Any USB Peripheral is a Potential Security Threat
Be careful what you stick it into.
The USB ports on a computer present a security risk. Not only are storage devices able to plug in and interface with the hardware, but also coffee cup warmers, fans, and even mini-vacuums.
A team of computer engineers from the Royal Military College of Canada in Kingston, Ontario, exploited a weakness in USB plug-and-play functionality: the team created a fake USB device that reported itself as something the computer already recognized.
For example, if the computer had already paired itself with a USB camera, a hacker could spoof the same identity on another device.
As a proof of concept, the team designed a USB keyboard containing a circuit that stole data from the hard drive and transmitted it by flashing an LED in a Morse code-like fashion, as well as through sounds output by the sound card. Such methods are hugely inefficient and likely ineffective, but they served only as a proof of concept of the vulnerability.
Even though virus scanning software may check USB storage for malware, secretly planted trojans inside USB peripherals will likely be missed.
"We've shown any USB device could contain a hardware trojan," said Sylvain Leblanc, one of the engineers. "You could mount a hardware trojan attack with a USB coffee-cup warmer."
(source: New Scientist.)
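An added example, not from the article or the researchers: because a USB device's identity is whatever the device reports, a defender can compare each attached device's reported vendor/product ID, serial number and interface classes against a recorded baseline. The device records, IDs, serials and finding names below are constructed and stand in for values read from the operating system's device inventory.

```python
"""Audit attached USB devices against an enrolled baseline (added example)."""
from collections import Counter

HID, MASS_STORAGE, VIDEO = 0x03, 0x08, 0x0E  # USB interface class codes

# Constructed baseline: identity -> interface classes reported at enrollment.
BASELINE = {
    ("1234", "0001", "CAM-001"): {VIDEO},  # approved webcam
    ("1234", "0002", "KBD-777"): {HID},    # approved keyboard
}

# Constructed snapshot of what is plugged in right now (hypothetical values).
OBSERVED = [
    {"port": "1-1", "vid": "1234", "pid": "0001", "serial": "CAM-001",
     "classes": {VIDEO}},
    # Same identity as the webcam, on another port, and it also acts as a keyboard.
    {"port": "1-3", "vid": "1234", "pid": "0001", "serial": "CAM-001",
     "classes": {VIDEO, HID}},
    {"port": "1-4", "vid": "1234", "pid": "0002", "serial": "KBD-777",
     "classes": {HID}},
    # Never enrolled: storage that also presents a keyboard interface.
    {"port": "2-1", "vid": "abcd", "pid": "0009", "serial": "",
     "classes": {MASS_STORAGE, HID}},
]


def audit(baseline, observed):
    """Return sorted (port, finding) pairs for devices that deviate from baseline."""
    findings = []
    seen = Counter((d["vid"], d["pid"], d["serial"]) for d in observed)
    for dev in observed:
        ident = (dev["vid"], dev["pid"], dev["serial"])
        expected = baseline.get(ident)
        if expected is None:
            findings.append((dev["port"], "not-in-baseline"))
            if HID in dev["classes"]:
                findings.append((dev["port"], "unapproved-hid-interface"))
            continue
        if seen[ident] > 1:  # two devices cannot both be the enrolled one
            findings.append((dev["port"], "duplicate-identity"))
        for cls in sorted(dev["classes"] - expected):
            findings.append((dev["port"], f"new-interface-class:0x{cls:02x}"))
    return sorted(findings)


if __name__ == "__main__":
    for port, finding in audit(BASELINE, OBSERVED):
        print(port, finding)
```

Every field checked here is self-reported, so a clone that copies all of them and physically replaces the original passes this audit; it catches duplicates, unenrolled devices and changed interface sets only.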

I guess my computer can get herpes from the USB stripper pole now? Anyone got a USB condom?
Stupid.
Never saw the point of USB coffee cup Warmers, my EX-Boss had one though, placed in front of his keyboard, missed one day and ended up drowning his KB!
I guess my computer can get herpes from the USB stripper pole now? Anyone got a USB condom?
Does this count?
http://www.tomsguide.com/us/Ben-Ma [...] -7394.html
Had a client once who actually asked about a "remote" control USB vibrator. Would have been something to brag about if she had looked like almost anyone other than the Granny in Hoodwinked. As it was she was a major reason I got out of retail.
In other news from the Department of Obvious: There's Porn on the Internet!
Everything is a potential security threat when you run a swiss-cheese of an OS, like Windoze.
You're missing the point. Mafia types have all sorts of knock-offs that they sell. It wouldn't be a stretch for them to sell a fake MS Basic Optical mouse with a hardware trojan embedded. You would never know your system is compromised.
Great, next thing you know, keyboards come with firewalls and mice have built in anti-virus protection.
I can only imagine what the USB humping dog will bring to my computer O_O
Why not just keep your computer away from people who like to do things like that? Physical security over your things would fix this...
Lame...
So... should I have every USB port on my computer padlocked?
This is more a warning to companies. It's a proof of concept that someone can take the mass produced generic keyboards from Dell/HP/etc. embed a custom circuit and gain access to any PC where they can swap the keyboards. The next time the user logs in bang! full access to the PC.
So... should I have every USB port on my computer padlocked?
No, it means that you should be wary when using a thumb drive from an unknown brand or maker.
I want that usb pole dancer!
Everything is a potential security threat when you run a swiss-cheese of an OS, like Windoze.
I've seen a USB storage device that emulates a keyboard and mouse that was designed to install malware on any system it is plugged into. If the system automatically activates any USB-connected keyboards and the active user's account can create/edit/execute any program (including .bat, .cmd, .vbs, .sh) then it is vulnerable. On most systems it can take over in about 3 seconds. It can't easily get root on a Linux system but can install keyloggers or exploit known daemon security holes. On Windows it can respond to the security dialogs.
THAT'S WHAT SHE SAID
I've seen a USB storage device that emulates a keyboard and mouse that was designed to install malware on any system it is plugged into. If the system automatically activates any USB-connected keyboards and the active user's account can create/edit/execute any program (including .bat, .cmd, .vbs, .sh) then it is vulnerable. On most systems it can take over in about 3 seconds. It can't easily get root on a Linux system but can install keyloggers or exploit known daemon security holes. On Windows it can respond to the security dialogs.
Exactly, it's not that hard to hack a system if you actually get physical access, regardless of the OS. Especially if it's a device that you can convince the user they need to install additional software in order to get full use of the device.
I suppose this article is for people that AREN'T tech savvy..
Honis 07/09/2010 5:48 PM
This is more a warning to companies. It's a proof of concept that someone can take the mass produced generic keyboards from Dell/HP/etc. embed a custom circuit and gain access to any PC where they can swap the keyboards. The next time the user logs in bang! full access to the PC.
Too bad this wasn't pointed out to Express Scripts 2 years ago when someone took their entire user database, then they wouldn't have to put out a 5 million dollar reward for info leading to an arrest.
Thanks Toms, but this is old news.
Yeah that was true but at least now they expose it.
That's what happens when you contract everything to Communist China.
I worked on computers for a major utility until a recent layoff. Of the 100's of people I asked only 1 refused to give me their network password (so I reset it to mummy because the network admin gave me the network admin password and installed the tools needed to reset passwords). Soon thereafter he was promoted to wireless security admin and I got the shaft. Does anyone have a link where I can get the aforementioned keyboard?
A situation where I can see widespread possibilities of stealing data is the notebook coolers (pads) that have active fans in the underlying heatsink surface. These fans plug into the laptop via USB cables often times. If such a company selling these kinds of notebook coolers were say to be infiltrated by a government and such trojan hardware tech installed, many thousands or tens of thousands could be at risk. A very disastrous situation if say corporations were to recommend using such notebook coolers to preserve notebook life, unbeknownst to the corporation.
My First Impression:
1)Picture of a scantily clad pole dancer.
2)"Be careful what you stick it into."
3)STD's are real people.
Wait a minute, college kids finally find out about this? Their parents must be crying when they find out where all that money is going to.
It's a matter of simple logic and experience: you should never put just any kinds of sticks in your wholes!
A situation where I can see widespread possibilities of stealing data is the notebook coolers (pads) that have active fans in the underlying heatsink surface. These fans plug into the laptop via USB cables often times. If such a company selling these kinds of notebook coolers were say to be infiltrated by a government and such trojan hardware tech installed, many thousands or tens of thousands could be at risk. A very disastrous situation if say corporations were to recommend using such notebook coolers to preserve notebook life, unbeknownst to the corporation.
Funny! Wouldn't it be much easier if the government etc... wrongdoers just cooperate with Microsoft to tell them their backdoors to Windows OS?