Keyboard customization software, particularly from mainstream keyboard brands, is already a bit of a racket. Most are either too bloated for daily use or ask you to sign up for an account before you can configure anything. Razer and SteelSeries both offer software like this for their lineups of gaming peripherals and keyboards, and now they’re both under fire for having exploitive zero-day vulnerabilities.
Security researcher jonhat on Twitter said they discovered that plugging a Razer peripheral into a Windows 10 PC gives the user complete system privileges on that machine, despite admin status. System privileges are effectively the highest access you can gain to a Windows PC. Usually, that access is reserved for the owner of the laptop or computer. But in this case, anyone could theoretically walk by, plug in a Razer mouse, and install anything they want—including malware.
BleepingComputer tested the vulnerability to confirm it. After plugging in a Razer mouse, it took about two minutes to gain full system privileges in Windows 10. The mouse is programmed to automatically install the appropriate Razer driver and the accompanying Synapse software once it’s plugged in. Synapse is what lets you change the background lighting and program the abilities of a Razer keyboard or mouse. It’s also an additional opportunity for Razer to sell you on the perks of choosing its accessories, which is why the company wants the software to install immediately upon purchase.
For its part, Razer reached out to the original security researcher to confirm it’s currently working on a fix to address these issues. Razer also responded separately to The Register: “We have investigated the issue, are currently making changes to the installation application to limit this use case, and will release an updated version shortly. The use of our software (including the installation application) does not provide unauthorized third-party access to the machine.”
It’s a similar case for gaming keyboard and mice maker SteelSeries, which makes SteelSeries Engine software to change lighting and program macros on select SteelSeries keyboards. This includes the Apex Pro, which is one of Gizmodo’s top mechanical gaming keyboards because of its adjustable actuation. But to enable that ability, you need the software.
Security researcher Lawrence Amer found the SteelSeries Engine software can also be exploited to obtain administrative rights. It has a similar vulnerability to Razer’s that allows Command Prompt access in Windows 10 with complete admin ability—which is possible simply from plugging in a SteelSeries keyboard. In a response to BleepingComputer, SteelSeries said it’s aware of the issue and that it’s “proactively disabled the launch of the SteelSeries installer that is triggered when a new SteelSeries device is plugged in.”
This isn’t the first time that Razer has faced scrutiny for not protecting its users. Other peripheral makers, like Das Keyboard and Logitech, have also had security flaws within their respective software. It’s frustrating for users who are faced with no other choice for customizing pricey keyboards and mice. There aren’t many open-source options available, and the ones that exist tend to be geared toward independent keyboard and peripheral manufacturers.
The other issue here is that Windows allows this kind of access simply by connecting a peripheral. You might have chosen a specific type of keyboard or mouse for your computer, but merely plugging in a device shouldn’t mean automatic consent to software with administrative-level access. Razer and SteelSeries would have both been better off pointing you to download the software from their respective websites. At least that way, there’s an illusion of choice.