Update 8/25/2021 1:50 p.m. ET: A SteelSeries spokesperson told Tom's Hardware that SteelSeries is "aware of the issue identified" and "proactively disabled the launch of the SteelSeries installer that is triggered when a new SteelSeries device is plugged in."
"This immediately removes the opportunity for an exploit, and we are working on a software update that will address the issue permanently and be released soon," the spokesperson said.
Original article 8/25/2021 10:45 p.m. ET:
We have recently reported new vulnerabilities found with Razer devices. The Synapse software allows malicious actors to obtain admin rights in the Windows 10 operating system without any authentication. Today, a new report suggests that SteelSeries and its accompanying software for peripherals is also struck by the same type of exploit.
When security researchers found a vulnerability in Razer software, it seems to have opened Pandora's box. In fact, many peripheral makers like Razer and SteelSeries have been shipping software vulnerable to exploits that grant admin privileges to unauthorized users.
Lawrence Amer of 0xsp has discovered that Windows automatically downloads the accompanying software and installs it using admin rights when you plug a SteelSeries device into the computer. You have to agree to license rights during the install process, and that's where the exploit begins. There's a small "Learn more" button, leading to a link you open in Internet Explorer. In the upper right corner, there is a little cog that you can click for tools. From there, you can click File > Save and open the CMD window in admin mode from that file explorer. It's really just that simple.
it is not only about @Razer.. it is possible for all.. just another priv_escalation with @SteelSeries https://t.co/S2sIa1Lvjv pic.twitter.com/E3NPQnxqo2August 23, 2021
More concerning, another security researcher, an0n(@an0n_r0), has proven that it's possible to trigger the software download and installation of SteelSeries software even if you don't own a SteelSeries device. He just used his Android phone that mimicked the SteelSeries keyboard, all while using the USBgadget generator tool.
PoC video for the @SteelSeries LPE (similar to @Razer) using my Android phone (pretending to be a @SteelSeries USB keyboard. :))Using my improved USBgadget generator tool: https://t.co/Ss74xdySBg@SteelSeries LPE was found by https://t.co/QdSzZMhNER. More should follow... :) pic.twitter.com/pKLKRWD8vIAugust 24, 2021
This is concerning, but it could be worse. This exploit requires physical access, so most users don't have to worry about it. A potential attacker would need an unlocked home screen, which is not easy if the user has protected the computer with a password or any sort of authentication.
