

Amex sends USB trojan keyboards in ads - billpg
http://catless.ncl.ac.uk/Risks/25.83.html#subj12

======
unwind
Just because the device says it's a keyboard without "looking" like one,
doesn't mean it's suspect. Lots of input devices choose to use the human
interface device (HID) USB class, since it's often simpler and has the (huge)
benefit of not requiring custom drivers.

A barcode scanner, for instance, can be designed so that it just sends the
digits contained in the code when you scan, and thus magically work in
applications that just have regular text entry boxes in their UI.

The Yubikey (<http://www.yubico.com/products/yubikey/>) is another example,
where a security-conscious company have chosen the keyboard HID method of
delivering encryption keys to host computers.

~~~
gdee
>> Just because the device says it's a keyboard without "looking" like one,
>> doesn't mean it's suspect.

You forgot the part about its fake USB DEV/PROD ID (masquerading as an Apple
keyboard) and the part about trying to send local data to some "masked" URL.

------
jacquesm
"While we now look for incoming malware on the TCP/IP connections, clearly we
need to similarly monitor the other ports as well; you can do just as much
damage (or more) with an insider keyboard attack, given some social
engineering. Is the power line next?"

The power line has already been used, but not in the incoming direction.

It was successfully used many years ago to smuggle information out of a highly
secured place by modulating the power usage of a drive array; this was enough
to allow a sensor coil placed around one of the wires powering the
installation to pick up the bits.

Slow as hell, and probably quite noisy, but it did work.

I wish I could dig up a citation for it; it was quite an impressive hack,
and they never did figure out who did it.

~~~
Luc
There was a presentation about this kind of hack at Defcon:
[https://www.defcon.org/images/defcon-17/dc-17-presentations/...](https://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-janansky-waite-harware_trojans.pdf)

It mentions this idea of modulating power usage, and a few other clever ones,
though I didn't see a reference to it being used in the past.

~~~
jacquesm
The hack I'm referring to was somewhere in the 70's or 80's, I heard about it
in the 80's (86 or so).

I'm sure it's been done plenty of times though, not just recently. The nasty
thing about it is that such a leak can be in place for a long time before it
is discovered.

Here is a Wikipedia article about it:

<http://en.wikipedia.org/wiki/Power_analysis>

It states that it was introduced in '98, but I'm quite sure of when I heard
about it because I remember who told me (a systems programmer for a bank that
I worked for in those years).

------
amalcon
This isn't particularly more dangerous than the autorun crap most OSes will
happily do when you put in a CD. I don't know who could have possibly thought
_that_ was a good idea.

~~~
kwantam
Well, it's certainly more cross-platform, and a CD can't pretend to be a
keyboard.

~~~
amalcon
Cross-platform I'll grant, though most of the malicious things you'd do with a
keyboard are not cross-platform.

A CD most certainly can pretend to be a keyboard, though. Autoplay is
arbitrary code execution, and arbitrary code execution can do anything.

------
ciupicri
I don't really understand how a USB device can control the computer.

~~~
billpg
Think about how you control your computer with your keyboard and mouse.

"Hello. I'm a keyboard."

"User pressed Logo + R."

"User typed '<http://example.com/trojan.exe>'."

"User hit enter."

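The "Hello, I'm a keyboard" handshake above and the spoofed Apple vendor/product ID mentioned earlier are both things the host can inspect at plug-in time. As an added example (not code from any commenter), here is a small Python audit over constructed USB descriptor records; every VID/PID value, device name and the allowlist are made up for illustration.

```python
# Added example, not code from the thread: classify USB plug-in events by what
# the device claims to be. It counts as a keyboard if any interface is HID
# (class 0x03) with boot subclass 0x01 and protocol 0x01, whatever it looks like.
# All VID/PID values and the allowlist are constructed for illustration.

HID_CLASS = 0x03
KEYBOARD_IFACE = (HID_CLASS, 0x01, 0x01)      # (class, subclass, protocol)

# Constructed allowlist of (idVendor, idProduct) pairs the site has approved.
ALLOWED_KEYBOARDS = {(0x05ac, 0x0220), (0x1050, 0x0010)}

def is_keyboard(dev):
    """True if any interface of the device advertises a boot-protocol keyboard."""
    return KEYBOARD_IFACE in dev["interfaces"]

def audit(devices, allowed=ALLOWED_KEYBOARDS):
    """Return (name, verdict, reason) per device: 'ignore' if it never claims
    to be a keyboard, 'alert' if it is an unapproved keyboard or a keyboard that
    also exposes a non-HID interface, 'ok' otherwise. Note that VID/PID are
    self-reported, so an allowlist match is necessary but not sufficient."""
    results = []
    for dev in devices:
        vid_pid = (dev["idVendor"], dev["idProduct"])
        if not is_keyboard(dev):
            verdict = ("ignore", "does not claim to be a keyboard")
        elif vid_pid not in allowed:
            verdict = ("alert", "unapproved keyboard %04x:%04x" % vid_pid)
        elif any(cls != HID_CLASS for cls, _, _ in dev["interfaces"]):
            verdict = ("alert", "keyboard that also exposes a non-HID interface")
        else:
            verdict = ("ok", "approved keyboard")
        results.append((dev["name"],) + verdict)
    return results

# Constructed sample plug-in events; interfaces are (class, subclass, protocol).
SAMPLE_DEVICES = [
    {"name": "desk keyboard", "idVendor": 0x05ac, "idProduct": 0x0220,
     "interfaces": [(0x03, 0x01, 0x01)]},
    {"name": "thumb drive", "idVendor": 0x0781, "idProduct": 0x5567,
     "interfaces": [(0x08, 0x06, 0x50)]},
    {"name": "ad gadget", "idVendor": 0x05ac, "idProduct": 0x0220,  # copies the desk keyboard's IDs
     "interfaces": [(0x03, 0x01, 0x01), (0x08, 0x06, 0x50)]},
    {"name": "barcode scanner", "idVendor": 0x1234, "idProduct": 0x0001,
     "interfaces": [(0x03, 0x01, 0x01)]},
]

if __name__ == "__main__":
    for name, verdict, reason in audit(SAMPLE_DEVICES):
        print("%-16s %-7s %s" % (name, verdict, reason))
```

A legitimate HID-class barcode scanner trips the unapproved-keyboard rule until its IDs are added to the allowlist, which is the intended trade-off: the host cannot tell a scanner from a keystroke injector by descriptors alone.
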
~~~
ciupicri
In the meantime I've read the article describing the attack and now I
understand what's going on. Though, thank you for the short explanation.

