Our computer’s hardware – the circuits, chips, disks, memory, cables, and connectors – are all things we rarely think about when it comes to considering our privacy.
We would be wise to.
While not as easily compromised, since it requires some form of physical access, hackers know we take our hardware for granted, and when it comes to gaining intrusive access to our information, hardware represents a way in.
A keylogger is typically a form of malware that resides on your computer, intercepting and recording all your keystrokes and sending them off to some malicious third party. Type in your username and password, and the keylogger intercepts and records it.
Keyloggers can also be present in hardware. A device inserted between your keyboard and computer can do exactly the same thing: record all keystrokes for transmission or later collection by that same malicious party.
Hardware keyloggers are less common because they require physical access to the machine on which they’re installed. Once installed, however, they’re nearly impossible for the average computer user to detect. It doesn’t matter what anti-malware tools are running, what operating system is installed, clean-installed, or booted from, the keylogger remains in place, recording your data.
There are two simple guidelines:
- Never use a public computer for anything in any way sensitive. Hardware keyloggers are most commonly found on public computers.
- Remember, “If it’s not physically secure, it’s not secure”. If your computer is in a public or highly trafficked place, it’s possible someone could add a hardware keylogger when you’re not around.
Most people needn’t worry about hardware keyloggers. As I said, they’re rare, mostly because installation requires physical access to the machine.
But they definitely exist.
This is a relatively new, and to me, fascinating form of compromise.
You’re on a trip, and your mobile phone’s battery is running low, so you find a convenient charging station where you can plug in and top off the battery before you board your aircraft.
Unfortunately, that connection might provide more than power. The connection can actually include malicious hardware surreptitiously placed there by a hacker that could leverage the data connection on your USB connection to examine the contents of your phone or even place malware on it.
It’s not common, but it can happen.
Fortunately, the solutions are simple.
- Never use a public USB connection for anything. You simply don’t know what you’re connecting to.
- Bring and use your wall-charger instead. Assuming you can find a wall outlet, this is a safe way to recharge your device.
- If you must, get and use a “data blocker”, a device through which you make your USB connection, which in turns blocks any data connection attempts.
Always be careful what you connect your device to, be it your mobile phone, tablet, or laptop.
Other types of hardware compromise
These are significantly less common, but I want you to be aware of them.
Technically, this is a software update, but it’s to your hardware: the BIOS in your computer. It’s nearly unnoticeable, and most anti-virus programs can’t detect it. You can reformat your machine completely, and the malware will still be there. The only solution, when this happens, is to re-flash your computer’s BIOS.
If you think your BIOS has been infected, it probably has not. Once folks hear about this possibility, they’re quick to jump to it as a conclusion when malware reappears after a clean rebuild of their machine. What happens much more frequently is simply that you reinstalled the same malicious software you had before.1
Cash Machine Skimmers
While not directly related to the technology you own, this relates to technology you use.
There are malicious devices that can be added to cash machines and credit card machines that read (or “skim”) the information off the card you insert or swipe. When coupled with cameras that record the PIN you type to access your money, the thieves then have enough information to clone your card and access it themselves.
Security researcher Brian Krebs has apparently gotten into the habit of tugging on the card insertion point to make sure it’s not one of these fake devices.
My advice? Tug if you like, but instead, only use your cards in devices in very public places, devices you’re personally already familiar with, and at retailers with which you already have a relationship of trust.
Or stop by the bank in person; I’m sure they’d love to see you.