
Any USB Peripheral is a Potential Security Threat

Source: Tom's Hardware US | 27 comments

Be careful what you stick it into.

The USB ports on a computer present a security risk. Storage devices are not the only things that plug in and interface with the hardware: so do coffee cup warmers, fans, and even mini-vacuums.

A team of computer engineers from Royal Military College of Canada in Kingston, Ontario exploited a weakness in the USB plug-and-play functionality. The team created a fake USB device that reported itself as something the computer already recognized.

For example, if the computer already paired itself with a USB camera, a hacker could spoof the same identity on another device.

As a proof of concept, the team designed a USB keyboard containing a circuit that stole data from the hard drive and transmitted it by flashing an LED in a Morse code-like fashion, as well as through sounds output by the sound card. While such methods are hugely inefficient and likely ineffective, it was just a proof of concept of the vulnerability.

Even though virus scanning software may check USB storage for malware, secretly planted trojans inside USB peripherals will likely be missed.
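
A host-side check for the identity spoofing described above, as an added example that is not from the article or the researchers: it compares each attached device's reported identity and interface classes against a recorded baseline. The record fields, port names and vendor/product IDs are constructed assumptions.

```python
from dataclasses import dataclass

# Standard USB interface class codes (bInterfaceClass)
USB_CLASS = {0x01: "audio", 0x03: "hid", 0x08: "mass-storage", 0x0E: "video"}

@dataclass(frozen=True)
class Device:
    vid: int
    pid: int
    serial: str
    port: str            # physical port path (hypothetical naming, e.g. "1-2")
    classes: frozenset   # bInterfaceClass of every interface the device reports

    @property
    def identity(self):
        return (self.vid, self.pid, self.serial)

def audit(baseline, attached):
    """Return (port, reason) findings for the currently attached devices."""
    known = {d.identity: d for d in baseline}
    findings, seen = [], {}
    for dev in attached:
        ref = known.get(dev.identity)
        if ref is None:
            findings.append((dev.port, "unknown identity"))
            continue
        # A recognized identity that suddenly exposes more functions than before
        extra = dev.classes - ref.classes
        if extra:
            names = ",".join(sorted(USB_CLASS.get(c, hex(c)) for c in extra))
            findings.append((dev.port, f"known identity with new interfaces: {names}"))
        # The same identity present twice means one of them is a copy
        if dev.identity in seen:
            findings.append((dev.port, f"identity already attached on port {seen[dev.identity]}"))
        seen.setdefault(dev.identity, dev.port)
    return findings

# Constructed sample data: the IDs and serials are made up.
CAMERA = Device(0x1234, 0x0001, "CAM001", "1-1", frozenset({0x0E, 0x01}))
KEYBOARD = Device(0x1234, 0x0002, "", "1-2", frozenset({0x03}))
BASELINE = [CAMERA, KEYBOARD]
ATTACHED = [
    CAMERA,
    Device(0x1234, 0x0001, "CAM001", "1-4", frozenset({0x0E, 0x01, 0x03})),
    KEYBOARD,
]

if __name__ == "__main__":
    for port, reason in audit(BASELINE, ATTACHED):
        print(port, reason)
```

This check only sees what a device reports about itself, so a trojan that presents exactly the baselined descriptors and is attached on its own still passes.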

"We've shown any USB device could contain a hardware trojan," said Sylvain Leblanc, one of the engineers. "You could mount a hardware trojan attack with a USB coffee-cup warmer."

(source: New Scientist.)

Top Comments
  • 27
    cmcghee358 , July 9, 2010 11:40 AM
    I guess my computer can get herpes from the USB stripper pole now? Anyone got a USB condom?
  • 11
    azconnie , July 9, 2010 12:46 PM
    cmcghee358: I guess my computer can get herpes from the USB stripper pole now? Anyone got a USB condom?

    Does this count?

    http://www.tomsguide.com/us/Ben-Marsh-Gaming-Mario-Tetris-sex,news-7394.html
Other Comments
  • -5
    icemunk , July 9, 2010 11:40 AM
    Stupid.
  • 5
    Anonymous , July 9, 2010 12:28 PM
    Never saw the point of USB coffee cup warmers, my ex-boss had one though, placed in front of his keyboard, missed one day and ended up drowning his KB!
  • 4
    misry , July 9, 2010 12:48 PM
    Had a client once who actually asked about a "remote" control USB vibrator. Would have been something to brag about if she had looked like almost anyone other than the Granny in Hoodwinked. As it was she was a major reason I got out of retail.
  • 1
    d0gr0ck , July 9, 2010 1:04 PM
    In other news from the Department of Obvious: There's Porn on the Internet!
  • 1
    LORD_ORION , July 9, 2010 1:40 PM
    You're missing the point. Mafia types have all sorts of knock-offs that they sell. It wouldn't be a stretch for them to sell a fake MS Basic Optical mouse with a hardware trojan embedded. You would never know your system is compromised.
  • 1
    insider3 , July 9, 2010 2:07 PM
    Great, next thing you know, keyboards come with firewalls and mice have built in anti-virus protection.
  • 6
    Marco925 , July 9, 2010 2:27 PM
    I can only imagine what the USB humping dog will bring to my computer O_O
  • 1
    requiemsallure , July 9, 2010 3:25 PM
    Why not just keep your computer away from people who like to do things like that? Physical security over your things would fix this...
  • -2
    dark_lord69 , July 9, 2010 3:26 PM
    Lame...
  • -1
    AMDnoob , July 9, 2010 3:26 PM
    So... should I have every USB port on my computer padlocked?
  • 0
    Honis , July 9, 2010 3:48 PM
    This is more a warning to companies. It's a proof of concept that someone can take the mass-produced generic keyboards from Dell/HP/etc., embed a custom circuit and gain access to any PC where they can swap the keyboards. The next time the user logs in, bang! Full access to the PC.
  • 1
    the_krasno , July 9, 2010 3:51 PM
    AMDnoob: So... should I have every USB port on my computer padlocked?

    No, it means that you should be wary when using a thumb drive from an unknown brand or maker.
  • 0
    dman3k , July 9, 2010 5:31 PM
    I want that usb pole dancer!
  • 2
    jhansonxi , July 9, 2010 5:55 PM
    wotan31: Everything is a potential security threat when you run a swiss-cheese of an OS, like Windoze.

    I've seen a USB storage device that emulates a keyboard and mouse that was designed to install malware on any system it is plugged into. If the system automatically activates any USB-connected keyboards and the active user's account can create/edit/execute any program (including .bat, .cmd, .vbs, .sh) then it is vulnerable. On most systems it can take over in about 3 seconds. It can't easily get root on a Linux system but can install keyloggers or exploit known daemon security holes. On Windows it can respond to the security dialogs.
  • -1
    eklipz330 , July 9, 2010 8:44 PM
    Quote:
    Be careful what you stick it into.


    THAT'S WHAT SHE SAID
  • 1
    maestintaolius , July 10, 2010 1:14 AM
    jhansonxi: I've seen a USB storage device that emulates a keyboard and mouse that was designed to install malware on any system it is plugged into. If the system automatically activates any USB-connected keyboards and the active user's account can create/edit/execute any program (including .bat, .cmd, .vbs, .sh) then it is vulnerable. On most systems it can take over in about 3 seconds. It can't easily get root on a Linux system but can install keyloggers or exploit known daemon security holes. On Windows it can respond to the security dialogs.

    Exactly, it's not that hard to hack a system if you actually get physical access, regardless of the OS. Especially if it's a device that you can convince the user they need to install additional software in order to get full use of the device.
  • -2
    chickenhoagie , July 10, 2010 1:16 AM
    I suppose this article is for people that AREN'T tech savvy..