Aussie researchers find easy way to steal sensitive data via USB

Australian researchers are warning that USB interfaces can be easily used to silently capture sensitive user data such as keystrokes from computers by monitoring electric crosstalk leakage.

Yang Su, Yuval Yarom, and Damith Ranasinghe from the University of Adelaide, together with Daniel Genkin from the University of Pennsylvania, tested 50 different computers and external USB hubs and found that nine out of ten devices were vulnerable to the crosstalk issue [pdf].

They found that USB data buses do not use security measures such as authentication and encryption, instead they rely on a unicast network model.

It means messages are physically routed along the path from the sender to all devices connected on the USB bus. 

Traditionally the assumption has been that devices cannot snoop on information sent to a host system via USB, since data flows only through hubs until it reaches the end point, but the researchers have now shown this is flawed.

To demonstrate the flaw, they monitored the minute variations in the electrical properties of a USB connection to capture keyboard strokes, UoA research associate Yuval Yarom told iTnews.

USB crosstalk monitoring demo setup

"In the experimental setup, the novelty lamp and the keyboard are connected to the same hub - note that the hub could be internal to the computer, in which case the lamp and the keyboard are just connected to two USB ports on the computer," Yarom said.

"Because these [electrical] variations are the result of the keyboard communicating with the computer, monitoring the variations reveals the keystrokes.

"The lamp then sends the keystroke information via Bluetooth to a different computer."

The researchers tested USB 2.0 and 3.0, but not USB-C devices, Yarom said.

To mitigate against attacks, the researchers devised a "USB condom" which filters out signals over 300 Hertz, and decouples USB power lines from data lines.

This reduces data line crosstalk significantly, meaning it would take much more sensitive equipment to successfully snoop on user communications.

Adding end-to-end encryption would also protect against snooping, but USB devices would need sufficient computational power to perform public key operations, the researchers said.

As a general protective measure, the researchers warned users not to plug in USB devices they do not trust into their computers.

USB might not be the only bus susceptible to crosstalk attacks, and more research is needed to check for vulnerabilities on other communications networks.