Razer mice and keyboards can grant administrator rights on Windows PCs.

Razer is a household name on our list of the best gaming mice and keyboards, but it turns out these serpentine peripherals have a pretty annoying hidden talent: just plugging one in and installing the Razer Synapse software is apparently enough to grant administrator rights on any Windows 10 or Windows 11 PC.

Twitter user Jonhat discovered the exploit, which Bleeping Computer could easily replicate. The problem is mainly due to the way Windows Update automatically downloads the Synapse software: since Windows Update has SYSTEM (i.e. administrator) privileges, it grants the same level of access to Synapse.

Where it gets really tricky is the Synapse installation. You, or someone trying to mess with your PC, can open a PowerShell window from the installer, and since Windows has given Synapse administrator authority, the PowerShell window gets administrator rights too. Thanks to this daisy chain of dubious security, anyone who knows how to execute commands in PowerShell is essentially in control of the PC as an administrator.

While there is something darkly funny about a plastic RGB rodent that brings down someone’s otherwise locked rig, there’s obviously scope for some really nasty misuse here, from deleting important files to installing malware.

Do you need a local administrator and do you have physical access?
– Plug in a Razer mouse (or the dongle)
– Windows Update will download RazerInstaller as SYSTEM and run it
– Abuse elevated Explorer to open Powershell with Shift + Right click

I tried to contact @Razer but no responses. So here’s a freebie pic.twitter.com/xDkl87RCmz

– jonhat (@j0nh4t) August 21, 2021

That said, it seems like a pretty straightforward exploit to protect yourself against. For one, it depends on the bad guy having physical access to your PC, and honestly, if he got to this stage at all, there are much worse things he could do with it. However, if you are concerned about leaving your PC unattended, you can always disable your system’s USB ports through Device Manager and enable them again when you return.
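For defenders who would rather detect the chain than disable USB ports, here is an added example (not from the original article, Razer or Microsoft) that hunts process-creation telemetry for a shell running as SYSTEM in an interactive session with the installer among its ancestors. The event records, field names, paths and the `RazerInstaller.exe` file name are constructed assumptions, not a real log schema.

```python
# Constructed process-creation records (simplified, assumed field names).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SYSTEM = r"NT AUTHORITY\SYSTEM"
EVENTS = [
    # Installer started as SYSTEM on the logged-in user's desktop (session 1).
    {"pid": 4012, "ppid": 900, "image": r"C:\Windows\Temp\RazerInstaller.exe",
     "user": SYSTEM, "session": 1},
    # Shell opened from the installer's file dialog: inherits SYSTEM.
    {"pid": 5120, "ppid": 4012, "image": PS, "user": SYSTEM, "session": 1},
    {"pid": 5300, "ppid": 5120, "image": r"C:\Windows\System32\whoami.exe",
     "user": SYSTEM, "session": 1},
    # Benign: an ordinary user shell.
    {"pid": 6200, "ppid": 3100, "image": PS, "user": r"DESKTOP\alice", "session": 1},
    # Benign: service-launched script in the non-interactive session 0.
    {"pid": 700, "ppid": 620, "image": PS, "user": SYSTEM, "session": 0},
]

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
INSTALLERS = {"razerinstaller.exe"}  # assumed file name; extend per environment


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestors(event, by_pid):
    """Yield parent, grandparent, ... while guarding against PID loops."""
    seen = {event["pid"]}
    parent = by_pid.get(event["ppid"])
    while parent and parent["pid"] not in seen:
        yield parent
        seen.add(parent["pid"])
        parent = by_pid.get(parent["ppid"])


def find_system_shells(events):
    """Return (shell_pid, installer_name) for SYSTEM shells spawned under an installer."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if basename(e["image"]) not in SHELLS:
            continue
        if e["user"].upper() != SYSTEM or e["session"] == 0:
            continue  # only SYSTEM shells on an interactive desktop are of interest
        chain = [basename(a["image"]) for a in ancestors(e, by_pid)]
        installer = next((name for name in chain if name in INSTALLERS), None)
        if installer:
            hits.append((e["pid"], installer))
    return hits
```

On real telemetry, PIDs are reused over time, so key the lookup on a unique process identifier if the log source provides one.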

I’ll also start telling people that this is why I got rid of my last Razer mouse, and that it absolutely wasn’t because I left it broken on my desk like a huge baby man during a miserable Deep Rock Galactic session.
