Just as water leaks from pipes, so do electrical signals from USB ports, indirectly exposing sensitive data to an experienced intruder, according to new research by scientists at the University of Adelaide in Australia.
The phenomenon is known as “from channel "channel-to-channel crosstalk leakage" and affects USB devices connected to adjacent ports.
"Electricity flows like water into pipes and can leak,", said the project's lead Dr. Yuval Yarom. "In our work, we have shown that the voltage fluctuations of the USB port data lines can be controlled by the neighboring ports for the distributor USB. "
This scenario assumes the existence of a malicious USB device that is connected to a nearby port. The attacker can use this device to monitor the data flow of neighboring ports.
The researchers they say an attacker could collect this data and use an Internet connection to send it to the attacker's server. Anything that passes in an unencrypted form through adjacent USB ports can be collected.
For the practical side of their research, the scientists used a modified light bulb with a USB connector to record each keystroke on a nearby USB keyboard. They then sent the data to another computer via Bluetooth.
In addition, conducting a USB attack via channel-to-channel crosstalk leakage is not as complicated as many of our readers would think. Numerous studies have shown that users generally have a habit of accepting random USB drives and installing them on personal or corporate computers without considering the security implications.
"The main message of our study is that users should not connect anything to USB if they can not fully trust it," the researchers concluded, and at iguru we fully embrace it.
The full research is not yet public, but will be presented under the title “USB Snooping Made Easy: Crosstalk Leakage Attacks on USB Hubs” next week at the USENIX Security Symposium in Canada.