External USB hubs are highly vulnerable to data leaks and need to be secured with encryption to ensure data privacy, say researchers at the University of Adelaide.
External USB hubs can be easily tampered with to capture sensitive information from computers where they are plugged in, the researchers added.
A team of researchers at the University of Adelaide recently observed that over 90 percent of external USB hubs leaked information to external USB devices. The team tested over 50 different computers and external USB hubs to see for themselves if USB hubs were really as secure as generally believed.
“If a malicious device or one that’s been tampered with is plugged into adjacent ports on the same external or internal USB hub, this sensitive information can be captured. That means keystrokes showing passwords or other private information can be easily stolen,” said Dr Yuval Yarom, Research Associate at the University of Adelaide’s School of Computer Science.
USB ports across the world are used not only to store data, but also to connect external keyboards, fingerprint readers, and card swipers to computers. They replaced floppy disk and CD drives as the most common external connectors over a decade ago and remain the most common interface for connecting external devices to computers.
“Electricity flows like water along pipes – and it can leak out. In our project, we showed that voltage fluctuations of the USB port’s data lines could be monitored from the adjacent ports on the USB hub,” Dr Yarom added.
USB sticks can also be tampered with by third parties before they are plugged into a computer, and can be modified to send messages via Bluetooth or SMS to any other computer anywhere in the world. The researchers said that Bluetooth is a far more secure way to send and receive information than USB hubs.
“The USB has been designed under the assumption that everything connected is under the control of the user and that everything is trusted – but we know that’s not the case,” said Dr Yarom, adding that USB connections need a complete design overhaul to match the security credentials of Bluetooth, including encryption.
“The USB will never be secure unless the data is encrypted before it is sent,” he concluded. Dr Yarom and his team of researchers will demonstrate the vulnerability in USB hubs at the USENIX Security Symposium in Vancouver, Canada next week.
Earlier, security experts at ESET also warned about the presence of malware and Trojans on USB devices that could install themselves and run successfully on the devices the USBs were plugged into. Last year, a malicious Trojan dubbed USB Thief could infiltrate select devices and avoid detection by encrypting some of its files and generating their filenames from cryptographic elements produced from information specific to the USB device.
“After the USB is removed, nobody can find out that data was stolen. Also, it would not be difficult to redesign the malware to change from a data-stealing payload to any other malicious payload,” the researchers said.