USB coffee-cup warmer could be stealing your data

[HYBR|D]

ARE you sure that the keyboard or mouse you are using today is the one that was attached to your computer yesterday? It might have been swapped for a compromised device that could transmit data to a snooper.

The problem stems from a shortcoming in the way the Universal Serial Bus (USB) works. This allows almost all USB-connected devices, such as mice and printers, to be turned into tools for data theft, says a team that has exploited the flaw.
Welcome to the murky world of the "hardware trojan". Until now, hardware trojans were considered to be modified circuits. For example, if hackers manage to get hold of a microchip when it is still in the factory, they could introduce subtle changes allowing them to crash the device that the chip gets built into (New Scientist, 1 July 2009, p 18).

Computer engineers John Clark, Sylvain Leblanc and Scott Knight at the Royal Military College of Canada in Kingston, Ontario, wondered if a hardware trojan attack could be carried out by other means. They calculated that the easiest way to introduce a hardware trojan might be via a computer's USB ports.

The trio found they could exploit a weakness in USB's plug-and-play functionality. The USB protocol trusts any device being plugged in to report its identity correctly. But find out the make and model of a target user's keyboard, say, swap it with a compromised device that reports the same information - and that doesn't even have to be a keyboard - and the computer won't realise.

Swap a USB keyboard for a device that reports the same model number, and the computer won't know

The team designed a USB keyboard containing a circuit that successfully stole data from the hard drive and transmitted it in two ways: by flashing an LED, Morse-code style, and by encoding data as a subtle warbling output from the sound card (Future Generation Computer Systems, DOI: 10.1016/j.future.2010.04.008). They could have chosen more efficient methods to transmit the data, such as email, but Leblanc says their main goal was to see if they could steal data without anyone noticing.

"We've shown any USB device could contain a hardware trojan," he says. Security software, if it checks USB devices at all, tends to look only for malware on USB memory sticks.

"This work opens many cans of worms," says Vasilios Katos, a computer scientist at the Democritus University of Thrace in Greece. "A USB device cannot now be trusted - it may have hidden processing capabilities." He's right, says Leblanc. "You could mount a hardware trojan attack with a USB coffee-cup warmer."

[HYBR|D]

Woops, forgot to include the Source.

Code:

http://www.newscientist.com/article/mg20727676.300-usb-coffeecup-warmer-could-be-stealing-your-data

[SnugglesTheBear]

also be careful where you stick your USB!
http://risky.biz/big-wirus

PNP have given us a plethora of hilarious exploits. One of my favorites is a bank VP receiving a free palm pilot randomly and then plugging it into his computer, which then became infected all of a sudden >.< Sigh, most people will say 'if I see a USB stick on the ground I will take it home and plug it in.' Making road apples a very efficient way to grab a random box >.<

[nihil]

It looks as if the mitigating factor is the need for physical access as well as the right skills and equipment.

I haven't read anything about it recently, but there have been several articles on the potential for firmware trojans (CD/DVD/HDD/Videocard). I believe that this could be done remotely?

[gore]

also be careful where you stick your USB!

Your post wasn't EXACTLY what I thought first when I read that statement, but I think the end result is more or less the same. Brings a new thought to Butt Plugs though doesn't it?

[instronics]

Hello everyone

Very interesting indeed. Now i have a nooby question regarding this. Would this threat affect 'any' OS by default? Or would it be like viruses, that have to be individually created for a specific OS? This also might be affected by what kind of data is to be collected (hence a NIC might be different from a keyboard) etc....

Bottom line (to be a bit selfish here), would a slackware system be affected by the contents of this article, or would it have to be a very custom hardware device specifically 'for' slackware?

In addition... what do you folks recomend as a countermeasure?

Cheers.

[SnugglesTheBear]

Plug n Play is the main culprit. As long as you are not running that, you should be okay. Slackware by default does not have PnP running I do believe.

[nihil]

Hmmmmm,

Most of the answer is physical security and vigilance. For a human interface device you should notice that it has been substituted by a new one? and it would be nearly impossible to exactly match the individual characteristics that they soon pick up. Also a lot of my stuff would be hard for an attacker to find, either because of its age or obscure manufacturer.

As we are talking about hardware and firmware; then anything that will run on your system or in your environment will also run the malware as soon as it gets recognised by the BIOS. The mitigation here would be that as you are not running FAT* or NTFS, it probably wouldn't be able to do much, unless it can phone home or you have poor physical security that lets people at your systems unattended and with the ability to launch bootable media.

My basic point is that we are talking about the hardware level interface here, not the OS/application (user) level one, so Slackware won't protect you, even by obscurity.

A great mitigation is the fact that malware authors are percentage players and always go for the low hanging fruit. Most of the attacks we are discussing (apart from PnP) are just too much effort for them IMO.

Mostly I guess that this sort of stuff belongs in the realms of theoretical research, rather than real life, but I would be slightly more wary of publicly accessible systems nowadays?

Just my £0.01

[The-Spec]

Every country pays off some gook to sabotage parts. They do everything from adding extra undocumented opcodes to processors to adding lead based paints to foods. Anyone who uses these parts to create some "super-dooper secret usb spy device" would be an idiot.

[The-Spec]

When you see a James Bond movie... don't you ever find it funny how he carrys a swiss watch with lasers pointed at his wrists? Or drives these American/german sports cars that mysteriously explode on impact?