USB devices offer an old-school way to steal data

Filed under
Security

We've heard a lot recently about data thieves stealing personal data, especially credit card and social security information, through phishing scams and keystroke-logging Trojan horses sent anonymously over the Internet. So it doesn't surprise me that criminal hackers are turning their attention away from the comforts of the Internet and going old school, once again physically infecting target computers by hand. Their method? How about a hardware-based Trojan horse using USB ports?

Plug and root

In a Black Hat talk entitled 'Plug and root: the USB key to the kingdom', researchers Darrin Barrall and David Dewey, both of SPI Dynamics, a security firm, outlined two flaws they found in the way Windows XP drivers handle Universal Serial Bus (USB) devices. The researchers said in July 2005 that both vulnerabilities had been disclosed to Microsoft, but the software giant didn't include patches in its August 2005 security update. The researchers found fault with the way Windows XP drivers handle USB autorun and USB raw sockets.

Full Story.