USB connections not secure
- 저자:Ella Cai
- 에 출시:2017-08-11
USB connections can be snooped, according to the University of Adelaide, which tested more than 50 different computers and external USB hubs and found that more than 90 per cent of them leaked information through channel-to-channel crosstalk.
The team modified a cheap USB-powered novelty lamp to read keystrokes from an adjacent keyboard USB interface, sending the snooped data to another computer via Bluetooth.
Project leader Dr Yuval Yarom, from the University’s School of Computer Science, said it had been thought that, because USB-connected devices only sent information along a direct communication path to the computer, it was protected from compromise. “But our research showed that if a malicious device or one that’s been tampered with is plugged into adjacent ports on the same external or internal USB hub, this information can be captured. That means keystrokes showing passwords or other private information can be easily stolen,” Dr Yarom said.
University of Adelaide computer scientist Yang Su discovered the snooping technique, working with Dr Daniel Genkin (University of Pennsylvania and University of Maryland) and Dr Damith Ranasinghe (University of Adelaide Auto-ID Lab).
Results will be presented in Canada at the USENIX security symposium in Vancouver.
Yarom added that other research had shown that 75 per cent of USB sticks dropped on the ground were picked up and plugged into a computer, and pointed out they could have been tampered with to snoop, sending messages via Bluetooth or SMS.
Rather than USB, he said Bluetooth is a more secure way of transferring information: “The USB will never be secure unless the data is encrypted before it is sent.”
The team modified a cheap USB-powered novelty lamp to read keystrokes from an adjacent keyboard USB interface, sending the snooped data to another computer via Bluetooth.
Project leader Dr Yuval Yarom, from the University’s School of Computer Science, said it had been thought that, because USB-connected devices only sent information along a direct communication path to the computer, it was protected from compromise. “But our research showed that if a malicious device or one that’s been tampered with is plugged into adjacent ports on the same external or internal USB hub, this information can be captured. That means keystrokes showing passwords or other private information can be easily stolen,” Dr Yarom said.
University of Adelaide computer scientist Yang Su discovered the snooping technique, working with Dr Daniel Genkin (University of Pennsylvania and University of Maryland) and Dr Damith Ranasinghe (University of Adelaide Auto-ID Lab).
Results will be presented in Canada at the USENIX security symposium in Vancouver.
Yarom added that other research had shown that 75 per cent of USB sticks dropped on the ground were picked up and plugged into a computer, and pointed out they could have been tampered with to snoop, sending messages via Bluetooth or SMS.
Rather than USB, he said Bluetooth is a more secure way of transferring information: “The USB will never be secure unless the data is encrypted before it is sent.”
