Your Accessories Just Aren't Safe Anymore

Better switch back to your old, yellowed PS/2 mouse. A trio of researchers have shown that USB devices represent in and of themselves a potential security risk. Your data will never be safe again!

Well, this is true and it isn’t. Would you notice if, say, your keyboard was switched out for another one? Potential data thieves would have a hard time replicating the filth patterns on my keyboard, that’s for sure. But say they did, successfully.

John Clark, Sylvain Leblanc and Scott Knight of the Royal Military College in Kingston, Ontario, Canada have discovered that there’s a rather simple exploit in the way a computer will automatically trust anything plugged into a USB port to report what it is – if it says it’s a keyboard, it must be a keyboard, obviously. But what if it’s not?

Clark, Leblanc and Knight took the liberty of finding out, creating a keyboard with a hardware trojan attached, and plugging it into a USB port. The device was programmed to steal data from the hard drive and transmit it via Morse code on the device’s LEDs, as well as a warbling sound made from the computer’s internal speaker. Y’know, for all those hackers who like to physically stand next to their victims. How useful. The team also confirmed they could have used other methods, such as email. That they didn’t may be ridiculous, but is not the point: “We’ve shown any USB device could contain a hardware trojan,” says Leblanc of the finding. “You could mount a hardware trojan attack with a USB coffee-cup warmer.” Touché, Sylvain.

“This work opens many cans of worms,” said Vasilios Katos, a computer scientist at the Democritus University of Thrace. “A USB device cannot now be trusted – it may have hidden processing capabilities.”

True say. Better start keeping tabs on our USB devices, guys – my roommate could be trying to take me down as we speak.

Written by Ty Dunitz

Ty is an illustrator who stays up too late, and has to wear glasses. You can follow him on Twitter if you want to (@glitchritual), but he's just gonna throw your stupid PR crap in the garbage, so don't email him.

Comments

#1
Rob
July 5th, 2010 at 9:41 am

Honestly, I find it really cool that it is possible to do that.
