Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: version B 2.10.2 9/18/84; site hydra.UUCP
Path: utzoo!linus!philabs!cmcl2!harvard!think!mit-eddie!cybvax0!frog!hydra!die
From: die@hydra.UUCP (Dave Emery)
Newsgroups: net.unix-wizards
Subject: Trojan horse terminals
Message-ID: <141@hydra.UUCP>
Date: Wed, 6-Nov-85 23:28:56 EST
Article-I.D.: hydra.141
Posted: Wed Nov  6 23:28:56 1985
Date-Received: Sat, 9-Nov-85 06:33:41 EST
Reply-To: die@crds .UUCP (David I. Emery)
Distribution: net
Organization: Charles River Data Systems, Framingham MA
Lines: 30
Keywords: trojan horse EEPROM battery backup firmware password


	Many modern CRT's include EEPROM or battery backed up CMOS ram
to store configuration information, function key strings and the like.
Almost all use some common microprocessor as a controller increasingly
often running out of cheap socketed EPROMs.

	These components make a sinister combination in the hands of the
wrong person.  It should not be difficult to hack the terminal firmware
to recognize login sequences and the like and quietly save a copy
of the username/password pair in EEPROM or backup ram. 
And a more diabolical hacker could make the terminal appear to
die a few hours after it captured the root password so it would get shipped
back to be repaired (or swapped with another from a less secure area) where
it could be read out.

	Are you sure the terminals you use haven't been tampered with ?

	Programming micros isn't all that difficult, EPROM programmers are
increasingly common and available, and disassembly tools and debuggers
are available for most micros. In some academic settings such hacking used 
to be common. (Perhaps I'm just getting old and the current generation 
doesn't do such things any more).  In any case in business settings where
almost everyone has a terminal on his desk that is more or less
exactly the same as everyone elses this does represent a means of
breaking into a system.

          David I. Emery    Charles River Data Systems   617-626-1102
          983 Concord St., Framingham, MA 01701.
	  uucp: decvax!frog!die