Home Security Adelaide team finds USB connections can leak data

Adelaide team finds USB connections can leak data

Researchers at the University of Adelaide say that USB connections can leak information, making them less secure than once thought.

Tests were carried on more than 50 different PCs and external USB hubs and 90% were found to leak information to an external USB device.

The team will present a paper on their findings at the USENIX Security Symposium in Vancouver, Canada, next week.

Asked whether this kind of leakage was possible when an USB device was plugged directly into a PC or other device, Dr Yuval Yarom, head of the research project, told iTWire: 

"When computers have multiple USB ports they typically (i.e. in all cases we looked) support those through an internal hub. That is, the computer has a hub embedded inside... and this hub allows the computer to support multiple USB ports. 

"We have tested both with external hubs and with the internal hubs and found vulnerabilities in both scenarios. 

"In particular, we tested direct connections to 34 different computers, including desktops, laptops and all-in-one computers from major brands, such as Lenovo, Apple, Asus and Dell. We found that we could snoop on keystrokes in all but four."

Dr Yarom, a research associate with the University's School of Computer Science, said it had been thought that because information was only sent along the direct communication path to the computer, it was protected from potentially compromised devices.

“But our research showed that if a malicious device or one that’s been tampered with is plugged into adjacent ports on the same external or internal USB hub, this sensitive information can be captured. That means keystrokes showing passwords or other private information can be easily stolen.”

The leak was discovered by a student Yang Su, in the School of Computer Science, in collaboration with Dr Daniel Genkin (University of Pennsylvania and University of Maryland) and Dr Damith Ranasinghe (Auto-ID Lab, University of Adelaide). 

They used a modified cheap novelty plug-in lamp with a USB connector to “read” every keystroke from the adjacent keyboard USB interface. The data was sent via Bluetooth to another computer.

Dr Yarom advised people against just sticking any USB key they found into their own PCs or laptops and suggested that a long-term solution would be to redesign USB connections to improve their security.

“The USB has been designed under the assumption that everything connected is under the control of the user and that everything is trusted – but we know that’s not the case," he said. "The USB will never be secure unless the data is encrypted before it is sent.”

LEARN HOW TO BE A SUCCESSFUL MVNO

Did you know: 1 in 10 mobile services in Australia use an MVNO, as more consumers are turning away from the big 3 providers?

The Australian mobile landscape is changing, and you can take advantage of it.

Any business can grow its brand (and revenue) by adding mobile services to their product range.

From telcos to supermarkets, see who’s found success and learn how they did it in the free report ‘Rise of the MVNOs’.

This free report shows you how to become a successful MVNO:

· Track recent MVNO market trends
· See who’s found success with mobile
· Find out the secret to how they did it
· Learn how to launch your own MVNO service

DOWNLOAD NOW!

Sam Varghese

website statistics

A professional journalist with decades of experience, Sam for nine years used DOS and then Windows, which led him to start experimenting with GNU/Linux in 1998. Since then he has written widely about the use of both free and open source software, and the people behind the code. His personal blog is titled Irregular Expression.