Infosec eggheads rig USB desk lamp to leak passwords via Bluetooth

Malicious USB gadgets can secretly spy on data flowing in and out of devices plugged into adjacent USB ports, security researchers in Australia have warned. For example, keypresses from a USB keyboard could be read by a specially modified thumb drive placed in the next-door port. The spy stick can pick up electrical signals …

  1. Slx

    and this is why I'm wary of public USB chargers!

    I never really understand the attraction of USB charging points on wall sockets. Just use your own mains adaptor that has no data capabilities.

    1. David 132 Silver badge

      Re: and this is why I'm wary of public USB chargers!

      And of course if you are going to use a USB charging point in an unknown, unverified environment - use one of these delightfully-named devices or equivalent!

      https://www.amazon.com/Syncstop-The-Original-USB-Condom/dp/B01N0HCJOW

      1. Anonymous Coward

        Re: and this is why I'm wary of public USB chargers!

        A better solution would be for iOS and Android to implement a "charging mode" where you are required to take some additional action when plugging into a USB port for the phone to allow it to do anything but charge. Like having to hit 'ok' to a prompt to permit a data connection, hold down a button when connecting the cable, that sort of thing. Otherwise, the data pins should be electrically disconnected in the phone to prevent any sort of mischief.

        Unfortunately this attack is so rare (maybe has never happened except when researchers did it?) it isn't worth their while to address, I guess.

        1. Jordan Davenport

          Re: and this is why I'm wary of public USB chargers!

          "A better solution would be for iOS and Android to implement a "charging mode" where you are required to take some additional action when plugging into a USB port for the phone to allow it to do anything but charge."

          Though Android will still expose the device's existence to the host, it does have a charging mode that doesn't allow any debugging commands or media transfers to occur.

        2. Anonymous Coward

          Re: and this is why I'm wary of public USB chargers!

          A better solution would be for iOS and Android to implement a "charging mode" where you are required to take some additional action when plugging into a USB port for the phone to allow it to do anything but charge.

          Isn't this already the default behaviour on Android 7?

          At least my Moto Z won't initiate a data connexion unless I explicitly choose something other than "charge through USB" from the notification panel.

          1. Anonymous Coward

            Re: and this is why I'm wary of public USB chargers!

            Maybe this is what iOS does when you get the dialog with the choice to 'Trust' the computer. Though I'm not sure I wouldn't trust the writers of the USB spec not to screw up so that even if Android 7 and iOS are being careful that they don't potentially get screwed by the hardware itself in some manner. USB specs were designed with convenience in mind, not security.

        3. Montreal Sean

          Re: and this is why I'm wary of public USB chargers!

          A charge only mode has existed on BlackBerry devices for years.

          You were presented with an option menu each time you connected to a new USB host.

          Android started doing the same with version 5 I think?

      2. the_rob

        Re: and this is why I'm wary of public USB chargers!

        I'd like to point out that there is another way to use untrusted USB devices/hosts - the USG hardware firewall:

        https://github.com/robertfisk/usg/wiki

        It supports mass storage, HID mice & keyboards. Off-the-shelf or build-your-own!

        1. Infernoz Bronze badge
          Meh

          Re: and this is why I'm wary of public USB chargers!

          @the_rob

          It's a hand made hobby project in New Zealand, and only supports _very dated_ USB 1.0, so pretty much useless for all but keyboards and some mice, _not_ storage, which is USB 2.0 and often USB 3.0 now, so not very useful.

          When he can mass sell a toughened USB 3.0 version, at a sensible price, say via Kickstarter, maybe then I'll be interested.

          1. Roland6 Silver badge

            Re: and this is why I'm wary of public USB chargers!

            and only supports _very dated_ USB 1.0

            Which is a very pertinent point!

            What is interesting is that the researchers in the article don't mention which version of USB they have been using - suspect it is USB 1.0...

    2. Montreal Sean

      Re: and this is why I'm wary of public USB chargers!

      I have a charge only USB cable that I take with me, it is lacking the data lines.

      Came with a cheap rechargeable flashlight.

  2. razorfishsl

    Nothing new, just a simple USB shill with re-direct to Bluetooth.

    Had such hacks around the 2008's, also had attack models for the new version of FireWire and a range of malware firmwares for the Oxford chipset with Java loaders. Just sad FireWire did not take off properly.

    Later a range of USB 3.1 with intelligent peripheral hacks waiting in the wings.

