External USB hubs are highly vulnerable to data leaks, say researchers

External USB hubs are highly vulnerable to data leaks and need to be secured with encryption to ensure data privacy, say researchers at the University of Adelaide.

External USB hubs can be easily tampered with to capture sensitive information from computers where they are plugged in, the researchers added.

A team of researchers at the University of Adelaide recently observed that over 90 percent of external USB hubs leaked information to external USB devices. The team tested over 50 different computers and external USB hubs to see for themselves if USB hubs were really as secure as generally believed.

“If a malicious device or one that’s been tampered with is plugged into adjacent ports on the same external or internal USB hub, this sensitive information can be captured. That means keystrokes showing passwords or other private information can be easily stolen,” said Dr Yuval Yarom, Research Associate at the University of Adelaide’s School of Computer Science.

USB ports across the world are used not only to store data, but also to connect external keyboards, fingerprint readers, and card swipers to computers. Having replaced floppy disk and CD drives as the most common external connectors over a decade ago, they remain the most common interface for connecting external devices to computers.

“Electricity flows like water along pipes – and it can leak out. In our project, we showed that voltage fluctuations of the USB port’s data lines could be monitored from the adjacent ports on the USB hub,” Dr Yarom added.

USB sticks can also be tampered with by third parties before they are plugged into a computer and can also be modified to send messages via Bluetooth or SMS to any other computer anywhere in the world. The researchers said that Bluetooth is a far more secure way to send and receive information compared to USB hubs.

“The USB has been designed under the assumption that everything connected is under the control of the user and that everything is trusted – but we know that’s not the case,” said Dr Yarom, adding that USB connections need a complete design overhaul to match the security credentials of Bluetooth, including encryption.

“The USB will never be secure unless the data is encrypted before it is sent,” he concluded. Dr Yarom and his team of researchers will demonstrate the vulnerability in USB hubs at the USENIX Security Symposium in Vancouver, Canada next week.

Earlier, security experts at ESET also warned about malware and Trojans on USB devices that could install themselves and run successfully on the machines the devices were plugged into. Last year, a Trojan dubbed USB Thief could infiltrate select devices and avoid detection by encrypting some of its files and generating their filenames from cryptographic elements produced from information specific to the USB device.

“After the USB is removed, nobody can find out that data was stolen. Also, it would not be difficult to redesign the malware to change from a data-stealing payload to any other malicious payload,” the researchers said.


Copyright Lyonsdown Limited 2020
