Researchers at the University of Adelaide have shown that when it comes to data protection, USB connections and USB sticks could prove to be the weakest link in the chain. According to the researchers, external USB drives are “vulnerable to information leakage,” raising more concerns around their security.
The researchers discovered that out of the 50 computers and external USBs they tested, over 90 per cent leaked information to another external USB drive, which is a fairly high percentage. “USB-connected devices include keyboards, cardswipers and fingerprint readers which often send sensitive information to the computer,” said project leader Dr Yuval Yarom, Research Associate with the University of Adelaide’s School of Computer Science in a press statement.
“But our research showed that if a malicious device or one that’s been tampered with is plugged into adjacent ports on the same external or internal USB hub, this sensitive information can be captured. That means keystrokes showing passwords or other private information can be easily stolen,” he added.
The computer scientists have compared such data leaks to water leaking from pipes. According to them, “voltage fluctuations of the USB port’s data lines can be monitored from the adjacent ports on the USB hub.”
In their tests, the researchers used a modified “cheap novelty plug-in lamp with a USB connector to read every key stroke from the adjacent keyboard USB interface.” What happened in this case was that data from the Bluetooth-connected keyboard was sent to another computer. Given the popularity of such devices, the research raises some serious questions around their security.
The researchers also added that users tend not to worry about the possibility of tampered USB sticks and are happy to plug them into their devices. However, the scientists warn such USB sticks could be used to “send a message via Bluetooth or SMS to a computer anywhere in the world.”
“The main take-home message is that people should not connect anything to USB unless they can fully trust it,” says Dr Yarom. “For users it usually means not to connect to other people’s devices. For organisations that require more security, the whole supply chain should be validated to ensure that the devices are secure.” He added that in the future perhaps USB connections will have to be redesigned to boost security. Data should also be encrypted before it is sent via these devices.