Serious security problem with peripherals from Razer and Asus. The automatic installation of drivers via Windows Update allows attackers to gain admin rights. However, the danger for home users is currently still low.
Hack can be executed quickly
All that is needed for the said hack is a corresponding input device or dongle, which must be connected to the affected computer. While the driver is being installed, the command prompt can be accessed from a normal user account via Explorer with administrator privileges.
As a device driver, the driver requires corresponding rights for the installation, which the Explorer receives. The installation is done on the system level – if the installation directory is placed on the desktop, the hack can be permanently activated by constantly executing the file during the boot process. It is not even necessary to have the affected input device.
By means of spoofing (i.e. faking the corresponding vendor ID), the installation process can be easily triggered. This is reported by security expert Cristian Mariolini (“jonhat”) via Twitter and shows in a video how easy the hack is possible. According to his own account, he also tried to contact Razer regarding the security problem – without success.
Spoofing is even possible with the help of inexpensive solutions like Arduino or Raspberry, expensive gaming hardware is not needed for this. The installation can even be triggered again by changing the USB port.
Despite being demonstrated with Razer peripherals that require the manufacturer’s Snyapse software, the hack is also said to work with ROG mice, as from the thread on Twitter. In the meantime, Razer has issued a statement and will probably provide an update soon that fixes the problem:
We were made aware of a situation in which our software, in a very specific use case, provides a user with broader access to their machine during the installation process.
We have investigated the issue, are currently making changes to the installation application to limit this use case, and will release an updated version shortly. The use of our software (including the installation application) does not provide unauthorized third-party access to the machine.
We are committed to ensuring the digital safety and security of all our systems and services, and should you come across any potential lapses, we encourage you to report them through our bug bounty service, Inspectiv: https://app.inspectiv.com/#/sign-up.Razer
Little danger for home users
Since home users usually already have admin rights for their computer, the danger is currently considered relatively low. In addition, physical access to the computer is necessary in order to use the hack at all; there is no danger from the Internet.
This could only be a problem in centrally controlled company networks where Windows updates are administered.