USB Coffee-Cup Warmer Could Be Stealing Your Data

Are you sure that the keyboard or mouse you are using today is the one that was attached to your computer yesterday? It might have been swapped for a compromised device that could transmit data to a snooper.

The problem stems from a shortcoming in the way the Universal Serial Bus (USB) works. This allows almost all USB-connected devices, such as mice and printers, to be turned into tools for data theft, says a team that has exploited the flaw.

Welcome to the murky world of the "hardware trojan". Until now, hardware trojans were considered to be modified circuits. For example, if hackers manage to get hold of a microchip when it is still in the factory, they could introduce subtle changes allowing them to crash the device that the chip gets built into (New Scientist, 1 July 2009, p 18).

Computer engineers John Clark, Sylvain Leblanc and Scott Knight at the Royal Military College of Canada in Kingston, Ontario, wondered if a hardware trojan attack could be carried out by other means. They calculated that the easiest way to introduce a hardware trojan might be via a computer's USB ports.

The trio found they could exploit a weakness in USB's plug-and-play functionality. The USB protocol trusts any device being plugged in to report its identity correctly. But find out the make and model of a target user's keyboard, say, swap it with a compromised device that reports the same information - and that doesn't even have to be a keyboard - and the computer won't realise.

The team designed a USB keyboard containing a circuit that successfully stole data from the hard drive and transmitted it in two ways: by flashing an LED, Morse-code style, and by encoding data as a subtle warbling output from the sound card (Future Generation Computer Systems, DOI: 10.1016/j.future.2010.04.008). They could have chosen more efficient methods to transmit the data, such as email, but Leblanc says their main goal was to see if they could steal data without anyone noticing.

"We've shown any USB device could contain a hardware trojan," he says. Security software, if it checks USB devices at all, tends to look only for malware on USB memory sticks.

"This work opens many cans of worms," says Vasilios Katos, a computer scientist at the Democritus University of Thrace in Greece. "A USB device cannot now be trusted - it may have hidden processing capabilities."

He's right, says Leblanc. "You could mount a hardware trojan attack with a USB coffee-cup warmer.