JitterBugs could turn your keyboard against you

August 7, 2006 Computer keyboard

Researchers from the University of Pennsylvania School of Engineering and Applied Science warn against an entirely new threat to computer security: peripheral devices – such as keyboards, mice or microphones – which could be physically bugged in an attempt to steal data. Penn graduate student Gaurav Shah has identified a class of devices that could covertly transmit data across an existing network connection without the user's knowledge.

They are called JitterBugs, named by Shah's advisor, Penn Associate Professor Matthew Blaze, for both the way they transmit stolen data in "jittery" chunks by adding nearly imperceptible processing delays after a keystroke and for the "jitters" such a bug could inspire in anyone with secure data to safeguard.

Shah presented his findings Aug. 3 at the USENIX Security Conference in Vancouver, B.C., where it was designated the "Best Student Paper" by conference organizers. As proof of the concept, Shah and his colleagues built a functional keyboard JitterBug with little difficulty.

"This is spy stuff. Someone would need physical access to your keyboard to place a JitterBug device, but it could be quite easy to hide such a bug in plain sight among cables or even replace a keyboard with a bugged version," said Shah, a graduate student in Penn's Department of Computers and Information Science. "Although we do not have evidence that anyone has actually been using JitterBugs, our message is that if we were able to build one, so could other, less scrupulous people."

JitterBug devices are conceptually similar to keystroke loggers, such as the one famously used by the FBI to gather evidence against bookmaker Nicodemo Scarfo Jr. Unlike keystroke loggers, which would have to be physically installed into a subject's computer and then retrieved, a keyboard JitterBug only needs to be installed. The device itself sends the collected information through any interactive software application where there is a correlation between keyboard activity and network activity, such as instant messaging, SSH or remote desktop applications. The bug leaks the stolen data through short, virtually unnoticeable delays added every time the user presses a key.

Anytime the user surfs the web, sends an e-mail or instant messages someone, an implanted JitterBug could be timed to open a covert jitter channel to send stolen data. According to Shah, a JitterBug could not log and transmit every touch of the key due to limited storage space on the device, but it could be primed to record a keystroke with a particular trigger.

"For example, one could pre-program a JitterBug with the user name of the target as a trigger on the assumption that the following keystrokes would include the user's password," Shah said. "Triggers might also be more generic, perhaps programmed to detect certain typing patterns that indicate some sort of important information might follow."

JitterBugs are potentially worrisome to governments, universities or corporations with information meant to be kept confidential. One particular scenario is what Blaze refers to as a "Supply Chain Attack," in which the manufacture of computer peripherals could be compromised. Such an attack could, for example, result in a large number of such JitterBugged keyboards in the market. An attacker would only then need to wait until a target of interest acquires a bugged keyboard.

According to Shah, the channel through which the JitterBug transmits data is also the point where it could be most easily detected and countered.

While his presentation only discussed simple countermeasures to JitterBugs, Shah's initial results indicate that the use of cryptographic techniques to hide the use of encoded jitter channels might be a promising approach.

"We normally do not think of our keyboard and input devices as being something that needs be secured; however, our research shows that if people really wanted to secure a system, they would also need to make sure that these devices can be trusted," Shah said. "Unless they are particularly paranoid, however, the average person does not need to worry about spies breaking into their homes and installing JitterBugs."

Source: University of Pennsylvania


print this article email this article download pdf blog this article bookmark this article     Stumble it Digg this share on Facebook retweet share on Reddit add to delicious
Rate this story - 2.5 /5 (50 votes)


August 7, 2006 all stories

Comments: 0

2.5 /5 (50 votes)
  • Stumble this up

  • Digg this

  • share this

  • hide

  • Related Stories

  • New Test May Predict Heart Disease Events and the Effect of Weight Loss on Insulin Resistance
    created Nov 17, 2009 | popularity not rated yet | comments 0
  • Common Gene Mutation Linked to Statin Side Effects
    created Oct 13, 2009 | popularity not rated yet | comments 0
  • India's Infosys posts 7.5 pct jump in quarterly profit
    created Oct 09, 2009 | popularity not rated yet | comments 0
  • The making of the male brain (estrogen required)
    created Oct 01, 2009 | popularity not rated yet | comments 0
  • NIST Calculations May Improve Temperature Measures for Microfluidics
    created Sep 08, 2009 | popularity not rated yet | comments 0



  • hide

  • Relevant PhysicsForums posts

  • Laser plasma emission
    created 3 hours ago
  • Achromat lens - magnifying LCD
    created Nov 25, 2009
  • Control System
    created Nov 24, 2009
  • Base Isolation Systems in Skyscrapers?
    created Nov 23, 2009
  • More from Physics Forums - General Engineering

Other News

Building real security with virtual worlds

Technology / Computer Sciences

created 7 hours ago | popularity 3.7 / 5 (3) | comments 0

(PhysOrg.com) -- Advances in computerized modeling and prediction of group behavior, together with improvements in video game graphics, are making possible virtual worlds in which defense analysts can explore and predict ...


McKinnon, accused of hacking into US military and NASA computers, faces extradition to the United States

UFO-obsessed Briton loses bid to block US extradition

Technology / Other

created 3 hours ago | popularity 4 / 5 (2) | comments 0

A Briton accused of hacking into US military and NASA computers faces extradition to the United States after the British government Thursday rejected last-ditch requests to block the move.


Roku adds more 'channels' of video and other digital content

Technology / Telecom

created 7 hours ago | popularity not rated yet | comments 0

Owners of Roku's digital video player will soon have a bunch more channels to choose from.


Sony optimistic on 3-D TVs, in-house display (AP)

Sony optimistic on 3-D TVs, in-house display

Technology / Hi Tech

created 14 hours ago | popularity not rated yet | comments 0

(AP) -- A third to a half of the Sony Corp. TV sets sold annually will be packed with 3-D features by the year ending March 2013, a senior executive said Thursday.


A worman works on a computer

Half of Euro online travel purchases legally unsafe: EU

Technology / Internet

created 5 hours ago | popularity not rated yet | comments 0

More than half of all people who buy flights, hotel rooms and hire cars online risk being left without compensation if companies fail under outdated law, the EU said Thursday.




PhysOrg Account
advanced search
  • follow with twitter
  • follow on facebook
  • read with kindle
  • customize RSS
  • physorg mobile
  • newsletter