![]() ![]() ![]() ![]() Remember, this is injection of events, not 2-way communication. The issue is that if this can be a broadcast attack, it doesn't need to be successful any more than hacking an ad network needs 100% infection rates - if I can drive up outside a multi-story office building with a cheap adapter at the end of a USB extension cable (and perhaps an appropriate dish) and broadcast "Win-R ", how many of the PCs in window offices will load that site which loads various exploits based on detection of the browser? This is even better than spearphishing because I don't have to worry about getting through email filters, and if I manage it right I know what company/companies I targeted at what time along with my trojan access to one or more computers within those offices. TFA includes "100 meters" and "a $15 USB dongle and 15 lines of Python code" which I could believe. The risk from this could actually turn out to be really high - perhaps not to any individual system, but to an office environment. FW has significant performance advantages over USB, not the least of which is it is fully self-managing whereas USB req Firewire chips (the original 400 MHz versions) were about $25 in wholesale / 1000 qty versus USB 1.1 at around $15. Some may scoff, but virtually any difference in wholesale / production level quantity costs beyond the trivial usually means one wins overwhelmingly over the other. I don't know one way or the other, so this is pure speculation, but it may be a cost issue. If they are too cheap to use an industry standard for their stuff, then I'm suspecting they skimped on security somewhere else. When I see some mouse or keyboard requiring its own dongle, I move on. Yes, it has had its security issues, but after 10+ years, it is pretty robust, and is definitely good enough, assuming proper pairing with 4-6 digit PINs (and re-pairing happens very infrequently.) If one needs more security, it can be handled at the application layer. realistically, why do the wireless keyboard/mouse makers use their own protocol, which is most likely far less secure than something designed by people who know what they are doing? BT is a relatively open protocol that has stood the test of time. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. Archives
January 2023
Categories |