[Cryptography] Data exfiltration from attached peripherals

[Ray Dillinger]

Assume the existence of a dishonest IoT device manufacturer who is going 
all in on the "surveillance economy."  Yeah, I know, trivial assumption. 
We don't have to assume.

They manufacture a smart TV with voice-activated features, putting a 
microphone in the owners' living rooms.

In the usual case, the TV is installed with its own IP address and 
network capabilities, and they can get audio recordings of family 
arguments, private conversations about family finances, and lovemaking 
sessions delivered to their servers automatically. Along with content 
monitoring so they know what programming they're playing or reacting 
to.  Depending on who the owner is, this is likely to be a lucrative 
data stream.

But now consider the case where someone buys the "smart TV," hooks it up 
to an HDMI cable, and uses it for a computer monitor. It doesn't have 
its own IP address.  Conversely, content monitoring (screen grabs) can 
now have devastating privacy implications since they reveal what someone 
is working on, financial spreadsheets, proprietary code, etc etc etc...

Does that TV have any way to exfiltrate that data in the context of what 
network services it can get from a computer configured to treat it as a 
monitor?

Same question for a printer, connected as a USB peripheral and NOT given 
its own IP address.  Are computer OS's these days so eager to put any 
connected printer on whatever network the computer is attached to, that 
the printer actually can request and get the ability to send packets to 
the wide internet even if it's not configured to be a network printer?

How about Mice, Keyboards, and USB/wireless peripherals in general? What 
network privileges can these devices obtain without too much trouble if 
malign supply-chain crooks want to exfiltrate data and can get someone 
to attach them to the computer?

Bear