USB connections can "leak" private data to adjacent ports
You'd be forgiven for thinking that wired connections are the way to go if you want to keep the data flowing between peripherals and your computer secure. But researchers have found that the ubiquitous USB connections used to connect all manner of devices to computers are prone to data "leakage" that can compromise data security.
With previous research demonstrating people's propensity to stick USB thumb drives they find on the street into their computers, a research team led by Dr Yuval Uarom at the University of Adelaide's School of Computer Science has given computer users another reason not to connect anything to their computer they don't fully trust.
The team found that over 90 percent of the more than 50 different computers and external USB hubs they tested leaked data to an external USB device in the form of voltage fluctuations. Dr Yarom likens this "channel-to-channel crosstalk leakage" to water leaking from a pipe, with the voltage fluctuations of the USB port's data lines able to be monitored from adjacent ports.
"It has been thought that because that information is only sent along the direct communication path to the computer, it is protected from potentially compromised devices," says Dr Yarom. "But our research showed that if a malicious device or one that's been tampered with is plugged into adjacent ports on the same external or internal USB hub, this sensitive information can be captured."
Dr Yarom points out that, because USB-connected devices can include keyboards, cardswipers and fingerprint scanners, keystrokes revealing passwords and other private information is susceptible to being stolen.
Demonstrating the potential for security breaches, the team modified a cheap novelty USB lamp to capture every keystroke entered on a USB keyboard plugged into a neighboring USB port. This data was then transmitted to another computer via Bluetooth.
"The main take-home message is that people should not connect anything to USB unless they can fully trust it," says Dr Yarom. "For users it usually means not to connect to other people's devices. For organisations that require more security, the whole supply chain should be validated to ensure that the devices are secure. The USB has been designed under the assumption that everything connected is under the control of the user and that everything is trusted – but we know that's not the case. The USB will never be secure unless the data is encrypted before it is sent."
The results of the research will be presented at the USENIX Security Symposium being held in Vancouver, Canada next week.
Source: University of Adelaide