1. Your OS installs malware (technically manufacturers software) from a 3rd party vendor in background, zero user interaction
2. Happens as soon as you or anyone with physical access plug in a device into the HDMI port
3. That malware has internet and full system access, no sandboxing
4. It starts with every system boot
5. This software gets installed when you plug in a new LG monitor
6. OR ALREADY HAD AN OLDER LG MONITOR PLUGGED IN, BECAUSE LG APPARENTLY ROLLED THIS OUT FOR MANY OLDER MODELS TOO!!
7. And yes, if you think that's horrendous, as mentioned in the video below, that also applies to 'Professional' LG monitors!
This situation has.. no precedent as far as I can tell..GamersNexus has a video diving deeper into what LG did here - https://www.youtube.com/watch?v=Q9uefFYe6bM
Printer, mouse, tablet and display tablet makers use this to insert their crapware since at least Windows Vista or Windows 7, I think. The last one I remember is plugging a Razer mouse just to watch it instantly pulling 1.5GB of bloated junk with "telemetry" exfiltrating the data from my gaming PC in realtime. At least it doesn't leave my mouse in a non-working state when I disconnect the internet, like it used to. Thanks, Razer!
Microsoft is to blame here, really. They have a mechanism to block any vendor (supposedly to avoid reputational risks to their brand due to buggy drivers, at least that was their excuse back in the day), but aren't even using it to block these contraptions. Entire businesses are built on this, e.g. Razer is probably more of a marketing/data company now rather than a hardware shop.
Microsoft has been allowing this sort of ludicrous behavior for decades at this point, it's not a new issue. What's new is how visible LG made their malware, compared to previous auto-installs that happen like this, where they try to make the thing not so in your face, as they know there will be a huge backlash.
I don't know what Microsoft is thinking even allowing and enabling this sort of thing, they've lost all touch when it comes to building things for users.
The USB protocol does not have any authentication, just a VendorID/ProductID pair: 2×16 bits that Windows uses for looking up the driver package to install. Programming a MCU to use any VendorID/ProductID is straightforward. A USB device could even appear innocuous at first but after a timer or external trigger disconnect and reconnect masquerading as another device.
1. https://arstechnica.com/information-technology/2021/08/need-...
- https://support.microsoft.com/en-us/windows/hardware/drivers...: “Windows can automatically download recommended drivers for the hardware and devices connected to a system by using Windows Update“
- eight years ago: https://www.reddit.com/r/Windows10/comments/8tlre3/why_is_it...: “I can't seem to stop it from installing device drivers, even after unchecking the 'Do you want to automatically download manufacturers' apps and custom icons available for your devices?' and saving.
I uncheck it, reboot. Uninstall all drivers except USB (so I can use mouse and keyboard) and reboot. Aproximately two minutes after the reboot, I get notification ballons telling me everything is installed again. Heck, even the super old Nvidia 388.1 driver is installed (the latest now is 393.2).”
You got a lot of replies already, but there's so much precedent. Plugging a Logitech mouse installs a network capable, autolaunch capable, pop up app for at least the past 10 years. LG's thing seems grodier, but this has been common Windows-ism for a while.
depending on how you look at it it has quite a bit of precedence as this falls under a long list of MS shipping "intended behavior most security researcher would assign a CVE and require it to be fixed as min. requirement for Windows usage in any company"
other wtf. microslop cases include:
- "install arbitrary software w. admin rights hooks" in BIOS which theoretically is there to install BIOS update software but there had been cases of 1. it installing other unwanted software, 2. the updater not fulfilling most minimal security standards (i.e. similar, due to 2. maybe even worse then the monitor case)
- "on boot without password requirement boot arbitrary stuff from a USB stick if correctly named" allowing a trivial bypass of TPM based full disk encryption, yes different thing but another "MS without authentication runs potentially harmful 3rd party software"
- "init scripts on USB devices", I think they stopped doing that
- ...
given that Microsofts security researchers are definitely _not_ incompetent idiots, you can safely assume that all of this features where implemented knowing what user hostile hazards they are and against their own security teams recommendations (or bypassing that team knowing they would say "wtf. no", or similar)
most absurdly MS has in all of this cases enough means to enforce a "just drivers no ad-ware/spy-ware or you get banned" policy, and could do it in a way where they still allow non-allow-listed/ban-listed hooks to be run iff the user consented to it with appropriate warnings and "remember this decision" functionality in case they say no (which besides other aspects might be relevant from a "not steeping onto anti-trust landmines" POV, through mostly older judgements as the US kinda moved from hindering oligopoly to pushing for it).
combine that with the huge f*-up of Azure in the past and their systematic mishandling of it, and no indication they will change this behavior, I really don't understand how any Company/Government agency could trust them
Buying from companies you trust isn't a solution either. Founders sometimes get into fatal car accidents or lose some of their assets in messy divorces. THe new owners may not care about "brand reputation" and sell the company to the highest bidder.
Edit: To be fair, I immediately uninstalled it, so I don't know if this was "just" a link to their installer app or the full app. But something definitely got downloaded and moved to a place I could not have moved it myself without accepting a UAC prompt m
Just think about how many times hardware manufactures told customers to buy new equipment because they can't be bothered to patch the older models.
After start menu ads, I don't understand why people are being surprised anymore.
I want to believe you, but somehow I can't, I feel like our industry has already mastered the art of installing malware on customers' devices.
I'm still looking at my 10 year-old LG monitor with suspicion, now, but I'm thinking (hoping) it's just too old...
The bit I don’t understand is Microsoft making an infrastructure that allows this, lets shine the shame light here.
No, this has been going on for years. Vendors have been pushing malicious software through the Windows Update automatic driver installation since forever. MSI and Nahimic/A-Volute (this has watchdog daemon to instantly reinstall it as well as the main app protecting the daemon), the ASUS Armory Crate bullshit, the Lenovo garbage, which initially they only put into their own images, but then started force-installing via Windows Update, Gigabyte, ... the list is really long.
If you have to use Windows, you really absolutely should disable driver installation through Windows Update.
It's not quite as bad because it's not silent and you can say no, but I'm pretty sure that's only because Razor decided not to be completely evil.
When will people understand that malware is signed by the vendor ?
It’s not unprecedented at all for Microsoft or anyone to download what amounts to spyware.
The days of antivirus were replaced by advertising a long time ago. There is no privacy.
Most savvy types are hyper aware of every process running on their machine especially those using network lol
Kill the process or don’t by an LG. Everyone just uses Dell, or you’re rich and you get a Mac one. I don’t make the rules