Not just Razer: SteelSeries mice, keyboards hijack Windows 10 too — what you can do


Updated with comment from SteelSeries.

A day after the world learned that Razer gaming mice could be used to take over Windows PCs, there's news that the same trick works with SteelSeries gaming keyboards, mice, headsets and even mousepads.

As with the Razer mice, it's actually the Windows desktop application that causes the trouble. That's because it gets system-wide privileges during installation without first asking for a system administrator's permission. 

This flaw was discovered by security researcher Lawrence Amer, who was inspired by the Razer issue.

A malicious human using — or malware that's already running on — a Windows 10 (and presumably Windows 11) PC as a low-level user during the installation process can leverage this flaw to gain full system control. 

In cybersecurity terms, this is called privilege escalation or escalation/elevation of privileges. It's when processes or users gain powers they shouldn't have.

However, this flaw isn't the fault of SteelSeries or Razer. Those companies are just trying to get their software installed quickly. 

This is instead a Microsoft issue, because Windows isn't distinguishing between hardware drivers (which normally don't need admin permissions to install) and peripheral-related desktop software (which should need admin permission). 

Microsoft needs to fix this privilege-escalation situation before more problems like this pop up, as they almost certainly will.

What you can do about this

To avoid having your PC pwned by gaming peripherals, make sure you lock the screen of your workplace PC when you step away from your desk. 

Home PCs are under less threat from this kind of attack, due to there being fewer potential users around. But you might want to shut off your PC when you've got a lot of company over. 

To really make sure this can't happen to your machine, log on as an administrator, go to System > Settings > About and click the Advanced System Settings link. This will spawn a box labeled "System Properties". Select the Hardware tab, then click the button "Device Installation Settings". 

In the pop-up window that follows, titled "Do you want to automatically download manufacturers' apps and custom icons available for your devices?", select the radio button labeled "No (your device might not work as expected)".

As you might imagine, taking this more severe route might make installing new hardware — not just gaming mice and keyboards, but also printers, headphones and even USB security keys — a bit more arduous, although not impossible. (Thanks to Paul Ducklin over at Sophos' Naked Security blog for showing us how to do this.)
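
The same setting can be checked from PowerShell, which helps when auditing more than one machine. This is an added example, not part of the original article and not Microsoft's own tooling; it assumes the Device Installation Settings dialog stores its choice in the two registry values listed in the script, and the -Harden switch is a name made up here.

```powershell
# Added example: audit, and optionally set, the Device Installation Settings choice.
# Assumption: the dialog stores its Yes/No choice in the two registry values below.
# Run with no arguments to report only; nothing is changed unless -Harden is given.
[CmdletBinding()]
param(
    [switch]$Harden   # hypothetical switch name; writes the "No" choice, needs elevation
)

$settings = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Device Metadata'
       Name = 'PreventDeviceMetadataFromNetwork'; Want = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching'
       Name = 'SearchOrderConfig'; Want = 0 }
)

$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin  = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)

if ($Harden -and -not $isAdmin) {
    throw 'Run from an elevated PowerShell session to change HKLM values.'
}

foreach ($s in $settings) {
    if ($Harden) {
        # Create the key only if it is missing, so existing values are left alone.
        if (-not (Test-Path -Path $s.Path)) {
            New-Item -Path $s.Path -Force | Out-Null
        }
        New-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Want `
            -PropertyType DWord -Force | Out-Null
    }

    # A missing value is reported as "(not set)" and counted as non-compliant.
    $item    = Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue
    $current = if ($item) { $item.($s.Name) } else { $null }

    [pscustomobject]@{
        Value     = $s.Name
        Current   = if ($null -eq $current) { '(not set)' } else { $current }
        Wanted    = $s.Want
        Compliant = ($current -eq $s.Want)
    }
}
```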

How this "hack" works

Normally, installing a system-wide application requires admin permission before the process can begin. That's what happens when you download SteelSeries or Razer Synapse desktop software from the company websites and try to install it. 

You're prompted with either a request for your OK (if you're already running Windows as an admin), or a request for an administrator's password (if you're a limited user).

But in the case of these gaming peripherals, or their wireless dongles, just plugging one of them into a Windows machine for the first time gets Windows looking online for the required driver software — and the optional companion desktop app. The desktop software is downloaded and the installation process begins WITHOUT any administrator permission needed.

While the installation process is running, you can open links from the installer interface to open File Explorer windows. Then you can right-click those File Explorer windows to open a command-line window, as you can do in any Explorer window. 

But in this case, that command-line window will be running with full system privileges, and the power to install, delete or alter any file or program on the entire PC.

That's one mighty tiny dongle

All an attacker needs to pull this off is the tiny USB dongle of a Razer or SteelSeries wireless mouse or keyboard. 

In fact, an Android-based tool has already been created that can fool PCs into thinking a Razer or SteelSeries device is plugged in. Someone armed with that tool can connect their phone to the USB port of any Windows machine in a workplace to gain full system privileges, and a valuable foothold in the corporate network.

It also wouldn't be that difficult to reprogram ordinary USB sticks so that a PC would think they are Razer or SteelSeries dongles. You could then drop them in a company parking lot with the expectation that some curious employee would plug one in.

Again, what Microsoft needs to do is make Windows tell the difference between a necessary device driver and an optional application that accompanies the device. Right now it treats both the same way. 

Windows could also require admin permission before installing device drivers, which is probably what it should have been doing all along.

Update: Comment from SteelSeries

A spokesperson for SteelSeries reached out to Tom's Guide and provided us with the following statement:

"We are aware of the issue identified and have proactively disabled the launch of the SteelSeries installer that is triggered when a new SteelSeries device is plugged in. This immediately removes the opportunity for an exploit and we are working on a software update that will address the issue permanently and be released soon."

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.
