logitech: "Options" Craft WebSocket server has no authentication - your keyboard can be remotely controlled by javascript in webpages!

[Questargon]

Oh great.

It seems, that the Logitech Driver Software called "Logitech Options" opens up a websocket without any authentication so it can be used by anything that gets access to it - being a websocket, code executed in a webpage in your local webbrowser is included. There is no fix so far.

 

Logitech Options is the default software suite that all newer devices from Logitech use. The older software called "SetPoint" does not seem to be affected.

 

Project Zero found this bug: https://bugs.chromium.org/p/project-zero/issues/detail?id=1663

German website golem.de has an article as well (in german, sorry... ) https://www.golem.de/news/logitech-options-logitech-software-ermoeglicht-boesartige-codeausfuehrung-1812-138218.html

 

If you're versatile with system administration, you might be able to block this port via a firewall or remove the service in question. I did not try this myself, so removing the software entirely is the quick and easy way out.

 

Stay safe,

questargon

[Ashley MLP Fangirl]

so can they see your keystrokes if you have like 50 tabs open and one of them exploits this?

[Arika]

Question: Why is keyboard software even connected to the internet?

[Questargon]

1 minute ago, firelighter487 said:

so can they see your keystrokes if you have like 50 tabs open and one of them exploits this?

Nope. When you load a malicious website, the javascript within can connect to that websocket and issue keystrokes that look like you typed them in yourself. Think opening a commandline and being able to write anything there to be executed immediately ... like removing your Documents-Folder or installing a backdoor etc. Only the imagination of the attacker is limiting him here.

[Questargon]

1 minute ago, Arika S said:

Question: Why is keyboard software even connected to the internet?

It's kinda the other way around... the internet can connect to the keyboard software via javascript.

[Olllllli]

So can I find the service in "Services", and if so, the name is "Logitech Options"?

 

[Ashley MLP Fangirl]

3 minutes ago, Questargon said:

Nope. When you load a malicious website, the javascript within can connect to that websocket and issue keystrokes that look like you typed them in yourself. Think opening a commandline and being able to write anything there to be executed immediately ... like removing your Documents-Folder or installing a backdoor etc. Only the imagination of the attacker is limiting him here.

that's arguably a lot worse than a keylogger... 

[Granular]

Insecure, yes, but also convenient. Until malware exploits it and installs ransomware and you lose everything on your computer. But until then, pretty convenient.

[Taf the Ghost]

57 minutes ago, Olllllli said:

So can I find the service in "Services", and if so, the name is "Logitech Options"?

 

It should be LogiOptions.exe. Get a copy of AutoRuns from MS's development website and disable it. Options doesn't have to actually run all of the time and it really does very little. 

[Dabombinable]

Setpoint didn't need to link up to the internet to do its thing...so why does its replacement need the internet?

[Bouzoo]

1 hour ago, Arika S said:

Question: Why is keyboard software even connected to the internet?

Probably to check for software updates.

[TetraSky]

I only use the Logitech Gaming Software for both my keyboard and mouse, sooooo.... Is Options (terrible name) for people who buy the non-gaming peripherals of Logitech?

[Origami Cactus]

40 minutes ago, TetraSky said:

I only use the Logitech Gaming Software for both my keyboard and mouse, sooooo.... Is Options (terrible name) for people who buy the non-gaming peripherals of Logitech?

Yeah. It used to be Logitech setpoint, but now it seems that the newest peripherals get the logitech options.

But logitech gaming products use the logitech gaming program.

[Taf the Ghost]

40 minutes ago, TetraSky said:

I only use the Logitech Gaming Software for both my keyboard and mouse, sooooo.... Is Options (terrible name) for people who buy the non-gaming peripherals of Logitech?

Yes. I think if you had a number of wireless devices from Logitech, it'd be a lot more useful. However, in our space, we see more of the Gaming parts. 

[GoodBytes]

I think they have done this to allow to control another PC with the connected mouse and keyboard, a feature that Logitech offers to select peripheral like the: MX Master 2S. This is the same system (but more primitive) than Microsoft's Mouse Without Borders or InputDirector or Synergy, as example of similar apps.

Logitech calls theirs: Logitech Flow

 

Usually, these type of software requires a code to be used to encrypt the connection or secure in some ways.

However, Logitech Options has none of that, making the setup experience easier to get started. But.. well... I guess... not secured.

 

The article points to Logitech Craft Keyboard knob thingy that it has (Logitech Crown) saying that he guesses it is from that... but I think it has more to do with the Logitech Flow feature as it would make more sense.

[Questargon]

2 hours ago, GoodBytes said:

I think they have done this to allow to control another PC with the connected mouse and keyboard, a feature that Logitech offers to select peripheral like the: MX Master 2S. This is the same system (but more primitive) than Microsoft's Mouse Without Borders or InputDirector or Synergy, as example of similar apps.

Logitech calls theirs: Logitech Flow

 

Usually, these type of software requires a code to be used to encrypt the connection or secure in some ways.

However, Logitech Options has none of that, making the setup experience easier to get started. But.. well... I guess... not secured.

 

The article points to Logitech Craft Keyboard knob thingy that it has (Logitech Crown) saying that he guesses it is from that... but I think it has more to do with the Logitech Flow feature as it would make more sense.

Hmm.... following that logic all devices that use Logitech Flow must have "Options" installed? Does Logitech offer "Options" for MacOS as well? If so, Mac-Users might have the same bug there.

(Digging on Logitechs' Website ...)

Ooookay, there IS an "Options" for MacOS as well. Can somebody check for an open websocket on port 10134 under MacOS with "Logitech Options" installed?

Edited December 13, 2018 by Questargon
Remove unneccessary comment about the Logitech Website.

[DrDerp]

Just a quick question; does this affect Logitech Gaming Software users? I've read through everything here but I am still a bit confused.

[williamcll]

>inb4 pewdiepie fans hack keyboards asking to subscribe.

[Drak3]

6 hours ago, Arika S said:

Question: Why is keyboard software even connected to the internet?

Updates. Constant updates.

[Fetzie]

10 hours ago, DrDerp said:

Just a quick question; does this affect Logitech Gaming Software users? I've read through everything here but I am still a bit confused.

I have the Logitech gaming software running and have no application listening on TCP 10143

[GoodBytes]

Logitech released a new update of its Logitech Options utility with the vulnerability fixed

https://www.logitech.com/en-us/product/options

 

[edit]

No they have not. The issue could still be replicated

[GoodBytes]

Please note that if you upgrade to the New Logitech Options.

Logitech does something similar to Microsoft with force account creation.

Click the "X", which suggest closing the program, but really will "skip" the account creation/login phase.

 

[FPSwithaWacomTablet]

On 12/13/2018 at 4:56 AM, Arika S said:

Question: Why is keyboard software even connected to the internet?

I did it once for some interactive room lighting effects using an ESP8266 connected to my wifi. Though the point still stands that there is no authentication for this web socket.

 

Hell, you could do these yourselves. There's a built-in ESP8266 inside these things with pins exposed.

 https://www.itead.cc/sonoff-wifi-wireless-switch.html

[Jito463]

There's a reason I'm inherently distrustful of any software that connects to the internet when it has no reason to.

[NumLock21]

Looks like the latest version of Logitech Options did not fix the flaw yet.

https://bugs.chromium.org/p/project-zero/issues/detail?id=1663