as expected)".
As you can imagine, this makes installing new hardware, not only gaming mice and keyboards, but also printers, headphones, and even USB security keys, a bit more daunting, if not impossible. (Thanks to Paul Ducklin of Sophos' Naked Security blog for this tip.)
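The same setting, audited and optionally applied from an elevated PowerShell prompt instead of the GUI (an added example, not code from the article or from either vendor); it assumes the radio button above corresponds to the PreventDeviceMetadataFromNetwork DWORD under the Device Metadata registry key, and the -Enforce switch name is my own.

```powershell
# Added example: check whether Windows is allowed to fetch vendor companion apps
# for newly plugged-in hardware, and switch it off on request.
# Assumption: the "No (your device may not work as expected)" choice maps to
#   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Device Metadata
#   PreventDeviceMetadataFromNetwork (DWORD): 1 = No, 0 or absent = Yes.
# Run in an elevated PowerShell session; -Enforce is a switch name chosen here.
[CmdletBinding()]
param([switch]$Enforce)

$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Device Metadata'
$ValueName = 'PreventDeviceMetadataFromNetwork'

function Get-DeviceMetadataSetting {
    # Returns the effective value; a missing value means Windows defaults to "Yes".
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.$ValueName
}

$current = Get-DeviceMetadataSetting
if ($current -eq 1) {
    Write-Host "OK: automatic download of manufacturer apps is disabled ($ValueName = 1)."
} else {
    Write-Warning "Exposed: Windows will fetch vendor companion apps when new hardware is plugged in ($ValueName = $current)."
    if ($Enforce) {
        if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
        Set-ItemProperty -Path $KeyPath -Name $ValueName -Value 1 -Type DWord
        Write-Host "Set $ValueName = 1. Drivers still install; vendor installers no longer auto-launch."
    }
}
```

Running it without -Enforce only reports the current state, which is what you want on a fleet audit before changing anything.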
Usually, installing a system-wide application requires administrator privileges before the process can begin, and that is exactly what happens if you download and install the SteelSeries or Razer Synapse desktop software from the companies' websites.
You will be prompted either for an OK (if you are already running Windows as an administrator) or for the administrator password (if you are a restricted user).
For these gaming peripherals and wireless dongles, however, simply connect them to the Windows machine for the first time and Windows will look online for the necessary driver software and optional companion desktop app. The desktop software will be downloaded and the installation process will begin without administrative privileges.
While the installation process is running, you can open a link from the installer interface to open a file explorer window. You can right-click on the file explorer window to open a command line window.
In this case, however, the command line window runs with full system privileges and has the authority to install, remove, and modify files and programs on the entire PC.
All an attacker needs is a small USB dongle from a Razer or SteelSeries wireless mouse or keyboard.
In fact, an Android-based tool has already been created that can fool a PC into thinking a Razer or SteelSeries device is connected. Someone armed with that tool could gain full system privileges by plugging their phone into the USB port of a Windows machine at work, gaining a valuable foothold in the corporate network.
It would also not be too difficult to reprogram an ordinary USB stick to make a PC think it is a Razer or SteelSeries dongle. Such sticks could then be dropped in a company parking lot in the hope that a curious employee plugs one in.
Again, all Microsoft needs to do is make Windows distinguish between the device drivers it requires and the optional applications that accompany the devices. Right now, both are treated the same.
Windows could also require administrator permission before installing a device driver.
A SteelSeries spokesperson contacted Tom's Guide and provided the following statement:
"We are aware of the issue identified here. The SteelSeries installer that launches when a new SteelSeries device is connected has been proactively disabled. This immediately eliminates the opportunity for exploits and we are working on a software update that will permanently address this issue and will be released soon."