Research Finds That All USB Devices Can Be Used For Data Theft


Top 10 Contributor
Posts 26,356
Points 1,191,585
Joined: Sep 2007
ForumsAdministrator
News Posted: Mon, Jul 5 2010 10:38 AM
Can your USB keyboard and mouse be trusted? Can anything that you plug into your USB port be trusted? In a word, no. It's something we all should have known by now, but the truth is finally coming out thanks to some new research on the matter. Security experts have known forever that USB flash drives and hard drives could contain malware and other viruses, but now we're learning that even strange USB peripherals such as coffee cup warmers and reading lights could also transmit harmful data.


Basically, the new research confirms that modified USB devices could be swapped without the knowledge of the end-user, and that modified device could be coded to steal data or otherwise compromise a computer. If you have a specific model of keyboard, for example, and a hacker replaces that with a hacked keyboard of the same model, your PC wouldn't immediately know the difference. This would allow the hacked keyboard to issue compromising commands to the host computer in order to accomplish data theft or implement other exploits.


As many experts have noted, this research opens up a new can of worms. Will this mean that all USB devices used by major companies will now need some other sort of protection? When you think about how easy it is to swap a USB mouse or keyboard (among other things), you quickly realize just how easy it would be to compromise almost anything. Yikes.
Top 50 Contributor
Posts 3,236
Points 37,910
Joined: Mar 2010
AKwyn replied on Mon, Jul 5 2010 12:24 PM

I have not heard about this beforehand nor have I seen anything about a USB keyboard logging the user's data or a weird device installing some keylogger onto a user's computer. It's a bad day for any people who want to use these exploits for malicious uses because the major companies are going to plug up those holes faster than they can finish construction on the 55.

 

"The future starts with you; now start posting more!"

Top 500 Contributor
Posts 158
Points 1,735
Joined: Mar 2010

I too have never heard of this, but after reading it I wasn't surprised. Just think about how easy it is to update firmware on things that don't even store user-accessible data (and thus, apparently, no malicious data), things like routers and scanners and even optical drives, and you can see someone introducing a few dozen lines of malicious code pretty easily. On the other hand, if you've got such access to your intended target that you can switch around their keyboards, you're probably not going to bother hacking a much more difficult device since you're already "in." If you don't have that access, it's pretty difficult to get, and you'd have to resort to B&E since people who have data to protect don't leave their laptops alone in a public place. Thoughts?

Top 10 Contributor
Posts 5,053
Points 60,715
Joined: May 2008
Location: U.S.
Moderator
3vi1 replied on Mon, Jul 5 2010 5:42 PM

The NewScientist "article" appears to be a bit of fluff meant to sell $20 copies of the actual paper from ScienceDirect. I encourage HH to not give this kind of press release any free exposure in the future.

Since it's impossible to comment on the actual scientific merits of the approach, given they don't give any technical details, it is possible to say this: Since when was a system ever secure from someone who had physical access? In-line keyloggers predate USB by quite a bit.

What part of "Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn" don't you understand?

++++++++++++[>++++>+++++++++>+++>+<<<<-]>+++.>++++++++++.-------------.+++.>---.>--.

Top 50 Contributor
Posts 3,236
Points 37,910
Joined: Mar 2010
AKwyn replied on Mon, Jul 5 2010 10:03 PM

The only way it could work is if someone got somebody to install the malicious firmware to their keyboard or mouse and it starts logging the data. Or they can just target an individual, load the firmware flashing program with the malicious firmware on the flash drive and then do the same thing I described earlier. I don't think they can target it massively as most program updates come from the programs themselves, not emails.

 

"The future starts with you; now start posting more!"

Top 500 Contributor
Posts 158
Points 1,735
Joined: Mar 2010

"The only way it could work is if someone got somebody to install the malicious firmware to their keyboard or mouse and it starts logging the data."

How, exactly? Sure, a keyboard can track data, but where is it going to store it? Mind, I'm talking about a basic keyboard, not something like the G15 that has memory to store hundreds of macros and whatever. No, you need a hardware keylogger (schematics easily available online) or a software keylogger. Using a keyboard with malicious code isn't the best way to introduce that software, and if you can tamper with it, why not just install a hardware keylogger? You can make one that goes between the keyboard plug and the mobo port, but someone with a bit more time and knowledge can hide it inside the keyboard.

Besides, if this really were such a threat, it would have been done already. Carrying on with Taylor's point about massively targeting, the only way to introduce malicious firmware code is to hit it at the source, where EVERYONE who needs it goes to download it: the manufacturer. And that's considerably more difficult than just sending out a bunch of infected emails. So in short: the statement "all USB devices can be used for data theft" is true, BUT so unlikely and complicated it will likely never pose a threat.

Top 50 Contributor
Posts 3,236
Points 37,910
Joined: Mar 2010
AKwyn replied on Tue, Jul 6 2010 2:31 AM

Nethersprite:

Besides, if this really were such a threat, it would have been done already. Carrying on with Taylor's point about massively targeting, the only way to introduce malicious firmware code is to hit it at the source, where EVERYONE who needs it goes to download it: the manufacturer. And that's considerably more difficult than just sending out a bunch of infected emails. So in short: the statement "all USB devices can be used for data theft" is true, BUT so unlikely and complicated it will likely never pose a threat.

While it's true that you can include a hardware keylogger, it'll involve actual disassembly of the keyboard and it just doesn't work practically if your victim is at work or at a place which is heavily watched.

Also this can work, the malicious code can be designed to access the memory or hard drive of the computer if it is designed to work like Plug and Play. The malicious driver can also access the system and stealthily install a program to email the keylogged results back to the malicious user. If coders can create drivers that can access Windows then who knows the possibilities.

 

"The future starts with you; now start posting more!"

Top 500 Contributor
Posts 158
Points 1,735
Joined: Mar 2010

"While it's true that you can include a hardware keylogger, it'll involve actual disassembly of the keyboard and It just doesn't work pratically if your victim is at work or at a place which is heavily watched."

And that's exactly my point. Sorry if I'm beating a dead horse here, but that's what I originally said, that only someone with less restricted access to the target can do that. Even though you could buy a keyboard with the same model number and install a keylogger in that one, then just switch them up while posing as a technician (this route obviously avoids you taking the thing apart at the site), you can also use that opportunity for more conventional means of data theft.

"Also this can work, the malicious code can be designed to access the memory or hard drive of the computer if it is designed to work like Plug and Play."

Yes, that will work. Since an infected keyboard can keep track of the keystrokes, but neither store nor transmit that data to the attacker, using the infected keyboard to infect the computer is the best way to go. But again (sound of horse beating in background) using a USB device to introduce an AutoRun virus is much much easier. Just think about the nature of firmware: it's unique to that specific model. And that means the same failsafes designed to stop you from installing the wrong firmware can also act like an MD5sum to make sure the firmware hasn't been tampered with, say by comparing what you attempt to install, with a version stored on a ROM chip somewhere.

Top 50 Contributor
Posts 3,236
Points 37,910
Joined: Mar 2010
AKwyn replied on Tue, Jul 6 2010 11:35 AM

Nethersprite:

And that's exactly my point. Sorry if I'm beating a dead horse here, but that's what I originally said, that only someone with less restricted access to the target can do that. Even though you could buy a keyboard with the same model number and install a keylogger in that one, then just switch them up while posing as a technician (this route obviously avoids you taking the thing apart at the site), you can also use that opportunity for more conventional means of data theft.

Well yeah, that can work if the keyboard is replaceable (aka buyable) and common but it doesn't work because there is a flaw. There will be a keyboard that is discontinued and if you can't find the exact model of the keyboard your worker has then you can't swap it out with the hardware key logger keyboard, also note that some businesses might use slightly more expensive (to you, cheap to them) keyboards. There's also the social engineering factor, people would truly need to be skilled in that area in order to successfully convince people that they're engineers.

Nethersprite:

Yes, that will work. Since an infected keyboard can keep track of the keystrokes, but neither store nor transmit that data to the attacker, using the infected keyboard to infect the computer is the best way to go. But again (sound of horse beating in background) using a USB device to introduce an AutoRun virus is much much easier. Just think about the nature of firmware: it's unique to that specific model. And that means the same failsafes designed to stop you from installing the wrong firmware can also act like an MD5sum to make sure the firmware hasn't been tampered with, say by comparing what you attempt to install, with a version stored on a ROM chip somewhere.

I don't know if it would work since people have been cracking down on the whole automatically running programs from any USB device since that debauchery happened. Though there might be a lucky few who have not heard a peep of it. That's why PnP drivers can somehow work in this equation, the device itself can access the memory and if somebody is lucky enough to develop a driver complex enough for Windows itself to send out the victim's keylogs to the malicious user himself. Also I don't think your idea of a failsafe would work. Anything that has something to do with sums, they can manipulate it so that it is exactly the same as the original version. If modified files can keep the same MD5sum as the original, what's a few hackers to do the same thing to USB firmware drivers.

 

"The future starts with you; now start posting more!"

  • | Post Points: 5
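Added example, not part of any post in this thread: the firmware integrity check debated in the two posts above, worked through in Python on constructed data. It compares a checksum shipped with the update, a reference digest kept in ROM, and a keyed tag; HMAC-SHA256 stands in for the vendor signature a real device would verify, and every name, key and byte string here is an assumption.

```python
import hashlib
import hmac

# Constructed sample data: not real firmware, keys or any vendor's format.
ROM_KEY = b"constructed-demo-key-in-device-rom"
GOOD_FW = b"KBD-X fw 1.2: scan key matrix, send HID reports"
EVIL_FW = GOOD_FW + b" [constructed tampered bytes]"


def md5_hex(image: bytes) -> str:
    return hashlib.md5(image).hexdigest()


def mac_hex(image: bytes, key: bytes) -> str:
    # Assumption: HMAC stands in for an asymmetric vendor signature.
    return hmac.new(key, image, hashlib.sha256).hexdigest()


def accept_shipped_checksum(image: bytes, shipped_md5: str) -> bool:
    """Scheme 1: trust a checksum that travels with the update file."""
    return hmac.compare_digest(md5_hex(image), shipped_md5)


def accept_rom_reference(image: bytes, rom_sha256: str) -> bool:
    """Scheme 2: compare with a reference digest the device keeps in ROM."""
    return hmac.compare_digest(hashlib.sha256(image).hexdigest(), rom_sha256)


def accept_keyed_tag(image: bytes, tag: str, key: bytes) -> bool:
    """Scheme 3: verify a tag only the holder of the key can produce."""
    return hmac.compare_digest(mac_hex(image, key), tag)


def evaluate() -> dict:
    rom_ref = hashlib.sha256(GOOD_FW).hexdigest()
    genuine_tag = mac_hex(GOOD_FW, ROM_KEY)        # issued by the vendor
    new_release = GOOD_FW.replace(b"1.2", b"1.3")  # legitimate update
    return {
        # The shipped checksum is simply recomputed over the altered image.
        "checksum_accepts_tampered": accept_shipped_checksum(EVIL_FW, md5_hex(EVIL_FW)),
        # A ROM reference rejects tampering, but also any new genuine release.
        "rom_accepts_tampered": accept_rom_reference(EVIL_FW, rom_ref),
        "rom_accepts_new_release": accept_rom_reference(new_release, rom_ref),
        # Without the key, the altered image can only carry the old tag.
        "tag_accepts_tampered": accept_keyed_tag(EVIL_FW, genuine_tag, ROM_KEY),
        "tag_accepts_new_release": accept_keyed_tag(
            new_release, mac_hex(new_release, ROM_KEY), ROM_KEY),
    }


if __name__ == "__main__":
    for name, result in evaluate().items():
        print(f"{name}: {result}")
```

The unkeyed checksum fails without any hash collision being involved, which is why the strength of MD5 is not the deciding factor; what matters is whether the check depends on something the party altering the image does not hold.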
Top 150 Contributor
Posts 639
Points 7,630
Joined: Jul 2009

I seem to be saying this a lot lately, but... no new news. Ever since ATMs were developed, there have been scam machines-- sometimes full units sitting in public places that log your card number and PIN, sometimes add-ons to legitimate machines. The delivery agents who restock the machines can open them up and swap the card reader board with one that has memory to store card numbers, or add a piggyback reader to do the same job. Like in a casino, most of the theft comes from within.

This is one of the reasons I never (now that I have an iPod Touch) use public computers. I realize that the WiFi connection isn't safe as houses, but at a public terminal there are so many additional sources (and easier ones to run) for stealing information that it's just a bad idea, USB spying or no.


"I didn't cry when Bambi's mother was shot... but I cried when HAL was turned off."
