US scientists today warned against a novel threat to computer security: peripheral devices such as keyboards, mice or microphones that have been physically bugged to steal data.
Researchers from the University of Pennsylvania School of Engineering and Applied Science dubbed the dodgy hardware devices JitterBugs. The name reflects the way such peripherals transmit stolen data in 'jittery' chunks as they add nearly imperceptible processing delays after a keystroke. It also refers to the 'jitters' such bugs could inspire in anyone with secure data to safeguard.
As proof of the concept the researchers from Penn's Department of Computers and Information Science, including graduate student Gaurav Shah and associate professor Matthew Blaze, built a functional keyboard JitterBug with "little difficulty".
"This is spy stuff. Someone would need physical access to your keyboard to place a JitterBug device, but it could be quite easy to hide such a bug in plain sight among cables or even replace a keyboard with a bugged version," said Shah.
"Although we do not have evidence that anyone has actually been using JitterBugs, our message is that if we were able to build one, so could other, less scrupulous people."
JitterBug devices are conceptually similar to keystroke loggers, such as the one famously used by the FBI to gather evidence against bookmaker Nicodemo Scarfo Jr. Unlike keystroke loggers, which would have to be physically installed into a subject's computer and then retrieved, a keyboard JitterBug only needs to be installed.
The device itself sends the collected information through any interactive software application where there is a correlation between keyboard activity and network activity, such as instant messaging, SSH or remote desktop applications. The bug leaks the stolen data through short, virtually unnoticeable delays added every time the user presses a key.
One particular scenario is what Blaze refers to as a "Supply Chain Attack", in which the manufacture of computer peripherals could be compromised. Such an attack could, for example, result in a large number of such JitterBugged keyboards in the market. An attacker would only then need to wait until a target of interest acquires a bugged keyboard.
According to Shah, the channel through which the JitterBug transmits data is also the point where it could be most easily detected and countered.
While his presentation only discussed simple countermeasures to JitterBugs, Shah's initial results indicate that the use of cryptographic techniques to hide the use of encoded jitter channels might be a promising approach.
"We normally do not think of our keyboard and input devices as being something that needs to be secured; however, our research shows that if people really wanted to secure a system, they would also need to make sure that these devices can be trusted," Shah said.
"Unless they are particularly paranoid, however, the average person does not need to worry about spies breaking into their homes and installing JitterBugs."
Cotton seedling freezes to death as Chang'e-4 shuts down for the Moon's 14-day lunar night
Fortnite easily out-earns PUBG, Assassin's Creed Odyssey and Red Dead Redemption 2 in 2018
Meteor showers as a service will be visible for about 100 kilometres in all directions
Saturn's rings only formed in the past 100 million years, suggests analysis of Cassini space probe data
New findings contradict conventional belief that Saturn's rings were formed along with the planet about 4.5 billion years ago