Universal Serial Bus, is an industry standard that defines cables, connectors and communications protocols for connection, communication, and power supply between computers and devices.
Security researchers from the University of Adelaide discovered that Universal Serial Bus (USB) connections are exposed to information leakage, making them even less secure than has been imagined.
They tested over 50 different computers and external hubs and discovered that most of them are vulnerable to crosstalk leakage effect that indirectly exposing sensitive data to a knowledgeable attacker.
According to researchers:
“We have tested over 50 different computers and external hubs and found that over 90% of them suffer from a crosstalk leakage effect that allows malicious peripheral devices located off the communication path to capture and observe sensitive USB traffic. We also show that in many cases this crosstalk leakage can be observed on the USB power lines, thus defeating a common USB isolation countermeasure of using a charge-only USB cable which physically disconnects the USB data lines.”
“USB-connected devices include keyboards, cardswipers and fingerprint readers which often send sensitive information to the computer,” says project leader Dr Yuval Yarom, Research Associate with the University of Adelaide’s School of Computer Science.”
Dr Yarom said that “Electricity flows like water along pipes – and it can leak out. In our project, we showed that voltage fluctuations of the USB port’s data lines can be monitored from the adjacent ports on the USB hub.”
The research (USB Snooping Made Easy) is not yet public and will be shown next week at the USENIX security conference in Vancouver, Canada