A recent “hack” involving a Razer mouse shows what can happen if a new piece of hardware automatically downloads the required utility software: It can allow an attacker to take over a PC.
Late last week, security researcher “j0nh4t” showed that the RazerInstaller utility could be used to elevate privileges on a PC, giving an attacker total control. Essentially, all a user would need to do is attach a Razer mouse, wait for Razer’s utility software to download, and then run PowerShell. Using the technique that j0nh4t described in his tweet, a guest account on a PC could obtain administrator status and control the PC.
To be fair, anytime an attacker has physical control of a PC, you’re at risk—that means the hacker is either seated at your desk or has stolen your laptop. The researcher also reported that Razer is busy working on a patch.
It’s not clear, however, whether Razer will address the fundamental issue. Yes, it’s convenient for Razer to automatically push its utility to your PC, but when that happens, you never quite know what your PC will receive. (Protect yourself by using PCWorld’s recommended antivirus programs.) Asking the user to download Razer’s utility, rather than doing it for them, might be a step toward solving that problem.