TechSpot en EspaņolMost Popular
| Top Stories | Just in | Featured |
11 awesome applications you've never heard of featured
Microsoft to offer three-user Windows 7 Family Pack?
USB 3.0-equipped PCs due before end of the year
Apple issues advice on iPhone 3GS overheating
Firefox 3.5 breaks 5 million downloads in 24 hours
Fallout 3 gets 50% price cut on Steam this weekend
TS Community
| User Gallery | Recent Discussion |
 ZzZzZ by gamergirl |  schmelzers desktop01 by schmelzers |
 Mars Colony by (=DoM=) |  Gotta Love Bots by (=DoM=) |
TechSpot RSSInformation Technology
USB devices can become hardware-based Trojans
Two newly discovered bugs in the Microsoft Windows XP Universal Serial Bus [USB] driver mean that a simple USB storage device can be turned into what is essentially a hardware-based Trojan. SPI Dynamics security engineers David Dewey and Darrin Barrall have revealed a hack where full data compromise can be achieved in less than 10 seconds of physical access.
Citing the example of a retail point-of-sale terminal with a USB port on the monitor, a malicious attacker can discretely plug in the USB device, wait 10 seconds while a monitoring program downloads and then leave the scene. Subsequently, after a time period of a week or so has elapsed, the USB device is plugged back in and the recorded transaction and credit card information is pulled off the terminal for "two, 10-second attacks that no one ever saw."
This type of attack can only occur with Windows AutoRun functionality, and only works on non-removable devices; however it is possible to make a USB device look non-removable via in-system programming. So be careful what you plug into that port!
Citing the example of a retail point-of-sale terminal with a USB port on the monitor, a malicious attacker can discretely plug in the USB device, wait 10 seconds while a monitoring program downloads and then leave the scene. Subsequently, after a time period of a week or so has elapsed, the USB device is plugged back in and the recorded transaction and credit card information is pulled off the terminal for "two, 10-second attacks that no one ever saw."
This type of attack can only occur with Windows AutoRun functionality, and only works on non-removable devices; however it is possible to make a USB device look non-removable via in-system programming. So be careful what you plug into that port!
Related Stories
