Jump to content
Search In
  • More options...
Find results that contain...
Find results in...

logitech: "Options" Craft WebSocket server has no authentication - your keyboard can be remotely controlled by javascript in webpages!

Go to solution Solved by Questargon,

A new version of Options has just been released. Logitech added additional origin checks to prevent misuse of that websocket. See the thread in Project-Zero: https://bugs.chromium.org/p/project-zero/issues/detail?id=1663

EDIT: The OP of that thread has not reacted yet though, so you might want to wait until he also says that it is ok now.

EDIT2: Bug is fixed.

 

Oh great.

It seems, that the Logitech Driver Software called "Logitech Options" opens up a websocket without any authentication so it can be used by anything that gets access to it - being a websocket, code executed in a webpage in your local webbrowser is included. There is no fix so far.

 

Logitech Options is the default software suite that all newer devices from Logitech use. The older software called "SetPoint" does not seem to be affected.

 

Project Zero found this bug: https://bugs.chromium.org/p/project-zero/issues/detail?id=1663

German website golem.de has an article as well (in german, sorry... ? ) https://www.golem.de/news/logitech-options-logitech-software-ermoeglicht-boesartige-codeausfuehrung-1812-138218.html

 

If you're versatile with system administration, you might be able to block this port via a firewall or remove the service in question. I did not try this myself, so removing the software entirely is the quick and easy way out.

 

Stay safe,

questargon

CPU Ryzen 5 3600 | MoBo Asus Prime X470-Pro | RAM 16GB Vengance RGB@3600/18 | GPU EVGA GTX 1070 SC Gaming | Case Enthoo Pro M SE
PSU bq! Pure Power 10 500W CM | Cooling Scythe Kabuto 3 & Cryorig QF120, 5x Arctic F14 | Sound SB Z Retail | Storage Samsung 970 EVO 500GB
Display(s) DELL 2001FP, DELL 2407WFP, LG 34UM95 | Keyboard Kinesis Freestyle Edge | Mouse Logitech G900 Chaos Spectrum | OS Windows 10

Link to comment
Share on other sites

Link to post
Share on other sites

so can they see your keystrokes if you have like 50 tabs open and one of them exploits this?

She/Her

MacBook Pro 13" Early 2015 | i5 5257U | Intel Iris 6100 | 8GB Ram | 120GB SSD | macOS Monterey

Link to comment
Share on other sites

Link to post
Share on other sites

1 minute ago, firelighter487 said:

so can they see your keystrokes if you have like 50 tabs open and one of them exploits this?

Nope. When you load a malicious website, the javascript within can connect to that websocket and issue keystrokes that look like you typed them in yourself. Think opening a commandline and being able to write anything there to be executed immediately ... like removing your Documents-Folder or installing a backdoor etc. Only the imagination of the attacker is limiting him here.

CPU Ryzen 5 3600 | MoBo Asus Prime X470-Pro | RAM 16GB Vengance RGB@3600/18 | GPU EVGA GTX 1070 SC Gaming | Case Enthoo Pro M SE
PSU bq! Pure Power 10 500W CM | Cooling Scythe Kabuto 3 & Cryorig QF120, 5x Arctic F14 | Sound SB Z Retail | Storage Samsung 970 EVO 500GB
Display(s) DELL 2001FP, DELL 2407WFP, LG 34UM95 | Keyboard Kinesis Freestyle Edge | Mouse Logitech G900 Chaos Spectrum | OS Windows 10

Link to comment
Share on other sites

Link to post
Share on other sites

1 minute ago, Arika S said:

Question: Why is keyboard software even connected to the internet?

It's kinda the other way around... the internet can connect to the keyboard software via javascript.

CPU Ryzen 5 3600 | MoBo Asus Prime X470-Pro | RAM 16GB Vengance RGB@3600/18 | GPU EVGA GTX 1070 SC Gaming | Case Enthoo Pro M SE
PSU bq! Pure Power 10 500W CM | Cooling Scythe Kabuto 3 & Cryorig QF120, 5x Arctic F14 | Sound SB Z Retail | Storage Samsung 970 EVO 500GB
Display(s) DELL 2001FP, DELL 2407WFP, LG 34UM95 | Keyboard Kinesis Freestyle Edge | Mouse Logitech G900 Chaos Spectrum | OS Windows 10

Link to comment
Share on other sites

Link to post
Share on other sites

So can I find the service in "Services", and if so, the name is "Logitech Options"?

 

Link to comment
Share on other sites

Link to post
Share on other sites

3 minutes ago, Questargon said:

Nope. When you load a malicious website, the javascript within can connect to that websocket and issue keystrokes that look like you typed them in yourself. Think opening a commandline and being able to write anything there to be executed immediately ... like removing your Documents-Folder or installing a backdoor etc. Only the imagination of the attacker is limiting him here.

that's arguably a lot worse than a keylogger... 

