Is your keyboard spying on you?

Researchers say a small device they call a "JitterBug" can use an existing network connection to discreetly leak passwords and other sensitive data over the Internet. Like the keylogger hardware that the FBI and criminals already use to record passwords and other data, a JitterBug is a small device attached to a keyboard that records what the user types. Unlike current keyloggers, which store the data in internal memory, a JitterBug does not have to be physically retrieved before the captured data can be read.

Although no such device has been found "in the wild," the researchers have built a working prototype, and they speculate that similar ideas may already have been used in attacks that went unnoticed. In a paper titled "Keyboards and Covert Channels," graduate students at the University of Pennsylvania explain that the device can encode data into keystrokes by introducing an extra delay between the moment a key is pressed and the moment the keyboard tells the computer that it has been pressed.

In interactive applications such as telnet and remote desktop, a packet is sent every time the user presses a key. By adding "jitter" to keyboard input while such a program is running, the JitterBug slightly delays the data the computer sends over the network. A particular amount of delay can stand for a 1 or a 0 in each keystroke-triggered packet, letting an attacker smuggle confidential information inside otherwise harmless traffic without modifying any software or opening any new connection. One bit per packet is not much bandwidth, but an application like telnet sends enough packets to carry a password or other small but valuable data.

To intercept the data, a spy would need a packet sniffer positioned to capture the target computer's connection. That requires access to some network between the victim and the victim's destination, not a trivial goal, but probably easier than attaching the JitterBug in the first place. Because the bits live in packet timing rather than packet contents, the data may remain visible to the attacker even when the connection is encrypted. Network delays could disrupt the subtle pattern the JitterBug introduces, but the device has some tolerance for this problem: in tests, the researchers say, a JitterBug transmitted data fairly reliably from the University of Pennsylvania to the National University of Singapore.

Researchers believe that such devices could pose a security threat not only because they are difficult to detect and work across a wide variety of software and hardware, but also because they could be inconspicuously deployed on a large scale. In what the paper's authors term a "supply chain attack," manufacturers would build a JitterBug into their keyboards. Such a vulnerability would be extremely difficult to detect, since neither the keyboard nor the victim's computer would appear to be doing anything unusual, but anyone who knew of the devices could decode the data they sent, gaining backdoor access to thousands of computers.

This threat, however far-fetched, seems particularly relevant in light of the U.S. government's decision in May to use computers built by Lenovo only for processing unclassified data. The Chinese government owns 28% of Lenovo, information that has sparked fears of espionage. As it turns out, numerous keyboards are also manufactured in China.

To be sure, JitterBugs are a purely theoretical threat as far as anyone can tell, and intercepting the data they send is not a trivial matter. Still, they could be much easier to deploy and read than today's keyloggers, and those have been, and probably still are, used for spying.

Ryan DeBeasi, rdebeasi@nww.com
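The following simulation is an added example, not code from the researchers or from the article, and it shows the timing channel described above end to end: a keystroke-triggered packet stream, an encoder that holds each keystroke back by a fraction of a timing window to encode one bit per packet, and a decoder that works purely from sniffed arrival times, which is why an encrypted payload does not protect against it. The encoding rule (gap modulo a window `w` lands near 0 for a 0 bit and near `w/2` for a 1 bit), the window size of 20 ms, the 80 to 250 ms typing cadence and the uniform network jitter model are all assumptions made for illustration; the article gives none of these details. The `simulate` function also shows the tolerance point: bits survive while consecutive packet delays differ by less than `w/4`, and start flipping beyond that.

```python
"""Simulated JitterBug timing channel (illustrative example, not the
researchers' implementation). Each inter-packet gap, taken modulo a timing
window w, is pushed near 0 to send a 0 bit or near w/2 to send a 1 bit.
The decoder sees only packet arrival times, so payload encryption does not
hide the channel. The modulo-w scheme and all numeric values are assumed."""
import random

W_MS = 20.0  # timing window w in milliseconds (assumed value)


def text_to_bits(s):
    """MSB-first bits of the UTF-8 encoding of s."""
    return [(b >> i) & 1 for b in s.encode() for i in range(7, -1, -1)]


def bits_to_text(bits):
    """Inverse of text_to_bits; a trailing partial byte is dropped."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        out.append(int("".join(map(str, bits[i:i + 8])), 2))
    return out.decode(errors="replace")


def jitterbug_encode(keystroke_times, bits, w=W_MS):
    """Times at which the JitterBug releases each keystroke to the host.

    The first keystroke passes through unchanged. Each later keystroke is
    held back by less than w so that the gap from the previously released
    keystroke is congruent to 0 (bit 0) or w/2 (bit 1) modulo w. Assumes
    keystrokes are spaced more than w apart, as human typing is.
    Keystrokes beyond the end of the message carry no bit.
    """
    released = [keystroke_times[0]]
    for i, t in enumerate(keystroke_times[1:]):
        if i >= len(bits):
            released.append(max(t, released[-1]))
            continue
        gap = t - released[-1]
        target = 0.0 if bits[i] == 0 else w / 2
        delay = (target - gap) % w          # 0 <= delay < w
        released.append(t + delay)
    return released


def jitterbug_decode(arrival_times, w=W_MS):
    """Recover one bit per inter-packet gap from sniffed arrival times."""
    bits = []
    for a, b in zip(arrival_times, arrival_times[1:]):
        phase = (b - a) % w
        dist0 = min(phase, w - phase)      # distance to 0 (wrapping)
        dist1 = abs(phase - w / 2)         # distance to w/2
        bits.append(0 if dist0 <= dist1 else 1)
    return bits


def simulate(message, jitter_ms, seed=1, w=W_MS):
    """Leak message over a simulated telnet-style session.

    Returns (decoded_text, bit_error_rate). jitter_ms bounds the uniform
    per-packet network delay. The decoder tolerates a difference of less
    than w/4 between consecutive packet delays, so jitter_ms < w/8 decodes
    without error and larger values begin to corrupt bits.
    """
    rng = random.Random(seed)
    bits = text_to_bits(message)
    # Constructed keystroke timing: one extra key carries the last bit,
    # keys 80-250 ms apart as a rough (assumed) model of typing.
    times = [0.0]
    for _ in range(len(bits)):
        times.append(times[-1] + rng.uniform(80.0, 250.0))
    released = jitterbug_encode(times, bits, w)
    # Each keystroke packet picks up its own network delay; packets stay
    # in order because the jitter is small next to the key spacing.
    arrivals = [t + rng.uniform(-jitter_ms, jitter_ms) for t in released]
    decoded = jitterbug_decode(arrivals, w)
    errors = sum(x != y for x, y in zip(decoded, bits))
    return bits_to_text(decoded), errors / len(bits)


if __name__ == "__main__":
    for jitter in (0.0, 2.0, 8.0):
        text, ber = simulate("hunter2", jitter)
        print(f"jitter +/-{jitter:.0f} ms: decoded {text!r}, BER {ber:.2%}")
```

A real sniffer would feed `jitterbug_decode` the capture timestamps of the victim's outbound packets on one flow; nothing in the decoder depends on packet contents. The same modulo trick is what gives the channel its tolerance: a constant path delay shifts every packet equally and cancels out of the gaps, so only the variation between consecutive packets matters, and a larger `w` buys more tolerance at the cost of a larger worst-case keystroke delay that a user might notice.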


Copyright © 2006
