[Cryptography] Data exfiltration from attached peripherals

Jerry Leichter leichter at lrw.com
Wed Aug 28 17:02:02 EDT 2024 

> ...[N]ow consider the case where someone buys the "smart TV," hooks it up to an HDMI cable, and uses it for a computer monitor. It doesn't have its own IP address.  Conversely, content monitoring (screen grabs) can now have devastating privacy implications since they reveal what someone is working on, financial spreadsheets, proprietary code, etc etc etc...
> 
> Does that TV have any way to exfiltrate that data in the context of what network services it can get from a computer configured to treat it as a monitor?
> 
> Same question for a printer, connected as a USB peripheral and NOT given its own IP address.  Are computer OS's these days so eager to put any connected printer on whatever network the computer is attached to, that the printer actually can request and get the ability to send packets to the wide internet even if it's not configured to be a network printer?
> 
> How about Mice, Keyboards, and USB/wireless peripherals in general? What network privileges can these devices obtain without too much trouble if malign supply-chain crooks want to exfiltrate data and can get someone to attach them to the computer?
It's impossible to answer these questions in any generality - except to say that if someone is really interested in an attack like this, consider that you can buy an Apple Watch that connects directly to the cell network.  Given the tight space and power constraints of a watch ... sticking something like that into pretty much any peripheral would be straightforward - and power would not be a problem.  Sure, the attacker has to maintain a phone line for the device to talk to - but connected cars already do that, so there are probably special deals available for buyers that want bulk service over many lines that are infrequently connected.

Almost as good would be a WiFi chip.  There are widely available public or semi-public WiFi networks in many areas (e.g., many of the cable providers have WiFi networks available to any subscriber) so that would provide an alternative means of connection.

I've never looked closely at HDMI and have no idea if it could be subverted as a mechanism for exporting data.  It would probably depend heavily on the driver at the computer.

Anything using USB is dangerous because USB devices can announce themselves as anything for which there's a USB driver.  You *think* you're connecting a mouse, but it can announce itself as a keyboard and perhaps manage to open a terminal and send commands.  Of course it could do that at hours of the night when it's learned that the mouse sits still for long periods, so you might never notice.  There have been devices reported that do things of this sort.

                                                        -- Jerry

More information about the cryptography mailing list