She/Her

MacBook Pro 13" Early 2015 | i5 5257U | Intel Iris 6100 | 8GB Ram | 120GB SSD | macOS Monterey

Link to comment
Share on other sites

Link to post
Share on other sites

Insecure, yes, but also convenient. Until malware exploits it and installs ransomware and you lose everything on your computer. But until then, pretty convenient.

Link to comment
Share on other sites

Link to post
Share on other sites

57 minutes ago, Olllllli said:

So can I find the service in "Services", and if so, the name is "Logitech Options"?

 

It should be LogiOptions.exe. Get a copy of AutoRuns from MS's development website and disable it. Options doesn't have to actually run all of the time and it really does very little. 

Link to comment
Share on other sites

Link to post
Share on other sites

Setpoint didn't need to link up to the internet to do its thing...so why does its replacement need the internet?

"We also blind small animals with cosmetics.
We do not sell cosmetics. We just blind animals."

 

"Please don't mistake us for Equifax. Those fuckers are evil"

 

This PSA brought to you by Equifacks.
PMSL

Link to comment
Share on other sites

Link to post
Share on other sites

1 hour ago, Arika S said:

Question: Why is keyboard software even connected to the internet?

Probably to check for software updates.

The ability to google properly is a skill of its own. 

Link to comment
Share on other sites

Link to post
Share on other sites

I only use the Logitech Gaming Software for both my keyboard and mouse, sooooo.... Is Options (terrible name) for people who buy the non-gaming peripherals of Logitech?

CPU: AMD Ryzen 3600 / GPU: Radeon HD7970 GHz 3GB with Noctua Fans / RAM: Corsair Vengeance LPX 2x8GB DDR4-3200
MOBO: MSI B450m Gaming Plus / NVME: Corsair MP510 240GB / Case: TT Core v21 / PSU: Seasonic 750W / OS: Win 11 Pro

Link to comment
Share on other sites

Link to post
Share on other sites

40 minutes ago, TetraSky said:

I only use the Logitech Gaming Software for both my keyboard and mouse, sooooo.... Is Options (terrible name) for people who buy the non-gaming peripherals of Logitech?

Yeah. It used to be Logitech setpoint, but now it seems that the newest peripherals get the logitech options.

But logitech gaming products use the logitech gaming program.

I only see your reply if you @ me.

Link to comment
Share on other sites

Link to post
Share on other sites

40 minutes ago, TetraSky said:

I only use the Logitech Gaming Software for both my keyboard and mouse, sooooo.... Is Options (terrible name) for people who buy the non-gaming peripherals of Logitech?

Yes. I think if you had a number of wireless devices from Logitech, it'd be a lot more useful. However, in our space, we see more of the Gaming parts. 

Link to comment
Share on other sites

Link to post
Share on other sites

I think they have done this to allow to control another PC with the connected mouse and keyboard, a feature that Logitech offers to select peripheral like the: MX Master 2S. This is the same system (but more primitive) than Microsoft's Mouse Without Borders or InputDirector or Synergy, as example of similar apps.

Logitech calls theirs: Logitech Flow

 

Usually, these type of software requires a code to be used to encrypt the connection or secure in some ways.

However, Logitech Options has none of that, making the setup experience easier to get started. But.. well... I guess... not secured.

 

The article points to Logitech Craft Keyboard knob thingy that it has (Logitech Crown) saying that he guesses it is from that... but I think it has more to do with the Logitech Flow feature as it would make more sense.

Link to comment
Share on other sites

Link to post
Share on other sites

2 hours ago, GoodBytes said:

I think they have done this to allow to control another PC with the connected mouse and keyboard, a feature that Logitech offers to select peripheral like the: MX Master 2S. This is the same system (but more primitive) than Microsoft's Mouse Without Borders or InputDirector or Synergy, as example of similar apps.

Logitech calls theirs: Logitech Flow

 

Usually, these type of software requires a code to be used to encrypt the connection or secure in some ways.

However, Logitech Options has none of that, making the setup experience easier to get started. But.. well... I guess... not secured.

 

The article points to Logitech Craft Keyboard knob thingy that it has (Logitech Crown) saying that he guesses it is from that... but I think it has more to do with the Logitech Flow feature as it would make more sense.

Hmm.... following that logic all devices that use Logitech Flow must have "Options" installed? Does Logitech offer "Options" for MacOS as well? If so, Mac-Users might have the same bug there.

(Digging on Logitechs' Website ...)

Ooookay, there IS an "Options" for MacOS as well. Can somebody check for an open websocket on port 10134 under MacOS with "Logitech Options" installed?

Edited by Questargon
Remove unneccessary comment about the Logitech Website.

