[Cryptography] Data exfiltration from attached peripherals
Ray Dillinger
bear at sonic.net
Thu Aug 29 23:56:27 EDT 2024
On 8/28/24 14:02, Jerry Leichter wrote:
> It's impossible to answer these questions in any generality - except to say that if someone is really interested in an attack like this, consider that you can buy an Apple Watch that connects directly to the cell network. Given the tight space and power constraints of a watch ... sticking something like that into pretty much any peripheral would be straightforward - and power would not be a problem. Sure, the attacker has to maintain a phone line for the device to talk to - but connected cars already do that, so there are probably special deals available for buyers that want bulk service over many lines that are infrequently connected.

Mmmm? I was under the impression that the Apple Watch connected only to
a required iPhone, which in turn connected to the cell network. Perhaps
I was mixing it up with some other smart watch or an earlier version.

Still, the point stands. Wi-Fi chips are dead cheap, the radio and SIM
emulation are available and not all that expensive, and if someone wants
to harvest that data regardless of the user's consent, it does stand to
reason that, since it's cheap, they will do it in a way that doesn't
require (detectable) shenaniganery to get IP access on the user's network.
It requires an extra-special asshole step to deliberately bypass the
user's network, but that's really not that hard and there are compelling
commercial reasons why someone would decide to do that.

Someone else has told me that cheap TVs sold nowadays are refusing to
get past the power-up screen if nobody gives them IP access, so...
that's looking like a defective product to return in hopes that the
practice doesn't catch on. But! It's also looking like some
manufacturers really and truly are all-in on harvesting data regardless
of customer consent, and in that case deliberately (and silently)
bypassing the user's network saves them the expense of handling product
returns.

> Anything using USB is dangerous because USB devices can announce themselves as anything for which there's a USB driver. You *think* you're connecting a mouse, but it can announce itself as a keyboard and perhaps manage to open a terminal and send commands. Of course it could do that at hours of the night when it's learned that the mouse sits still for long periods, so you might never notice. There have been devices reported that do things of this sort.

I am already familiar with that aspect of USB. I worked for years at a
place where all USB ports in the office were therefore filled with epoxy
by the IT department before the machines were deployed.

More recently I've worked on a custom keyboard containing a built-in
internal USB hub with a thumb drive and a numpad function mode that
sends mouse messages. With a little work I could swap the thumb drive
for a bootable SSD. But that's not the case of a dishonest manufacturer
designing a device for exfiltration - that's me designing something for
my own use and convenience, with no marketing plan whatsoever.

Bear
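
Added example (not part of the original thread, and not code from either poster): a defender-side check for the USB point discussed above, comparing the interfaces a device declares at enumeration with what the product is supposed to be. The descriptor layout and class codes follow the USB 2.0 and HID 1.11 specifications; the function names, the policy sets and the two sample descriptors are constructed for illustration.

```python
# Audit what a USB device *declares* against what it was bought as.
HID_CLASS = 0x03
HID_BOOT_PROTOCOLS = {0x01: "keyboard", 0x02: "mouse"}
CLASS_NAMES = {0x02: "cdc-comm", 0x08: "mass-storage", 0x09: "hub",
               0x0A: "cdc-data", 0xE0: "wireless"}

def declared_functions(descriptors: bytes) -> list[str]:
    """Walk raw descriptors (length/type prefixed) and name each interface."""
    functions, offset = [], 0
    while offset + 2 <= len(descriptors):
        length, dtype = descriptors[offset], descriptors[offset + 1]
        if length < 2 or offset + length > len(descriptors):
            raise ValueError(f"malformed descriptor at offset {offset}")
        if dtype == 0x04 and length >= 9:  # INTERFACE descriptor
            # bInterfaceClass, bInterfaceSubClass, bInterfaceProtocol
            cls, _sub, proto = descriptors[offset + 5:offset + 8]
            if cls == HID_CLASS:
                functions.append("hid-" + HID_BOOT_PROTOCOLS.get(proto, "other"))
            else:
                functions.append(CLASS_NAMES.get(cls, f"class-0x{cls:02x}"))
        offset += length
    return functions

def unexpected_functions(descriptors: bytes, expected: set[str]) -> list[str]:
    """Declared functions that the allowlist for this product does not cover."""
    return [f for f in declared_functions(descriptors) if f not in expected]

def _config(*interfaces):
    """Build a constructed configuration descriptor: one interface plus one
    interrupt endpoint per (class, subclass, protocol) triple. The HID
    class descriptor is left out for brevity."""
    body = b"".join(
        bytes([9, 4, n, 0, 1, c, s, p, 0]) + bytes([7, 5, 0x81 + n, 3, 8, 0, 10])
        for n, (c, s, p) in enumerate(interfaces))
    total = 9 + len(body)
    return bytes([9, 2, total & 0xFF, total >> 8, len(interfaces), 1, 0, 0xA0, 50]) + body

# Constructed samples: a plain mouse, and a "mouse" that also declares a keyboard.
HONEST_MOUSE = _config((HID_CLASS, 1, 2))
MOUSE_PLUS_KEYBOARD = _config((HID_CLASS, 1, 2), (HID_CLASS, 1, 1))

if __name__ == "__main__":
    for name, blob in [("honest", HONEST_MOUSE), ("composite", MOUSE_PLUS_KEYBOARD)]:
        print(name, declared_functions(blob), unexpected_functions(blob, {"hid-mouse"}))
```

A HID interface that does not use the boot protocol codes shows up as "hid-other", which a strict allowlist also rejects. On Linux the same walker can be fed the bytes of a device's sysfs `descriptors` file.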