Logitech Updates 'Options' Customisation App to Fix Security Flaw Allowing Keystroke Injection Attacks

Logitech Options, the app that is designed to enable customisation of Logitech mice, keyboards, or touchpads, has now received a security patch. The patch essentially fixes a security flaw that was allowing attackers to inject arbitrary keystrokes and send system commands - all through gaining remote access. Google's Project Zero security team intimated the Logitech team about the bug back in September. However, Logitech released Options 7.00.564 on Friday to ultimately address security concerns. A Google security researcher had already detailed the flaw in a bug report, before the patch arrived, thanks to the 90 days deadline expiring.

Google security researcher Tavis Ormandy in his bug report states that the Logitech Options was opening a WebSocket server on systems on which it's installed without any origin checking process. That made the app vulnerable to keystroke injection attacks. "The only 'authentication' is that you have to provide a PID [process ID] of a process owned by your user, but you get unlimited guesses so you can bruteforce it in microseconds," explained Ormandy in the report.

"After that, you can send commands and options, configure the 'crown' to send arbitrary keystrokes, etc, etc."

Alongside raising the bug report, Ormandy personally reported the issue to the Logitech engineers in mid-September. Logitech acknowledged the flaw soon upon receiving its report. However, the company took over three months to bring its patch - more than Google Project Zero's 90-day deadline for public disclosure. It did bring an updated Options app on October 1, but that update didn't include any fixes for the reported security issues, as the security researcher wrote in a comment to his bug report on the Chromium site.

"This now past deadline, so making public," said Ormandy. "I would recommend disabling Logitech Options until an update is available."

Soon after the bug report became public, it gained some attention among security researchers and finally pushed Logitech to release the patch.

"The release of Logitech Options 7.00, which addresses Origin checks and type checking, is now live and can be downloaded for Windows and Mac," Logitech tweeted on Friday to confirm the fix.

You can download the updated Options app on your PC to start customising your Logitech mouse, keyboard, or touchpad. The app supports devices such as MX Vertical, MX Ergo, MX Anywhere 2S, K600 TV Keyboard, MK850 Performance, MK540 Advanced, and MX900 Performance Combo for customisations.