A research team at the University of Adelaide's School of Computer Science, led by Dr. Yuval Yarom, has found that about 90% of external USB hubs and computer systems can leak information to external USB devices. The exposure is attributed to electrical crosstalk between the connected components, which the team refers to as “channel-to-channel crosstalk.”
Researchers tested 50 computers and external USBs and found that 90 percent of them leaked sensitive information, such as keystrokes, to another external USB drive. This percentage is relatively high. The research team stated that USB connections and USB sticks might just be the weakest link when it comes to data protection. They regard external USB drives as “vulnerable” devices that cause “information leakage.”
The study has raised concerns over the reliability of external devices. According to Dr. Yarom, USB-connected devices such as “keyboards, card swipers and fingerprint readers” usually send sensitive information to computers. The research verified that if an infected or tampered device is plugged into an adjacent port of the same internal USB hub or external USB drive, sensitive information leaks to it. The information that can be exposed includes keystrokes, which is rather alarming, as it would give away passwords and private data to threat actors.
Researchers have compared the data leak with water leakage from pipes and state that voltage fluctuations on data lines of the USB ports can be easily monitored from the adjacent ports.
“Electricity flows like water along pipes – and it can leak out. In our project, we showed that voltage fluctuations of the USB port’s data lines could be monitored from the adjacent ports on the USB hub.”
For their study, the research team used a modified, cheap “plug-in lamp with a USB connector” to monitor every single keystroke from the “adjacent keyboard USB interface.”
They identified that data from the keyboard, which was connected via Bluetooth, was sent to another computer. They added that because these devices are so commonly used, and users never pay attention to the possibility of USB sticks being tampered with, a tampered device might expose their private data to any computer around the globe through SMS or Bluetooth.
Dr. Yarom stated that it is important to redesign USB connections to ensure optimal security, and that data must also be encrypted before being sent to another device over USB. He also suggested that users take notice of the research and use such devices carefully.
“The main take-home message is that people should not connect anything to USB unless they can fully trust it. For users, it usually means not to connect to other people's devices. For organizations that require more security, the whole supply chain should be validated to ensure that the devices are secure.”
The other participants in the research were Yang Su, a student at the University of Adelaide; Dr. Daniel Genkin of the University of Maryland and the University of Pennsylvania; and Dr. Damith Ranasinghe of the University of Adelaide. The team will present their findings at the USENIX Security Symposium, held in Vancouver, Canada, from 16 to 18 August 2017.
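The leak condition described above (an untrusted device on the same hub as a keyboard, card swiper or fingerprint reader) can be audited from a device inventory. The following is an added example, not code from the researchers: the inventory is constructed, the `sensitive` and `trusted` labels are hypothetical ones an administrator would assign, and it conservatively treats every port on a shared hub as adjacent.

```python
# Added example: find sensitive input devices that share a USB hub with an
# untrusted device. Device names follow the Linux sysfs convention
# "<bus>-<port>[.<port>...]", e.g. "1-1.2" is port 2 of the hub at "1-1".

# Constructed inventory (not from the article); labels are hypothetical.
SAMPLE = {
    "1-1":   {"product": "4-port hub",         "sensitive": False, "trusted": True},
    "1-1.1": {"product": "keyboard",           "sensitive": True,  "trusted": True},
    "1-1.2": {"product": "USB lamp",           "sensitive": False, "trusted": False},
    "1-1.4": {"product": "mouse",              "sensitive": False, "trusted": True},
    "1-2":   {"product": "card swiper",        "sensitive": True,  "trusted": True},
    "2-1":   {"product": "fingerprint reader", "sensitive": True,  "trusted": True},
    "2-2":   {"product": "flash drive",        "sensitive": False, "trusted": False},
}


def parent_hub(name):
    """Return the hub a device hangs off: '1-1.2' -> '1-1', '1-2' -> 'usb1'."""
    bus, ports = name.split("-", 1)
    if "." in ports:
        return f"{bus}-{ports.rsplit('.', 1)[0]}"
    return f"usb{bus}"  # directly on the root hub of that bus


def exposed_inputs(devices):
    """Map each sensitive device to the untrusted devices on the same hub."""
    by_hub = {}
    for name in devices:
        by_hub.setdefault(parent_hub(name), []).append(name)

    findings = {}
    for members in by_hub.values():
        untrusted = sorted(m for m in members if not devices[m]["trusted"])
        for m in members:
            neighbours = [u for u in untrusted if u != m]
            if devices[m]["sensitive"] and neighbours:
                findings[m] = neighbours
    return findings


if __name__ == "__main__":
    for dev, neighbours in sorted(exposed_inputs(SAMPLE).items()):
        names = ", ".join(f"{n} ({SAMPLE[n]['product']})" for n in neighbours)
        print(f"{dev} ({SAMPLE[dev]['product']}) shares a hub with untrusted: {names}")
```
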