USB Devices Could Steal Data

Thursday, July 8, 2010 @ 02:07 PM gHale

Almost all USB-connected devices, such as mice and printers, can actually end up being tools for data theft, according to a team that exploited the flaw.
So, do you know if the keyboard or mouse you are using today is the one you used yesterday, or the day before? Someone could have swapped it for a compromised device that could transmit data to a snooper.

The potential problem stems from a shortcoming in the way the Universal Serial Bus (USB) works. This shortcoming could result in the device becoming a hardware trojan.
Until now, experts thought hardware trojans were just modified circuits: if hackers managed to get hold of a microchip while it was still in the factory, they could introduce subtle changes allowing them to crash the device the chip gets built into.
Computer engineers John Clark, Sylvain Leblanc and Scott Knight at the Royal Military College of Canada in Kingston, Ontario, wondered if a hardware trojan attack could occur by other means. They felt the easiest way to introduce a hardware trojan might be via a computer’s USB ports.
The trio found they could exploit a weakness in USB’s plug-and-play functionality. The USB protocol trusts any device plugged in to report its identity correctly. But find out the make and model of a target user’s keyboard, say, swap it with a compromised device that reports the same information and the computer won’t realize what is going on.
The team designed a USB keyboard containing a circuit that successfully stole data from the hard drive and transmitted it in two ways: by flashing an LED, Morse-code style, and by encoding data as a subtle warbling output from the sound card. They could have chosen more efficient methods to transmit the data, such as email, but Leblanc said their main goal was to see if they could steal data without anyone noticing.
Security software, if it checks USB devices at all, tends to look only for malware on USB memory sticks.
“This work opens many cans of worms,” said Vasilios Katos, a computer scientist at the Democritus University of Thrace in Greece. “A USB device cannot now be trusted; it may have hidden processing capabilities.”
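
The trust problem described above, where the host accepts whatever identity a device reports, shown as an added example that is not from the article or the researchers. The record layout, function names and all sample values are assumptions made for illustration; only the field names follow the Linux sysfs USB attributes.

```python
# Constructed sample records. Field names mirror the Linux sysfs USB
# attributes (idVendor, idProduct, product, serial, bInterfaceClass);
# every value below is made up for illustration.
BASELINE = {
    "port": "1-2", "idVendor": "1234", "idProduct": "abcd",
    "product": "Example Keyboard", "serial": "",
    "interfaces": ["03"],  # USB class 03 = HID
}
# A physically different device that reports the same descriptors.
CLONE = dict(BASELINE)
# Same reported identity, but it also enumerates a mass-storage interface.
EXTRA_INTERFACE = dict(BASELINE, interfaces=["03", "08"])

IDENTITY_FIELDS = ("idVendor", "idProduct", "product", "serial")


def identity(dev):
    """All of these strings are supplied by the device during enumeration."""
    return tuple(dev[f] for f in IDENTITY_FIELDS)


def allowlist_check(dev, baseline=BASELINE):
    """Allowlist keyed on self-reported identity only."""
    return identity(dev) == identity(baseline)


def descriptor_drift(dev, baseline=BASELINE):
    """Names of recorded fields that differ from the baseline snapshot."""
    return sorted(k for k in baseline if dev.get(k) != baseline[k])


def assess(dev):
    drift = descriptor_drift(dev)
    if drift:
        return "alert: changed " + ", ".join(drift)
    # No software-visible difference: the host cannot tell a swap happened.
    return "accepted: matches baseline"


if __name__ == "__main__":
    for name, dev in (("clone", CLONE), ("extra interface", EXTRA_INTERFACE)):
        print(name, allowlist_check(dev), assess(dev))
```

The clone passes both checks, which is the article's point: comparing reported descriptors only catches a swapped device that reports something different from the original.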
