The FBI is warning that stealthy keystroke loggers could disguise themselves as innocent USB drives or phone chargers—while in reality uploading all input typed into a keyboard by the user.
The Feds warned that since portable drives and the like are often modular and programmable, it’s fairly easy for a threat actor to simply swap out a part (an RF chip for a Wi-Fi sniffer, for example) or alter coding in order to make the gadget something capable of stealing data over the air.
"If placed strategically in an office or other location where individuals might use wireless devices, a malicious cyber-actor could potentially harvest personally identifiable information, intellectual property, trade secrets, passwords or other sensitive information," FBI officials wrote in the advisory [PDF]. "Since the data is intercepted prior to reaching the CPU, security managers may not have insight into how sensitive information is being stolen."
According to Lane Thames, security research and software development engineer for cybersecurity firm Tripwire, noted that such issues will become more common as the internet of things (IoT) era gets underway.
“Unfortunately, we don’t always know what a particular device is capable of doing,” he told Infosecurity. “In this regard, physical security will need to evolve. Organizations that work with sensitive information should consider implementing a physical security policy. This policy will need to consider how to both vet and monitor devices that enter proximities where sensitive information is interacted with.”
He added that there are a countless number of ways for miniature computing devices to enter our digital work zones, along with a fast array of techniques these embedded systems can use to exfiltrate data within its sensory proximity.
“Looking for wireless signals is obviously a first choice, but other techniques that make use of other sources, such as thermal and acoustic signals, exist too,” Thames noted. “As this portion of the industry evolves, industry standards for good physical security practices within the world of IoT will likely become common for even the smallest of organizations.”
Photo © Marynchenko Aleksandr