Just as there is a water leak from pipes, so do the electrical signals from the USB ports, indirectly exposing the sensitive data to an experienced attacker, according to new research by Adelaide University scientists in Australia.
The phenomenon is known as "channel-to-channel crosstalk leakage" and affects USB devices connected to neighboring ports.
"Electricity flows like water into pipes and can leak,", said the project's lead Dr. Yuval Yarom. "In our work, we have shown that the voltage fluctuations of the USB port data lines can be controlled by the neighboring ports for the distributor USB. "
This scenario assumes the existence of a malicious USB device that is connected to a nearby port. The attacker can use this device to monitor the data flow of neighboring ports.
Researchers say that an attacker could collect this data and use an Internet connection to send it to the attacker's server. Anything that goes into an unencrypted format via adjacent USB ports can be collected.
For the practical side of their research, the scientists used a modified light bulb with a USB connector to record each keystroke on a nearby USB keyboard. They then sent the data to another computer via Bluetooth.
In addition, conducting a USB attack via channel-to-channel crosstalk leakage is not as complicated as many of our readers would think. Numerous studies have shown that users generally have a habit of accepting random USB drives and installing them on personal or corporate computers without considering the security implications.
"The main message of our study is that users should not connect anything to USB if they can not fully trust it," the researchers concluded, and at iguru we fully embrace it.
The full research is not yet publicly available but will be presented under the title "USB Snooping Made Easy: Crosstalk Leakage Attacks on USB Hubs" next week at the USENIX Security Symposium in Canada.