Researchers say any USB peripheral could steal your data, even a coffee-cup warmer
By Sean Hollister 
posted Jul 5th 2010 5:09AM
posted Jul 5th 2010 5:09AM
So you've got a nice secure thumbdrive, but did you ever think to lock its port? Engineers at the Royal Military College of Canada say the plug and play functionality built into most computers automatically trusts whatever's plugged into the USB slot. That doesn't just go for flash drives left out on the street, but all manner of other peripherals as well, as the trio of triumphant researchers demonstrated when they (presumably) infiltrated colleagues' offices with a totally sweet spy keyboard. That particular device flashed an LED or made the mark's sound card warble to covertly transmit stolen data, but such exotic methods are reportedly not required -- so you've yet another reason to cringe when your coworker trots out his Humping Dog.
OMG ...
@littlea
You know technology is getting out of control, when a USB powered vibrator has the potential to steal all your personal data.
.. what?
@uckApple
Wait, my humping dog can give my computer an STD? O.o
@SolidSnake Son... let me teach you a little something about the birds and the USBs...
@littlea
i would choose hot coffee over secure data but that's just me
@uckApple yeah suprising how periphreals can infeat people but not hard to understand if people did the same thing with people at a club
@littlea one other thing dont buy the cup warmer if its from hp, you'll get advertisements every time you lift the cup!
I doubt my keyboard is going to steal my Warcraft password, maybe my usb headset but not my keyboard
Um, dont most of those usb powered devices just use the power rails and not the data rails?
@squirrelnut1416 who knows
@squirrelnut1416
I was always under the impression that a device wouldn't be supplied power until it was 'recognised' by being queried for it's device id... I'm guessing that query would use the data channels.
@Menthos
I think it depends on the device. My charger for my bluetooth does not use the data rails. Once i put the cable in, it sends power. I know this because it is plugged into my monitor which is not plugged into my computer. Its one of those dells with the media bays on it.
@Menthos. The USB spec calls for each port to have a current limiter and monitor that starts out at 100mA and goes up to 500mA after negotiation. Almost nobody does this, often using just a 1A self resetting fuse per port pair which is how most of these gadgets get away without data lines.
@squirrelnut1416: Most devices that just use power don't bother with the data negotiation process; some *really* cheap devices don't even have wire in the cable for the data lines.
I think the article is referring to objects that you would expect would only use the power lines, but instead also have data lines that are covertly spying on your system... IE a Coffee warmer with flash storage inside for storing keystrokes, etc.
Maybe this is why iMacs don't have too many USBs. Apple knew this all along!
@Alex R Seriously, the fuck?
@Exbloder Yeah, it's true, aliens told them.
@Alex R Wow, that is some quality trolling right there.
@Alex R
/sarcasm?
Is it too late to add one of those?
@Alex R I actually read that as sarcasm the whole way and I don't always have a nose for such things.
@Alex R
Yes.
I have that exact hotplate/hub! Scary.... O.o
If you've got physical access to computer, you get physical access to the computer!
$10 off-the-shelf MPU purchased from digi-key can do this, there's no surprise at all...
@num0
Agreed... if a person is logged in and steps away fro 30 seconds, that's all you need to pop a USB key in, have it run a few tid-bits, and pop it back out and walk away with enough info to get you going... Or go to your friend and say "Hey! I got this great mod for TF!!! Grab it off my thumb drive!" and while they're transferring the(a) file, whether legit or not, your stuff runs in the background.
This kind of identity/information theft has been around forever. It's a common and easy exploit that any self respecting hacker knows about... I'm not self respecting or much of a hacker and even I know about it! That's why auto-play is always best set to off if you have any chance of physical compromise.
@Freakie
what?? this is not about autoplay. linux doesn't even have autoplay. and every sane windows user has autoplay turned off.
This is not new news.
In your usb stealing yours infos
You actually need the driver on the other side to send the data. If you've access to everything already (aka install software that is not automatically detected), then you don't really care for the USB right?
Alternatively, even a non-usb keyboard can snoop your keystrokes and send them through other means, like self powered bluetooth (bypassing the computer).
Oh and you can also just boot the computer from CD since you've physical access. Things like that.
In the end it's not all that useful.
@zob You could, however, give someone a flash drive or keyboard, which that person would install themself, thinking it would be safe. You don't need direct access yourself.
Wouldnt it be easier to use a keylogger anyway. But it true, even the humping dog has a 4mb cache.
I put a virus on my ps3 joypad, and now it turns the machine on and plays games, clever little thing, and I cant get it off. I have to keep it at the bottom of the stairs keeping it out of range.
Does anybody here use NSA software?
Kasperey Antivirus monitors the usb ports, connect anything and before its booted, a password must be entered. Secure enough I think. A process monitor never hurts either.
Humm
I feel its important to point out that normally purchased USB coffee cup warmers, glitter balls and mini aquariums etc do not use any other connections than the + and - power connections, and wont show up in the system tray when you first plug them in. But its entirely possible to adapt one so it has a hidden built in data logger and some kind of auto-run pendrive containing some code that self-runs on your system, this code would theoretically 'call home' your keyboard and mouse movements. So somebody will need to have adapted a unit to do that.
You will always see a little popup of a USB device installing on your system, so if u see such a device do that, check the device manager to see what has actually been installed, doesn't hurt to check it anyway as it'll always show up in the Device Manager.
The moral of the story - watch your system tray for devices being installed when plugging these things in, and pay a little attention to people gifting you such devices, or seeing such things just plugged into your PC. And be a little vigilant of the motives of some people around you, but dont be too paranoid as this is likely to be pretty rare.
Researchers say chocolate causes cancer.
Researchers say chocolate is a deterrent for cancer.
Researchers research what researchers are searching for.
Those researchers are slow. Hak5 had sent out working sample (a USB Rubber Ducky) weeks ago.
Is this really surprising anyone. That's why you can disable USB using group policy on domains (although it's not 100% effective). Basically if someone has physical access to a machine you won't stop them.
How about a wireless keyboard running on bluetooth?
I have that fucking coffe warmer!!! (was a present)
I'm skeptical (and the article doesn't provide details) on how they think that they could get the data out via email - it seems like this would require code execution on the computer (rather than using only USB commands as their examples did), and in newer versions of Windows USB devices are no longer trusted by autorun (autorun programs are only executed if the user explicitly selects them from the autorun prompt list).
Absconding with data using only elements of the USB standard, without code execution by the operating system, just seems very impractical for the described usage scenarios (embedding them in humping dogs, for example), since the researchers were not able to provide a method to move data over the network. Really using this exploit would require physical access, and if you have physical access a software keylogger would be a superior option in most cases, and a conventional hardware keylogger in most other cases.
I wish I could read the research, but these cursed scientific journals are still trying to separate me from my money. One day everyone will join JSTOR...
@jcrawfordor It emeulates a usb keyboard.
I own that exact USB coffee warmer, bought it for a dollar from a Radioshack about 2-3 years ago, works great as a hub. Too scared I'll spill ramen on my laptop to use it for the warming function.
This brings up the age old question: Does physical access to the computer count as 'hacking'?