3

I recently purchased a Logitech MX Master 2S mouse. I had no intention of installing the "options software" that came with the mouse. I simply desired a wireless mouse that wasn't cheap and flimsy.

However, after immediately plugging in the wireless USB dongle, some manner of custom software was able to run without my consent, displaying the following window above all other windows:

Logitech Options software

There is no USB volume listed in File Explorer, and to my knowledge autorun from USB is disabled. I was also unable to find an obvious process listed in the Task Manager.

How did this process start? Additionally this seems like an ideal attack vector for Windows machines. Can anyone provide some insight as to how the USB dongle (with no volume) can do this?

Update: There does not appear to be any built-in logical disk within the dongle, as running `wmic logicaldisk get name` and `diskpart > list volume` revealed no additional drives or partitions.

Lemonseed
  • 1
    USB is a great attack vector for all operating systems. The general principle is called an "evil maid" attack, and USB is great for it because USB devices can operate as keyboards, mice, hard drives, network devices, and literally anything. This makes it possible to create all sorts of havoc. This article explains much of this, and may also answer your question: https://www.schneier.com/blog/archives/2006/06/hacking_compute.html – Conor Mancone Jun 19 '19 at 17:13
  • Yes, I have heard of this attack vector before. Do you think that is the mechanism Logitech used here? Keyboard injection to run/install programs I don't want? – Lemonseed Jun 19 '19 at 18:35
  • It probably just used the autorun option baked into Windows+USB (mentioned in the article). I'm not a Windows person, which is why I'm not speculating more, but presumably the mouse also has a bit of storage built in which allows it to also act as a simple USB drive with an autorun option that your computer is picking up and executing. The article gives suggestions on disabling autorun, which you can google instructions for in Win10. If disabling autorun stops this then you pretty much have your answer (and can then even answer your own question if you want). – Conor Mancone Jun 19 '19 at 18:53
  • I don't believe it is autorun, as that is disabled. I also checked for a drive built into the dongle by using `wmic logicaldisk get name` and `diskpart > list volume` commands, but neither one showed any new storage device. So still stumped (and a little freaked out) how this program got run. – Lemonseed Jun 19 '19 at 19:25
  • Well then I'm afraid you'll have to wait for Tier 2 technical support, because this is outside my area of expertise and I've exhausted my limited knowledge :p – Conor Mancone Jun 19 '19 at 19:35
  • 1
    Just a comment because I'm genuinely not sure, but... is it possible this is some sort of special driver, registered with Windows? Still creepy, obviously, that software can be transparently downloaded and run on your machine, but mildly less creepy than _anyone_ being able to run _anything_. – Nic Jun 19 '19 at 20:11
  • @Nic I thought about that too, but I'd be thoroughly surprised if that non-standard, always-on-top "Logi"-branded dialog shipped with Windows (or subsequent updates). It looks like something Logitech marketing cooked up. Either way, agreed it is a creepy thing. I would still like to get to the bottom of it, if anyone knows how it works. – Lemonseed Jun 19 '19 at 20:53
  • I don't have one to play with, but I do have a **BashBunny**. I can set the BashBunny to be a keyboard and begin immediately issuing commands. If I watch Windows Settings Bluetooth & other devices, I can see the BashBunny show up as long as I don't set it to terminate after issuing commands. If I have it command and terminate, it's too quick to see in Settings. My guess is that Logitech is doing something similar, but I don't know for sure. – user10216038 Jun 19 '19 at 21:30
  • 1
    @Lemonseed Per your update, it seems like a requirement that the mouse has built in storage that is running things. However, they probably built it in such a way that it is not generally available/visible to the computer, but rather just to the automated processes the mouse starts up when plugged in. I'm still guessing though - quite the mystery. I'll put up a bounty once sufficient time has passed. – Conor Mancone Jun 20 '19 at 12:09
  • Are you sure you have disabled all autoruns? Have you checked using the SysInternals Suite "autoruns" utility? (See: https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite). This suite of utilities from Microsoft will also be useful in determining the process of interest (procmon/procexplorer). – hft Jun 21 '19 at 17:32
  • Since there is the huge bounty it might help to un-accept my answer to see if anyone comes around with specific knowledge about this device! – trognanders Jun 21 '19 at 20:29

3 Answers

7

Nic Hartley mentioned drivers. Windows 10 automatically installs drivers for unknown devices as soon as they are plugged in. If Windows does not have the driver for the device, it silently downloads the drivers online. Even if Windows does have the drivers, it still checks online for an updated version.
So, my theory is that Windows downloads and installs the necessary drivers from Logitech. The Logitech driver then shows the popup to install the software.

You can test this theory by plugging the dongle into a Windows 10 PC that is not connected to the Internet and does not have the Logitech drivers installed.

If the popup is still shown, then try disabling the Logitech drivers in Device Manager.

Also, try using a tool like Sysinternals Process Explorer to find the process that created the window. More information.

Kartik Soneji
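
One way to check the driver-install theory from the answer above after the fact: Windows records each device installation in `%windir%\INF\setupapi.dev.log`, and third-party driver packages are published there under `oem<N>.inf` names. The following is an added example, not part of the original answer; the sample log text, device IDs and INF assignments are constructed, and the function names are hypothetical.

```python
import re
# Constructed sample in the layout of %windir%\INF\setupapi.dev.log (IDs, times, INFs made up).
SAMPLE_LOG = r"""
>>>  [Device Install (Hardware initiated) - USB\VID_0000&PID_0001\EXAMPLE1]
>>>  Section start 2019/06/19 17:01:02.100
     inf:      Opened INF: 'C:\Windows\INF\usb.inf'
<<<  Section end 2019/06/19 17:01:02.900
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - HID\VID_0000&PID_0001&MI_00\EXAMPLE2]
>>>  Section start 2019/06/19 17:01:03.000
     inf:      Opened INF: 'C:\Windows\INF\input.inf'
<<<  Section end 2019/06/19 17:01:03.400
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USB\VID_0000&PID_0001&MI_02\EXAMPLE3]
>>>  Section start 2019/06/19 17:01:05.300
     inf:      Opened INF: 'C:\Windows\INF\oem42.inf'
<<<  Section end 2019/06/19 17:01:09.800
<<<  [Exit status: SUCCESS]
"""

HEADER = re.compile(r"^>>>\s+\[(.+)\]\s*$")            # section title line
START = re.compile(r"^>>>\s+Section start (\S+ \S+)")  # section timestamp
EXIT = re.compile(r"^<<<\s+\[Exit status: ([^\]]+)\]")  # closes a section
INF = re.compile(r"[\w.-]+\.inf\b", re.IGNORECASE)     # any INF file name
OEM_INF = re.compile(r"oem\d+\.inf", re.IGNORECASE)    # third-party package

def parse_sections(text):
    """Split the log into install sections: title, start, status, INF names."""
    sections, cur = [], None
    for line in text.splitlines():
        if m := HEADER.match(line):
            cur = {"title": m[1], "start": "", "status": "", "infs": set()}
            sections.append(cur)
        elif cur is None:
            continue  # text outside any section
        elif m := START.match(line):
            cur["start"] = m[1]
        elif m := EXIT.match(line):
            cur["status"] = m[1]
            cur = None
        else:
            cur["infs"].update(i.lower() for i in INF.findall(line))
    return sections

def vendor_installs(text, device_filter=""):
    """Sections that used an oem<N>.inf package, optionally filtered by device ID."""
    return [s for s in parse_sections(text)
            if device_filter.lower() in s["title"].lower()
            and any(OEM_INF.fullmatch(i) for i in s["infs"])]
```

To use it on a real machine, pass the contents of `setupapi.dev.log` as `text` and part of the dongle's hardware ID as `device_filter`; the start time of each hit can then be compared with when the popup appeared.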
3

The Logitech driver is installed by Windows 10 when the mouse is attached. This driver then triggers the download of the Logitech Options software directly from Logitech. The same happens with HP printers when they are attached locally.

This is done mostly to prevent problems with old drivers in Windows Update, especially in combination with the rolling release model.

When Windows 10 gets an upgrade from one major version to another, a full new install is done and all devices are downloaded and installed again after update.

2

How did this process start? Additionally, this seems like an ideal attack vector for Windows machines. Can anyone provide some insight as to how the USB dongle (with no volume) can do this?

USB is already a well-known attack vector which is occasionally discussed (BadUSB for example). Is all the alarmism around BadUSB really called for with respect to host devices?

Even though a USB stick is not supposed to, it might also claim to be a HID keyboard and issue commands as you. In the case of a keyboard/mouse dongle, this would not even appear to be suspicious; it already is a keyboard. Think start+r -> "\\?\volume{something-logitech-hardcoded}\autorun.exe"

Another less nefarious trick I have seen is to expose a virtual CD drive with an autorun, where they are generally slightly more trusted. Even in Windows 10, some form of AutoPlay does run by default.

Unfortunately, I do not have access to such a device, so I can offer no specific insight about the exploit involved. One experiment might be to plug it into a computer and attempt to observe anything strange briefly appearing on the screen, guided by the insight above. Otherwise, using the device explorer in "by connection" mode might help to reveal hidden functionalities (but not particularly hidden, the device could remove them after an attack). Determining the contents of the secret internal storage might be helpful. For example, does it have autorun files at all?

trognanders