Recently, a white hat hacker discovered an odd exploit which allows you to give yourself full admin rights on a Windows 10 PC just by plugging in a Razer mouse and installing Razer Synapse. It turns out it's not just Razer products that can do this, though.
Twitter user @zux0x3a discovered a similar exploit with SteelSeries headsets, mice, and keyboards. Like with the Razer products, the problem lies with the hardware's proprietary software that gives itself system-wide privileges without asking for the system administrator's permission. Theoretically, someone could go to your workplace PC when you're not around and plug in the dongle for a wireless Razer or SteelSeries mouse, install Synapse or SteelSeriesGG, and gain full system privileges, which could wreak havoc on a corporate network if they mean to do harm.
"it is not only about @Razer.. it is possible for all.. just another priv_escalation with @SteelSeries https://t.co/S2sIa1Lvjv pic.twitter.com/E3NPQnxqo2" (August 23, 2021)
Initially, the fault was thought to be with Razer or SteelSeries. But as Tom's Guide points out, this is more of a Windows issue: it can't distinguish between hardware drivers (which usually don't need admin permissions) and peripheral software (which does).
For the moment, the recommendation if you want your PC to be locally secure (the exploit only works if someone has physical access) is to make sure your screen is locked while you're away. You can also find the Windows Device Installation Settings prompt (search for it from the Start menu), where you can tell Windows not to automatically download hardware manufacturer apps and custom icons. (With that setting turned off, you may run into minor issues the next time you plug in a new device.)
A spokesperson for SteelSeries told our friends over at Tom's Guide:
"We are aware of the issue identified and have proactively disabled the launch of the SteelSeries installer that is triggered when a new SteelSeries device is plugged in. This immediately removes the opportunity for an exploit, and we are working on a software update that will address the issue permanently and be released soon."