#Windows 10’s Security Falls Apart When You Plug In a Razer Mouse or Keyboard – Review Geek

“#Windows 10’s Security Falls Apart When You Plug In a Razer Mouse or Keyboard – Review Geek”

Razer Viper 8K gaming mouse with blue and green lights shining on it — Razer

Some Windows exploits require computing expertise, dedication to craft, and a ton of free time. But everyone who went to hacker bootcamp should have focused on gaming instead, because it turns out that all you need to gain local admin access on Windows 10 PC is a Razer mouse or keyboard.

As reported by BleepingComputer, a security researcher named jonhat discovered that plugging a Razer peripheral (or wireless dongle) into a computer triggers the Razer Synapse software installer under SYSTEM privileges. If you manually select a destination for the software, you can then Shift and Right-click to open a PowerShell window. This PowerShell window will have SYSTEM privileges because it’s running with the Synapse installer.

SYSTEM privileges are just as scary as they sound. They’re the highest level of privileges on a Windows device and open the door to all possible exploits. Unfortunately, Razer did not respond to jonhat’s bug submission, so he made the hack public on Twitter.

Need local admin and have physical access?
– Plug a Razer mouse (or the dongle)
– Windows Update will download and execute RazerInstaller as SYSTEM
– Abuse elevated Explorer to open Powershell with Shift+Right click

Tried contacting @Razer, but no answers. So here’s a freebie pic.twitter.com/xDkl87RCmz

— jonhat (@j0nh4t) August 21, 2021

Of course, this exploit only works when you have in-person access to a Windows 10 PC. And even then, you need to get past the lock screen first. That could limit the uses for this exploit to computers at businesses, libraries, schools, and other facilities (for better or worse).

Razer has since addressed the issue and claims to have limited the bug’s usability. A future update will solve the problem, though this entire issue raises one big question—do other peripherals create similar vulnerabilities? Razer isn’t the only company that sells USB devices with automatic installers, after all.

If you find any other vulnerabilities in Razer’s software, reach out to the company on Inspectiv. Razer offered jonhat a bounty for his findings, so your snooping could pay off.

Source: jonhat via BleepingComputer

If you liked the article, do not forget to share it with your friends. Follow us on Google News too, click on the star and choose us from your favorites.