I worry that this might get flagged as too broad, but here it goes:
Lately I've been thinking about the possibility of loading data on peripheral devices. One of the most used peripherals is the mouse. I realize that there are 101 ways to build a mouse. To refine my question into several, I ask these questions:
- Is it possible to build a mouse without memory? If so, is it typically seen not have memory on a mouse?
- Suppose the mouse did have memory (if this is not an realistic assumption, please point that out), is it typical to see ROM types of memory only? Can the memory be flashed like CMOS memory?
- Has any one seen an computer attack/malware attack from the memory of a mouse?
I ask number three because what I've been thinking of lately is the generalization of the attacks performed by various advanced persistent threats.
Best Answer
Many USB peripherals include flash-based microcontrollers. Although mask-ROM-based microcontrollers are cheaper, use of a flash-based microcontroller may enable a manufacturer to have one board which can go in a variety of OEM products, each of which reports the name under which it is sold. Some peripherals include firmware that allows them to be reprogrammed from the USB port; having them configured that way would allow a manufacturer to pre-program parts in a way suitable for its highest-volume customer and re-program them on demand for other customrs.
If a mouse happens to include a flash microcontroller, it may be possible for a malicious person to reprogram it to behave as a malware-infection device. Because most mice aren't likely to use particularly big microcontrollers, there may not be any room for malware if the mouse is required to be usable as a mouse. On the other hand, it might be possible for some malware to identify a vulnerable mouse and reprogram it in such a way that it would no longer work as a mouse, but would act as an agent of evil when plugged into a non-infected machine [on the theory that someone whose mouse stops working might test it on another computer].
It would in general not be difficult to design a USB peripheral in such a way that once final firmware was loaded it could not be reloaded from the USB port, but there is no general way to distinguish devices which are immune from reprogramming from devices which aren't. It would also be possible to design a "smart USB hub" with a display and some buttons which would, when a device was plugged in, indicate what the device is claiming to be, asking for confirmation before the computer could see the device, and restricting the device's communications to those that were approved for its type, but I don't know if any such smart-hub devices are available.