CPU Ryzen 5 3600 | MoBo Asus Prime X470-Pro | RAM 16GB Vengance RGB@3600/18 | GPU EVGA GTX 1070 SC Gaming | Case Enthoo Pro M SE
PSU bq! Pure Power 10 500W CM | Cooling Scythe Kabuto 3 & Cryorig QF120, 5x Arctic F14 | Sound SB Z Retail | Storage Samsung 970 EVO 500GB
Display(s) DELL 2001FP, DELL 2407WFP, LG 34UM95 | Keyboard Kinesis Freestyle Edge | Mouse Logitech G900 Chaos Spectrum | OS Windows 10

Link to comment
Share on other sites

Link to post
Share on other sites

Just a quick question; does this affect Logitech Gaming Software users? I've read through everything here but I am still a bit confused.

Who needs fancy graphics and high resolutions when you can get a 60 FPS frame rate on iGPUs?

Link to comment
Share on other sites

Link to post
Share on other sites

>inb4 pewdiepie fans hack keyboards asking to subscribe.

Specs: Motherboard: Asus X470-PLUS TUF gaming (Yes I know it's poor but I wasn't informed) RAM: Corsair VENGEANCE® LPX DDR4 3200Mhz CL16-18-18-36 2x8GB

            CPU: Ryzen 9 5900X          Case: Antec P8     PSU: Corsair RM850x                        Cooler: Antec K240 with two Noctura Industrial PPC 3000 PWM

            Drives: Samsung 970 EVO plus 250GB, Micron 1100 2TB, Seagate ST4000DM000/1F2168 GPU: EVGA RTX 2080 ti Black edition

Link to comment
Share on other sites

Link to post
Share on other sites

6 hours ago, Arika S said:

Question: Why is keyboard software even connected to the internet?

Updates. Constant updates.

Come Bloody Angel

Break off your chains

And look what I've found in the dirt.

 

Pale battered body

Seems she was struggling

Something is wrong with this world.

 

Fierce Bloody Angel

The blood is on your hands

Why did you come to this world?

 

Everybody turns to dust.

 

Everybody turns to dust.

 

The blood is on your hands.

 

The blood is on your hands!

 

Pyo.

Link to comment
Share on other sites

Link to post
Share on other sites

10 hours ago, DrDerp said:

Just a quick question; does this affect Logitech Gaming Software users? I've read through everything here but I am still a bit confused.

I have the Logitech gaming software running and have no application listening on TCP 10143

Intel i7 5820K (4.5 GHz) | MSI X99A MPower | 32 GB Kingston HyperX Fury 2666MHz | Asus RoG STRIX GTX 1080ti OC | Samsung 951 m.2 nVME 512GB | Crucial MX200 1000GB | Western Digital Caviar Black 2000GB | Noctua NH-D15 | Fractal Define R5 | Seasonic 860 Platinum | Logitech G910 | Sennheiser 599 | Blue Yeti | Logitech G502

 

Nikon D500 | Nikon 300mm f/4 PF  | Nikon 200-500 f/5.6 | Nikon 50mm f/1.8 | Tamron 70-210 f/4 VCII | Sigma 10-20 f/3.5 | Nikon 17-55 f/2.8 | Tamron 90mm F2.8 SP Di VC USD Macro | Neewer 750II

Link to comment
Share on other sites

Link to post
Share on other sites

Please note that if you upgrade to the New Logitech Options.

Logitech does something similar to Microsoft with force account creation.

Click the "X", which suggest closing the program, but really will "skip" the account creation/login phase.

 

Capture.PNG.523c9bf357d5a3fb4dc7903736c08f14.PNG

Link to comment
Share on other sites

Link to post
Share on other sites

On 12/13/2018 at 4:56 AM, Arika S said:

Question: Why is keyboard software even connected to the internet?

I did it once for some interactive room lighting effects using an ESP8266 connected to my wifi. Though the point still stands that there is no authentication for this web socket.

 

Hell, you could do these yourselves. There's a built-in ESP8266 inside these things with pins exposed.

 https://www.itead.cc/sonoff-wifi-wireless-switch.html

Your resident osu! player, destroyer of keyboards.

Link to comment
Share on other sites

Link to post
Share on other sites

Looks like the latest version of Logitech Options did not fix the flaw yet.

https://bugs.chromium.org/p/project-zero/issues/detail?id=1663

Intel Xeon E5 1650 v3 @ 3.5GHz 6C:12T / CM212 Evo / Asus X99 Deluxe / 16GB (4x4GB) DDR4 3000 Trident-Z / Samsung 850 Pro 256GB / Intel 335 240GB / WD Red 2 & 3TB / Antec 850w / RTX 2070 / Win10 Pro x64

HP Envy X360 15: Intel Core i5 8250U @ 1.6GHz 4C:8T / 8GB DDR4 / Intel UHD620 + Nvidia GeForce MX150 4GB / Intel 120GB SSD / Win10 Pro x64

 

HP Envy x360 BP series Intel 8th gen

AMD ThreadRipper 2!

5820K & 6800K 3-way SLI mobo support list

 

Link to comment
Share on other sites

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share


×