Is your usb keyboard spying on you?

[hazel]

According to an article in this week's New Scientist, someone has found a way to turn usb devices into "hardware trojans". It depends on the fact that the usb protocol trusts devices to report their identity correctly. A legitimate device could therefore be replaced by a compromised one and the computer would never notice, provided that the new device reports the same make and model information.

Of course the installation of such hardware trojans requires physical access to the computer so it is unlikely ever to become a problem on home computers, but it could easily be used for industrial espionage in offices.

[elija]

My keyboard does spy on me - but I have wrapped tin-foil around my fingertips...

On a more serious note, that's probably only a concern on public machines but it will be a lot harder to spot than an intercept key-logger

[GNU-Fan]

Hmm, is this really a security issue introduced by the USB protocol?

Let's say you would use the legacy PS/2 for plugging in your keyboard. Wouldn't it be just as easy to swap it with a "trojan-keyboard"? Maybe even easier.

[D-cat]

Inline hardware keyboard loggers were a known issue in the AT and PS/2 days. At least they were easy to spot if you were looking for them, but if you weren't, you'd never know.

USB does make it a tad more easy to spot from a software end unless the hardware reports the same make and model ID as was mentioned. I'm sure it's not impossible, but it does add just one more layer of difficulty for these kind of hackers.