    It is not what is published that is interesting.......this is mostly just "jump on the bandwagon" stuff from research not published.

    1. Adam 1

      Wait what!? You want FireWire rather than USB because you think it's more secure?

      Er, no. It gets a DMA side channel that can bypass pretty much any OS level control. The bypassing the OS bit is why it is (or at least was) so much faster than other standards of its day.

      https://github.com/carmaa/inception

  3. Anonymous Coward
    FAIL

    "... the whole supply chain should be validated to ensure that the devices are secure."

    And if the NSA's TAO have you in their sights, that means little to nothing short of armed guards, that you can trust, all along the way. Just ask Cisco.

  4. John Smith 19 Gold badge
    Unhappy

    "a novelty USB desk lamp"

    The novelty would be it would be secure?

    Sounds like one of those "If someone has the resources to gain physical access...." which is true of any attack.

    If you can get into someone's place and swap their "whatever" for a copy with rogue hardware inside it's pretty much game over.

  5. mark l 2 Silver badge

    My cheap 100 quid phone has Android 6 and that has the option for Charge only when you plug in to USB. I don't think this option has been implemented for security reasons more so it can charge the battery faster but if it disables debugging and file transfer it's better than nothing.

  6. Stuart Halliday

    Eh?

    Don't see how. The data lines of nearby USB ports will not be switching logic levels.

    Sure, if I put an A/D converter in the USB device I could easily record minor changes in the data lines.

    But then if I'm doing that, it's pretty safe to bet the PC is unguarded.

    Then a couple of capacitors across the data lines will solve that problem.

    In any case, hardly real-world scenario...

    1. Dan 55 Silver badge

      Re: Eh?

      They won't be switching logic levels but the voltage variation is enough to tell what's happening next door.

  7. Anonymous Coward
    Big Brother

    Uh-oh!

    It's obviously a trivial exploit to transmit the entire contents of the hard drive by modulating the brightness of the novelty lamp at up to 32 baud.

    1. Adam 1

      Re: Uh-oh!

      Pfft. Easily defeated with a piece of cardboard and sticky tape. Real l337 haxors would ramp the CPU load up and down to encode the HDD data using fan speed and the mic on a nearby machine as a pick-up.

  8. Starace

    Infosec eggheads?

    I'd be mildly impressed if a 12 year old had come out with this.

    An actual adult showing that you can access data using a malicious USB device or by monitoring leakage or power draw is hardly doing something new or original.

    Or in other words like so many of these researchers demoing 'new' side channel attacks their work is worthless.

  9. David Roberts

    Bus?

    Never looked at the spec but assumed up to now that as a Bus the data was visible to all devices on the Bus and used addressing.

    As others have said, if you have a rogue device plugged into your PC then sniffing adjacent USB ports seems a trivial waste of time compared to other options.

  10. Pascal Monett Silver badge

    "It's not a particularly practical or terrifying scenario"

    No it isn't, because we're back to the physical access = game over scenario.

    I thought I was going to read something exciting about how a lamp had been modified to accept a USB key that could monitor signals from a laptop next to it.

    THAT would have been frighteningly exciting, even if we're almost at physical access again.

    In short, I feel let down by this article. Much less than I had hoped for.

    1. Anonymous Coward

      Re: rate this article notverymany/10

      " I feel let down by this article. "

      You could probably say that about 90%+ of the published "security research" stuff. It gets the 'researcher's' name in the public domain, even if the content is laughably impractical. If that's why the press release existed, it's nearly worked.

      Then there's the equally daft, but for different reasons, stuff like Siemens kit (for automation use, and apparently also for medical use?) shipping with default passwords and the like. That kind of thing stopped being acceptable even before Windows NT hit the market as a Microsoft product (which itself must be due for a 25th anniversary soon). That deserves to get covered properly, here and elsewhere, but it's not really going to advance anyone's visibility as a 'security researcher' is it?

      In the last 12 months there were a few articles about genuine mass market vulnerabilities and exploits in webcams, many of which are made by the same handful of companies and differ only in the badges with which they sell. A couple of companies had similar products which weren't vulnerable. I'd rather read about them, and how and why they made a better job of it, than security-researcher-press-release-derived stuff.

      Meanwhile behind the curtain, what's the state of play with Intel's reported challenges with AMT security? And the vendors who have sold kit with the associated vulnerabilities?

      https://www.theregister.co.uk/2017/05/01/intel_amt_me_vulnerability/
