Just like water leaks from pipes, so do electric signals from USB ports, indirectly exposing sensitive data to a knowledgeable attacker. The phenomenon is known as "channel-to-channel crosstalk leakage" and affects USB-based devices plugged into adjacent ports.
"Electricity flows like water along pipes – and it can leak out," said project leader Dr. Yuval Yarom. "In our project, we showed that voltage fluctuations of the USB port’s data lines can be monitored from the adjacent ports on the USB hub." This scenario implies the presence of a malicious USB device inserted in a nearby port that the attacker can use to monitor data flows in adjacent ports.Read more
Hacking air-gapped machines — computers that are not connected to the internet, so theoretically less vulnerable — is always pretty interesting.
On Wednesday, Wikileaks published a series of alleged CIA documents that supposedly show how the intelligence agency's malware was designed to infect these sort of targets. Naturally, the documents indicate how the CIA has continued to develop its own hacking tools, allegedly targeting devices from smart TVs to internet routers. According to one of the documents, "Brutal Kangaroo is a tool suite for targeting closed networks by air gap jumping using thumbdrives."Read more
A new attack on smart TVs allows a malicious actor to take over devices using rogue DVB-T (Digital Video Broadcasting — Terrestrial) signals, get root access on the smart TV, and use the device for all sorts of nasty actions, ranging from DDoS attacks to spying on end users.
The attack, developed by Rafael Scheel, a security researcher working for Swiss cyber security consulting company Oneconsult, is unique and much more dangerous than previous smart TV hacks. Until now, all smart TV exploits relied on attackers having physical access to the device, in order to plug in an USB that executes malicious code.Read more
To avoid the draconian locks that John Deere puts on the tractors they buy, farmers throughout America's heartland have started hacking their equipment with firmware that's cracked in Eastern Europe and traded on invite-only, paid online forums.
Tractor hacking is growing increasingly popular because John Deere and other manufacturers have made it impossible to perform "unauthorized" repair on farm equipment, which farmers see as an attack on their sovereignty and quite possibly an existential threat to their livelihood if their tractor breaks at an inopportune time. Most all the new equipment requires a download to fix.Read more
USB sticks containing harmful malware have been left in Australian letterboxes, police in Victoria have warned. Residents of Pakenham, a suburb of Melbourne, have reportedly found the unmarked sticks in the boxes.
Plugging them into a computer triggers fraudulent media-streaming service offers, as well as other malware, the force said in a statement. The devices are "extremely harmful" and should not be used, police say. It is not uncommon for USB sticks to be used to carry and transmit destructive malware and viruses to computers. Berlin-based researchers Karsten Nohl and Jakob Lell said a device that appeared to be completely empty could still contain a virus.Read more
Snatching the login credentials of a locked computer just got easier and faster, thanks to a technique that requires only $50 worth of hardware and takes less than 30 seconds to carry out.
Rob Fuller, a principal security engineer at R5 Industries, said the hack works reliably on Windows devices and has also succeeded on OS X, although he's working with others to determine if it's just his setup that's vulnerable. The hack works by plugging a flash-sized minicomputer into an unattended computer that's logged in but currently locked. In about 20 seconds, the USB device will obtain the user name and password hash used to log into the computer.Read more
In 2013, a document leaked by former NSA contractor Edward Snowden illustrated how a specially modified USB device allowed spies to surreptitiously siphon data out of targeted computers, even when they were physically severed from the Internet or other networks.
Now, researchers have developed software that goes a step further by turning unmodified USB devices into covert transmitters that can funnel large amounts of information out of similarly "air-gapped" PCs. The USBee — so named because it behaves like a bee — is in many respects a significant improvement over the NSA-developed USB exfiltrator known as CottonMouth.Read more
Here is a scenario for you: You are walking around, catching Pokémon, getting fresh air, people-watching, taking Fido out to do his business, when something catches your eye. It’s a USB stick, and it’s just sitting there in the middle of the sidewalk.
Jackpot! Christmas morning! So, now the question is, what is on the device? Spring Break photos? Evil plans to rule the world? Some college kid’s homework? You can’t know unless… Stop right there. If you found yourself in this scenario, what would you do? Would you plug in the drive or just toss it in the nearest trash can? If you would plug it in, you are not alone — although you really should not do that.Read more
Chances are that each of us has found ourselves in a situation where our phone is dying and we had no charger on hand, but at the same time we desperately need to stay connected — to answer an important call, receive a text message or email, whatever.
It’s perfectly normal to look for any source of precious electricity on such occasions — any USB port would do. But is it safe? No. In fact, it can be dangerous: Over a USB connection someone can steal your files, infect your smartphone with something nasty — or even brick it. Before we get to the problem of thieves, we must point out that not all electricity is equally good for your phone.Read more
FBI officials are warning private industry partners to be on the lookout for highly stealthy keystroke loggers that surreptitiously sniff passwords and other input typed into wireless keyboards.
The FBI's Private Industry Notification is dated April 29, more than 15 months after whitehat hacker Samy Kamkar released a KeySweeper, a proof-of-concept attack platform that covertly logged and decrypted keystrokes from many Microsoft-branded wireless keyboards and transmitted the data over cellular networks. To lower the chances that the sniffing device might be discovered by a target, Kamkar designed it to look almost identical to USB phone chargers.Read more