First cab off that rank should be input devices, because what sort of maniac thinks the advantages of a roaming cloud-based configuration outweigh the potential explosion in surface area to attack and compromise? That maniac is called Razer, and it has been connecting keyboards to its Synapse software for years.
At last week’s CES, Razer took it a step further when it announced it is adding support for users to use Alexa to control their peripherals.
“Alexa, ask Chroma to change my lighting profile to FPS mode,” Razer cheerily proclaims as an example of its upcoming functionality.
For this to work, the software that usually controls keyboard and mice settings needs to be connected to Amazon Alexa.
It’s a 2-for-1 cloud connection, because once you embrace the idea of Razer’s servers being secure, then you’ve already accepted a more risky proposition than using just Amazon.
Last month, Razer faced blowback when it launched a cryptocurrency mining application called Cortex, where users would be rewarded with its Silver funny money.
“The new app to put snoozing machines to work, solving blockchain puzzles in the background in exchange for sweet, sweet Silver,” Razer said at the time.
Enter Tavis Ormandy, security researcher for Google Project Zero and scourge of buggy software makers, who took a look at the software and was stunned.
“Holy moly, I just installed this. WHY IS CEF (chromium embedded) REMOTE DEBUGGING ENABLED AND LISTENING BY DEFAULT (!?!?!?!),” Ormandy tweeted.
“I don’t have any razer hardware to test, but they probably (like, *right now*) need to fix that.”
To Razer’s credit, the company fixed the issue within 24 hours; on the other hand, it allowed remote command execution in the first place.
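A local audit check for the class of misconfiguration Ormandy describes, added here as an example and not code from the article or from Razer's software: it asks each candidate loopback port for the Chromium DevTools discovery document (GET /json/version, which Chromium and CEF serve when remote debugging is enabled) and reports anything that answers with a browser target. The port list is an assumption for illustration, not a port documented for any product; a refused connection, a timeout, or a non-JSON reply are all treated as "nothing listening here".

```python
"""Audit localhost for Chromium/CEF DevTools remote-debugging endpoints.

Added example, not from the article or from any vendor's software. It relies
on the DevTools HTTP discovery endpoint GET /json/version that Chromium and
CEF expose when remote debugging is enabled. CANDIDATE_PORTS is an assumed
list for illustration, not a port any specific product is known to use.
"""
import json
import socket
from urllib.error import URLError
from urllib.request import urlopen

# Hypothetical ports to probe; adjust to whatever your endpoint inventory says.
CANDIDATE_PORTS = (9222, 9229, 8080, 8443)


def parse_version_response(body: str):
    """Return a summary dict if `body` looks like a DevTools /json/version
    reply, otherwise None.

    Chromium answers with a JSON object carrying a 'Browser' string and a
    'webSocketDebuggerUrl' for the browser-level target; both must be present
    before we call the port a debugging endpoint, so an unrelated local HTTP
    service that happens to return JSON is not flagged.
    """
    try:
        data = json.loads(body)
    except (ValueError, TypeError):
        return None
    if not isinstance(data, dict):
        return None
    browser = data.get("Browser")
    ws_url = data.get("webSocketDebuggerUrl")
    if not isinstance(browser, str) or not isinstance(ws_url, str):
        return None
    if not (ws_url.startswith("ws://") or ws_url.startswith("wss://")):
        return None
    return {
        "browser": browser,
        "websocket": ws_url,
        "protocol": data.get("Protocol-Version", "unknown"),
    }


def probe_port(port: int, host: str = "127.0.0.1", timeout: float = 1.0):
    """Probe one port; return the parsed summary or None.

    Connection refused, timeout, HTTP errors and non-HTTP chatter all mean
    'no DevTools here' for audit purposes, so they are swallowed rather than
    raised; only a well-formed /json/version document produces a finding.
    """
    url = f"http://{host}:{port}/json/version"
    try:
        with urlopen(url, timeout=timeout) as resp:
            body = resp.read(65536).decode("utf-8", "replace")
    except (URLError, socket.timeout, ValueError, OSError):
        return None
    return parse_version_response(body)


def audit(ports=CANDIDATE_PORTS, host: str = "127.0.0.1"):
    """Return {port: summary} for every port that answers as a DevTools endpoint."""
    findings = {}
    for port in ports:
        info = probe_port(port, host)
        if info:
            findings[port] = info
    return findings


if __name__ == "__main__":
    found = audit()
    if not found:
        print("no DevTools remote-debugging endpoints found on localhost")
    for port, info in found.items():
        # Anything able to reach this socket can drive the embedded browser,
        # which is why a default-on listener is a remote-command-execution risk.
        print(f"port {port}: {info['browser']} (protocol {info['protocol']}) "
              f"exposes {info['websocket']}")
```

Run it on the workstation being audited; a hit means a Chromium-based component is accepting DevTools connections and should be reconfigured (or the vendor chased) rather than left in place. If the software binds to all interfaces rather than loopback, run the same probe against the machine's LAN address too.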
Also in Razer’s favour is that it acknowledged it was responsible, which is more than can be said for Gigabyte.
On December 18, SecureAuth detailed its exchanges with Gigabyte after it discovered that software utilities for Gigabyte and Aorus motherboards had privilege escalation vulnerabilities.
“There is ring0 memcpy-like functionality … allowing a local attacker to take complete control of the affected system,” SecureAuth said.
In trying to resolve what was clearly a serious issue, the security company could not locate a proper contact within Gigabyte, and headed over to its technical support team.
“Gigabyte is a hardware company and they are not specialized in software,” Gigabyte told SecureAuth on two different occasions in May.
SecureAuth said Gigabyte eventually responded by saying its products did not have any issues.
If a vendor with the experience and sales of Gigabyte responds by denying responsibility for its software, it doesn’t bode well for smaller players.
Gigabyte should stop distributing software as long as it keeps on throwing out the excuse that it is a hardware company.
And it is no small matter, because the utilities that the Taiwanese manufacturer puts out are built to manipulate hardware settings, and flash BIOSes.
If a bad actor were looking for a shortcut into a modern Windows system, trying to find a way in via Microsoft’s code would be a waste of time when the camembert-like underbelly of a modern system is likely to be crap software from peripheral makers.
That tactic is not new, but with connectivity exploding, things are likely to get worse before they get better, as with most things in the cyber realm.