Peripheral devices such as keyboards, mouses, microphones, etc. could pose a serious problem of vulnerability, of security.

At least, that's what believe researchers at the University of Pennsylvania. Using a device known as a JitterBug, they found that a hacker could physically spy a peripheral device and steal chunks of data by creating an all-but-imperceptible process running after a keystroke.

As a proof of concept, they built a functional JitterBug for keyboard, a real spy stuff. Of course, it's necessary to have, at one moment, a physical access to the target keyboard, just to install the device. But that's quite easy: in the worst case, you exchange the real keyboard by a similar but modified model.

Unlike existing keystroke loggers, you do not need to retrieve it to collect data. Indeed, the device can use any network-related application, as the e-mail or instant messaging to transmit data. Smaller, then with less storage space, but smarter: they can be configured to record only one type of data. For example, a Jitterbug that only works when the user types his name: one can expect that the following keystrokes would include the user's password!

Although there is no evidence that anyone has actually been using JitterBugs, there is no reason nobody never did it. Alarming scenario: a manufacturer of peripheral devices could be compromised, inundating the market with JitterBugged devices.
According to the researchers, a solution: cryptography...



Source: University of Pennsylvania, last monday.