Most Popular
| Top Stories | Commented | Featured |
Revised BitTorrent protocol removes the need for ISP throttling
Firefox 3.6 Beta 1 available for download
Weekend tech reading: DirectX 11 comes to Windows Vista
Maingear unveils enthusiast-oriented SHIFT desktop PC
Windows 7's share climbs some 40% during launch week
Apple to disable Atom support with OS X 10.6.2?
TS Community
| User Gallery | Recent Discussion |
 my pc with side on by dustin_ds3000 |  Asus Vento Case by AmDuSeR |
 Windows 2003 Server by Phantasm66 |  My Christmas Desktop by ragebflame |
TechSpot RSSInformation Technology
USB devices can become hardware-based Trojans
Two newly discovered bugs in the Microsoft Windows XP Universal Serial Bus [USB] driver mean that a simple USB storage device can be turned into what is essentially a hardware-based Trojan. SPI Dynamics security engineers David Dewey and Darrin Barrall have revealed a hack where full data compromise can be achieved in less than 10 seconds of physical access.
Citing the example of a retail point-of-sale terminal with a USB port on the monitor, a malicious attacker can discretely plug in the USB device, wait 10 seconds while a monitoring program downloads and then leave the scene. Subsequently, after a time period of a week or so has elapsed, the USB device is plugged back in and the recorded transaction and credit card information is pulled off the terminal for "two, 10-second attacks that no one ever saw."
This type of attack can only occur with Windows AutoRun functionality, and only works on non-removable devices; however it is possible to make a USB device look non-removable via in-system programming. So be careful what you plug into that port!
Citing the example of a retail point-of-sale terminal with a USB port on the monitor, a malicious attacker can discretely plug in the USB device, wait 10 seconds while a monitoring program downloads and then leave the scene. Subsequently, after a time period of a week or so has elapsed, the USB device is plugged back in and the recorded transaction and credit card information is pulled off the terminal for "two, 10-second attacks that no one ever saw."
This type of attack can only occur with Windows AutoRun functionality, and only works on non-removable devices; however it is possible to make a USB device look non-removable via in-system programming. So be careful what you plug into that port!
Related Stories
