It is known in the prior art to connect peripheral devices to a computer. These peripherals include keyboards, mice, and external storage devices. Such devices are used to transmit data to the computer for use by computer software applications.
These connected peripherals are generally trusted devices, as they are physically attached to the computer. However, a malicious user may disconnect an attached peripheral and attach a device of the user's choosing, and thereby gain access to the data on the computer. Or, the malicious user may connect the device to an open port on the computer, such as a USB port, that is not already occupied by another device. Such connections, for example, permit the user to transmit a virus stored on a USB storage device to the computer, thereby infecting it for the user's gain. Or, the user may download sensitive data from the computer to the storage device without permission.
FIG. 1 is an illustration of a prior art system in which a first device 100 having an attached peripheral 110 uses a computer network 120 to communicate with a remote device 130. In this example system, the first device 100 may be a desktop computer, a laptop computer, a mobile phone such as a smartphone, or any device that is capable of executing an operating system. Peripheral device 110 may be, for example, a keyboard, a mouse, or an external storage device such as a thumb drive, that sends useful data to device 100. Several such peripherals 110 may simultaneously connect to first device 100, as is known in the art.
A user of the first device 100 may wish to communicate with other devices. Typically, this is done by way of a computer network 120, such as the Internet. Computer network 120 allows the first device 100 to communicate with a remote device 130. While the Figure is greatly simplified for the purposes of concise disclosure, computer network 120 may include the user's Internet Service Provider (ISP) and any number or type of computer networking devices, such as bridges, hubs, switches, and routers. Remote device 130 may be any device that is capable of executing an operating system.
As shown above, it is known in the prior art to route data between two devices. For example, the Internet may be used to route data between two computers, or between a computer and a mobile phone. Routers that route data between computer networks may be configured to perform a network address translation (NAT) that translates a routing address in one network into a routing address in a second network. Routers having NAT may be configured to permit data received from a first network to be transmitted on the second network, or to deny it, based on the address of the device transmitting the data on the first network. This arrangement may be used as a firewall to prevent unauthorized data from being transmitted to a computer on the second network. However, it does not prevent a malicious user in the first network from obtaining the list of authorized network addresses. If the user obtains this list, she may transmit unauthorized data to a computer in the second network by creating a network message having a forged (and authorized) routing address. Moreover, network routers operate to route data between computers, not between a computer and a peripheral device, and therefore cannot prevent a malicious user having physical access to the computer from transmitting unauthorized data to its software applications.