ARE you sure that the keyboard or mouse you are using today is the one that was attached to your computer yesterday? It might have been swapped for a compromised device that could transmit data to a snooper.
The problem stems from a shortcoming in the way the Universal Serial Bus (USB) works. This allows almost all USB-connected devices, such as mice and printers, to be turned into tools for data theft, says a team that has exploited the flaw.
Welcome to the murky world of the 鈥hardware trojan鈥. Until now, hardware trojans were considered to be modified circuits. For example, if hackers manage to get hold of a microchip when it is still in the factory, they could introduce subtle changes allowing them to crash the device that the chip gets built into (快猫短视频, 1 July 2009, p 18).
Advertisement
Computer engineers John Clark, and Scott Knight at the Royal Military College of Canada in Kingston, Ontario, wondered if a hardware trojan attack could be carried out by other means. They calculated that the easiest way to introduce a hardware trojan might be via a computer鈥檚 USB ports.
The trio found they could exploit a weakness in USB鈥檚 plug-and-play functionality. The USB protocol trusts any device being plugged in to report its identity correctly. But find out the make and model of a target user鈥檚 keyboard, say, swap it with a compromised device that reports the same information 鈥 and that doesn鈥檛 even have to be a keyboard 鈥 and the computer won鈥檛 realise.
鈥淪wap a USB keyboard for a device that reports the same model number, and the computer won鈥檛 know鈥
The team designed a USB keyboard containing a circuit that successfully stole data from the hard drive and transmitted it in two ways: by flashing an LED, Morse-code style, and by encoding data as a subtle warbling output from the sound card (Future Generation Computer Systems, ). They could have chosen more efficient methods to transmit the data, such as email, but Leblanc says their main goal was to see if they could steal data without anyone noticing.
鈥淲e鈥檝e shown any USB device could contain a hardware trojan,鈥 he says. Security software, if it checks USB devices at all, tends to look only for malware on USB memory sticks.
鈥淭his work opens many cans of worms,鈥 says Vasilios Katos, a computer scientist at the Democritus University of Thrace in Greece. 鈥淎 USB device cannot now be trusted 鈥 it may have hidden processing capabilities.鈥
He鈥檚 right, says Leblanc. 鈥淵ou could mount a hardware trojan attack with a USB coffee-cup warmer.鈥