Logitech Rushes to Fix a Serious Three-Months Old Bug on their Options App

• Logitech Options allowed Rubber Ducky attacks for over three months, although Logitech knew about it
• A Google researcher had reported it privately and was assured that a fix would be released soon back in September
• Logitech released a fixing version only after the matter gained publicity through Twitter

Tavis Ormandy, one of Google’s security researchers, had discovered a serious security vulnerability in Logitech’s Options back in September and reported it to the company privately. According to his findings, Logitech’s Options mouse and keyboard configuration suite were following a series of bad practices in its operation, possibly allowing for keystroke injection attacks.

More specifically, Ormandy discovered that Options was opening a WebSocket server on the user’s system, but without any consideration on implementing a security layer for that server, so it seamlessly supported intrusive commands. To make things worse, Options used a registry key to auto-launch on OS boot, while its authentication system featured no real security either. Ormandy filed a bug report, highlighting the fact that the “authentication can be brute-forced in microseconds”.

Once an attacker does that, the next step could potentially be to configure the “crown” to accept arbitrary keystrokes, or otherwise known as “Rubber Ducky attacks”. This type of attacks has been repeatedly used in the past by malicious hackers, and they involve a USB device that mimics the operation of a keyboard or mouse, typing keyboard shortcuts and commands as part of its spiteful code. This is a frightening scenario for the user, as the system looks like it’s gone rogue, doing its own thing without allowing much time to react.

In the same bug report, Ormandy mentions that he has had a meeting with Logitech engineers on September, and they assured him that they understood the issues and were planning to implement type checking and origin checking to Options. To Ormandy’s surprise, however, October’s release didn’t resolve any of the problems, so he publicized the bug and openly recommended the disabling of the suite until a fixing update becomes available. This only happened on December 11, a date that Ormandy defines as way past an acceptable deadline for fixing this problem.

The negative publicity gained momentum on Twitter, with people wondering how and why Logitech ignored such a severe bug for over three months, choosing to leave them vulnerable although they knew about it for so long. As a result, Logitech rushed an update (vn 7.00.564) which supposedly addresses the reported security issues, but this is yet to be confirmed by Ormandy.

Are you using Logitech Options to configure your mouse and keyboard? Would you trust the suite again in the future? Let us know of your opinion in the comments section below, and don’t forget to like and share this story on Facebook and Twitter.