Just as water leaks from pipes, so do electrical ones signalfrom USB ports, indirectly exposing sensitive data to a sophisticated attacker, according to new research by scientists at the University of Adelaide in Australia.
The phenomenon is known as “channel-to-channel leakage conversation(channel-to-channel crosstalk leakage) and affects USB devices connected to adjacent ports.
“Electricity flows like the water into pipes and can leak,'' said the project's lead Dr. Yuval Yarom. "In our work, we have shown that the voltage fluctuations of the USB port data lines can be controlled by the neighboring ports for the distributor USB. "
This scenario assumes the existence of a malicious USB device that is connected to a nearby port. The attacker can use this device to monitor the data flow of neighboring ports.
Researchers say an attacker could collect this data and use a connection on the Internet to send them to the attacker's server. Anything that passes in an unencrypted form through adjacent USB ports can be collected.
For the practical side of their research, the scientists used a modified light bulb with a USB connector to record each keystroke on a nearby USB keyboard. They then sent the data to another computer via Bluetooth.
In addition, conducting a USB attack via channel-to-channel crosstalk leakage is not as complicated as many of our readers would think. Numerous studies have shown that users generally have a habit of accepting random USB drives and installing them on personal or corporate computers without considering the security implications.
“Her main message study"Our view is that users shouldn't plug anything into USB if they can't fully trust it," is the researchers' conclusion, and at iguru we fully embrace it.
The full research is not yet publicly available but will be presented under the title "USB Snooping Made Easy: Crosstalk Leakage Attacks on USB Hubs" next week at the USENIX Security Symposium in Canada.