Tests on USB connections have shown they are highly susceptible to information “leakage”, making them less secure than previously thought.
Researchers from the University of Adelaide in South Australia tested more than 50 different computers and external USB hubs, and found that more than 90% leaked information to an external USB device.
Because USB-connected devices send information only along a direct communication path to the computer, people have always thought such connections were protected from potentially compromised devices.
However, project leader Dr Yuval Yarom, of the University of Adelaide’s School of Computer Science, says the research showed that if a malicious device, or one that’s been tampered with, is plugged into a port adjacent to other USB devices, sensitive information can be captured.
“That means keystrokes showing passwords or other private information can be easily stolen,” Dr Yarom said.
He described this “channel-to-channel crosstalk leakage” as similar to water leaking from pipes. “Electricity flows like water along pipes, and it can leak out,” he says. “In our project, we showed that voltage fluctuations of the USB port’s data lines could be monitored from the adjacent ports on the USB hub.”
The leak was discovered by University of Adelaide Computer Science student Yang Su, in collaboration with Dr Daniel Genkin (University of Pennsylvania and University of Maryland) and Dr Damith Ranasinghe (Auto-ID Lab, University of Adelaide).
Dr Yarom said other research had shown that 75% of USB sticks dropped on the ground were picked up and plugged into a computer. If they had been tampered with, they could send a message via Bluetooth or SMS to a computer anywhere in the world.
“The main take-home message is that people should not connect anything to USB unless they can fully trust it,” Dr Yarom said.