How does Logitech Options software automatically launch from a mouse dongle?

Nic Hartley mentioned drivers. Windows 10 automatically installs drivers for unknown devices as soon as they are plugged in. If Windows does not have the driver for the device, it silently downloads the drivers online. Event if Windows does have the drivers, it still checks online for an updated version.
So, my theory is: that Windows downloads and installs the necessary drivers from Logitech. The Logitech driver then shows the popup to install the software.

You can test this theory by plugging the dongle into a Windows 10 PC that is not connected to the Internet and does not have the Logitech drivers installed.

If the popup is still shown, then try disabling the Logitech drivers in Device Manager.

Also, try using a tool like Sysinternals Process Explorer to find the process that created the Window. More information.


The Logitech driver is installed by windows 10 when the mouse is attached. In this driver then triggers the download of the logitech options software directly from Logitech. Same happens with HP printers when they are attached locally.

This is done mostly to prevent problems with old drivers in Windows Update, especially in combination with the rolling release model.

When Windows 10 gets an upgrade from one major version to another, a full new install is done and all devices are downloaded and installed again after update.


How did this process start? Additionally, this seems like an ideal attack vector for Windows machines. Can anyone provide some insight as to how the USB dongle (with no volume) can do this?

USB is already a well-known attack vector which is occasionally discussed (BadUSB for example). Is all the alarmism around BadUSB really called for with respect to host devices?

Even though a USB stick is not supposed to it might also claim to be a HID keyboard and issue commands as you. In the case of a keyboard/mouse dongle, this would not even appear to be suspicious; it already is a keyboard. Think start+r -> "\\?\volume{something-logitech-hardcoded}\autorun.exe"

Another less nefarious trick I have seen is to expose a virtual CD drive with an autorun, where they are generally slightly more trusted. Even in Windows 10, some form of AutoPlay does run by default.

Unfortunately, I do not have access to such a device so I can offer no specific insight about the exploit involved. One experiment might be to plug it into a computer and attempt to observe anything strange briefly appearing on the screen, guided by the insight above. Otherwise using the device explorer in by connection mode might help to reveal hidden functionalities (but not particularly hidden, the device could remove them after an attack). Determining the contents of the secret internal storage might be helpful. For example, does it have autorun files at all?

Tags:

Windows 10

Related

Why does WhatsApp not encrypt Google Drive backups? How can I prevent a user from copying files to another hard drive? Unknown automatically generated email in sent folder Does putting salt first make it easier for attacker to bruteforce the hash? Ability To Change Root User Password (Vulnerability?) Is using 'echo' to display attacker-controlled data on the terminal dangerous? Do mail servers follow links in emails as part of a security scan before inbox delivery? Is using haveibeenpwned to validate password strength rational? What are the risks of just clearing cookies instead of logging off? How is leaving a telephone on the ground a "classic anti-surveillance technique"? How bad would a partial hash leak be, realistically? Why is openssl complaining that my certificate chain is self-signed?

Recent Posts