Your Accessories Just Aren’t Safe Anymore

Better switch back to your old, yellowed PS/2 mouse. A trio of researchers have shown that USB devices represent in and of themselves a potential security risk. Your data will never be safe again!

Well, this is true and it isn’t. Would you notice if, say, your keyboard was switched out for another one? Potential data thieves would have a hard time replicating the filth patterns on my keyboard, that’s for sure. But say they did, successfully.

John Clark, Sylvian Leblanc and Scott Knight of the Royal Military College in Kingston, Ontario, Canada have discovered that there’s a rather simple exploit in the way a computer will automatically trust anything plugged into a USB port to report what it is – if it says it’s a keyboard, it must be a keyboard, obviously. But what if it’s not?

Clark, Leblanc and Knight took the liberty of finding out, creating a keyboard with a hardware trojan attached, and plugging it into a USB port. The device was programmed to steal data from the hard drive and transmit it via morse code on the devices LEDs, as well as a warbling sound made from the computer’s internal speaker. Y’know, for all those hackers who like to physically stand next to their victims. How useful. The team also confirmed they could have used other methods, such as email. That they didn’t may be ridiculous, but is not the point: “We’ve shown any USB device could contain a hardware trojan,” says Leblanc of the finding. “You could mount a hardware trojan attack with a USB coffee-cup warmer.” Touchée, Sylvian.

“This work opens many cans of worms,” said Vasilios Katos, a computer scientist at the Democritus University of Thrace. “A USB device cannot now be trusted – it may have hidden processing capabilities.”

True say. Better start keeping tabs on our USB devices, guys – my roommate could be trying to take me down as we speak.