USB connections are prone to leaking data, according to a group of researchers from the University of Adelaide.
The researchers are presenting their finding at the USENIX Security Symposium in Canada.
“We have tested over 50 different computers and external hubs and found that over 90% of them suffer from a crosstalk leakage effect that allows malicious peripheral devices located off the communication path to capture and observe sensitive USB traffic,” states the abstract of their paper, USB Snooping Made Easy: Crosstalk Leakage Attacks on USB Hubs.
“We also show that in many cases this crosstalk leakage can be observed on the USB power lines, thus defeating a common USB isolation countermeasure of using a charge-only USB cable which physically disconnects the USB data lines.”
The researchers used a USB-connected novelty lamp to read keystrokes from a USB keyboard plugged into an adjacent port, using the voltage fluctuations of the port’s data lines. The captured data was sent to another computer via Bluetooth.
“USB-connected devices include keyboards, card swipers and fingerprint readers which often send sensitive information to the computer,” said project lead Dr Yuval Yarom, a research associate with Adelaide Uni’s School of Computer Science.
“It has been thought that because that information is only sent along the direct communication path to the computer, it is protected from potentially compromised devices.
“But our research showed that if a malicious device or one that’s been tampered with is plugged into adjacent ports on the same external or internal USB hub, this sensitive information can be captured. That means keystrokes showing passwords or other private information can be easily stolen.”
The leak was discovered by Adelaide Uni student Yang Su, who worked with Dr Daniel Genkin from the University of Pennsylvania and University of Maryland, and Dr Damith Ranasinghe, also from Adelaide Uni.
Yarom said that USB connections should be redesigned.
“The USB has been designed under the assumption that everything connected is under the control of the user and that everything is trusted – but we know that’s not the case,” the researcher said.
“The USB will never be secure unless the data is encrypted before it is sent.”