Spies, Damned Spies and Statistics
The "Best Student Paper" at the 15th USENIX Security Symposium is titled "Keyboards and Covert Channels". In it, we learn of the dangers of "JitterBugs" (no doubt, soon to be JitterBugsTM), devices that could bug your keyboard and send sensitive data to your most nefarious foes - like that guy in the cubicle two pods away that you're sure steals your lunch out of the common refridgerator. Bastard!
Now, while the method of transmitting the data is neat (involving statistical analysis of very specific types of delays sending keystrokes to a computer that is connected to some snooped network), the opening quote of this news article is ridiculous:
Keyboards and other devices plugged into computers could be easily bugged to covertly transmit passwords or other sensitive data, researchers warned today.As Gaurav Shah, the student lead author of the study, says:
"This is spy stuff... Someone would need physical access to your keyboard to place a JitterBug device, but it could be quite easy to hide such a bug in plain sight among cables or even replace a keyboard with a bugged version."Now, maybe we're just too blasé, but if someone has physical access to your keyboard and can sniff all of your network packets, your security is so hosed that the use of a JitterBugTM is the least of your worries.
The JitterBugTM protocol has an extremely low bandwidth, so it really needs to record and forward only a limited number of keystrokes - hopefully passwords and the like. But in order to "prime" the device to filter out all the other crap you're typing, the spy would need to "preprogram a JitterBug with the user name of the target as a trigger on the assumption that the following keystrokes would include the user's password."
Again, if a spy has your user name, access to your computer and hooks into your network... you are, as the geeks would say, pwnd.
And what is the great fear of Shaw's professor, Matthew Blaze?
Blaze worries about a "supply chain attack," in which a large number of JitterBugged keyboards hits the market.Wait - how would a supply chain attack work? Nefarious Chinese manufacturers would mass produce JitterBuggedTM keyboards, get Dell and Apple to bundle them with their computers, send out bands of corporate ninjas to break in to every home and office in America to spy on clueless CEOs and heads of the local PTA to learn their user names (but not their passwords), reprogram the JitterBuggedTM keyboard, attach wires to their networks and wait for their black-hatted network geeks to inform their ChiCom masters to find out the password to their MySpace accounts?
We're not exactly quaking in our boots over that scenario. To top things off, the covert channel being used is so easily defeated (simply introduce some truly random jitter to the network stack) that a simple Microsoft Update (apt-get for you Linux types) could defeat this scheme overnight.
But we have to admit we're a little freaked out over the image of millions of Chinese ninjas peeking over our shoulders as we log into Playboy that we may just have to go back to subscribing to the paper copy. Thank God the US Postal Service has no security problems!