Researchers at the University of Adelaide say that USB connections can leak information, making them less secure than once thought.
Tests were carried on more than 50 different PCs and external USB hubs and 90% were found to leak information to an external USB device.
The team will present a paper on their findings at the USENIX Security Symposium in Vancouver, Canada, next week.
Asked whether this kind of leakage was possible when an USB device was plugged directly into a PC or other device, Dr Yuval Yarom, head of the research project, told iTWire:
{loadposition sam08}"When computers have multiple USB ports they typically (i.e. in all cases we looked) support those through an internal hub. That is, the computer has a hub embedded inside... and this hub allows the computer to support multiple USB ports.
"We have tested both with external hubs and with the internal hubs and found vulnerabilities in both scenarios.
"In particular, we tested direct connections to 34 different computers, including desktops, laptops and all-in-one computers from major brands, such as Lenovo, Apple, Asus and Dell. We found that we could snoop on keystrokes in all but four."
Dr Yarom, a research associate with the University's School of Computer Science, said it had been thought that because information was only sent along the direct communication path to the computer, it was protected from potentially compromised devices.
“But our research showed that if a malicious device or one that’s been tampered with is plugged into adjacent ports on the same external or internal USB hub, this sensitive information can be captured. That means keystrokes showing passwords or other private information can be easily stolen.”
The leak was discovered by a student Yang Su, in the School of Computer Science, in collaboration with Dr Daniel Genkin (University of Pennsylvania and University of Maryland) and Dr Damith Ranasinghe (Auto-ID Lab, University of Adelaide).
They used a modified cheap novelty plug-in lamp with a USB connector to “read” every keystroke from the adjacent keyboard USB interface. The data was sent via Bluetooth to another computer.
Dr Yarom advised people against just sticking any USB key they found into their own PCs or laptops and suggested that a long-term solution would be to redesign USB connections to improve their security.
“The USB has been designed under the assumption that everything connected is under the control of the user and that everything is trusted – but we know that’s not the case," he said. "The USB will never be secure unless the data is encrypted before it is sent.”