Top and middle row: Four tested USB hubs and their controller chips found to contain data line crosstalk leakage. Bottom row: Corresponding leakage waveform; the yellow (top) trace shows the USB traffic and the purple (bottom) trace shows the data line crosstalk leakage measured from an adjacent downstream USB port. (Credit: "USB Snooping Made Easy: Crosstalk Leakage Attacks on USB Hubs," Su et al., Figure 4)

Editor’s Note: Welcome to my weekly column, Virtual Case Notes, in which I interview industry experts for their take on the latest cybersecurity situation. Each week I will take a look at a new case from the evolving realm of digital crime and digital forensics. For previous editions, please type “Virtual Case Notes” into the search bar at the top of the site.

USB devices of uncertain origin can pose a number of risks if plugged into a computer. USB keys containing malware can inject viruses into the system, and altered USB devices can steal, store and send sensitive information. Connecting a device to an unfamiliar USB hub can also be dangerous, as data can flow easily through unencrypted data lines.

Safety measures such as the use of USB “condoms” that block data lines but leave power lines open for charging purposes can protect users from some conventional attacks, such as spying from untrusted public charging stations. But what if USB devices could steal information from nearby USB devices—and what if this information could come through the power lines?

Researchers from the University of Adelaide, University of Pennsylvania and University of Maryland revealed in a recent study and proof-of-concept experiment, presented at the 26th USENIX Security Symposium last month, that many internal and external USB hubs allowed leakage of information from USB devices to other devices plugged into adjacent USB ports, and that this information could be picked up with significant accuracy not only from data lines but also from the power lines of USB wires and devices.

“For the test, we connected a keyboard to a USB port on a computer or on a USB hub, and connected an oscilloscope to an adjacent USB port on the same computer or USB hub,” described Yuval Yarom, University of Adelaide research associate and coauthor of the paper, in an interview with Forensic Magazine. “We then looked for correlation between the signals that the keyboard sends and the signals observed on the adjacent USB port.”

The results of this test, which was performed on over 50 USB hubs, showed that about 94 percent of the internal hubs integrated into computers and 90 percent of external hubs that provide multiple USB ports showed signs of “channel-to-channel crosstalk leakage” to nearby, plugged-in devices. Additionally, about 63 percent of hubs tested specifically for data line crosstalk and nearly 59 percent of hubs tested specifically for power line crosstalk showed this leakage from their respective lines.

This means that devices that utilize USB connection purely for power purposes—such as novelty desk ornaments that light up, move or make sound—can still pick up info from neighboring devices such as keyboards. This also means that charging-only USB wires or wires utilizing a USB “condom” to block data lines can still be at risk of malicious snooping from adjacent plugs. 

Measuring powerline crosstalk leakage through a PortaPow USB condom. The right figure is the experimental setup, where a keyboard is connected to the USB hub via the silver wire and the powerline crosstalk leakage is monitored through the PortaPow USB condom (red) via the blue wire. The left figure shows the corresponding signals (acquired using an Agilent Infiniium DSO 5454832B oscilloscope), where the top (yellow) trace is the actual USB data and the bottom (blue) trace is the powerline crosstalk leakage. Notice the clear correlation between the two traces. (Credit: "USB Snooping Made Easy: Crosstalk Leakage Attacks on USB Hubs," Su et al., Figure 8)

The keystrokes of keyboards—which can include sensitive info ranging from addresses and passwords to bank information and personal messages—are not the only form of data that can be stolen through USB crosstalk.

“In the case of a keyboard, it would be the keystrokes. In the case of a USB credit card reader, the information is credit card information. From USB fingerprint readers we get the fingerprint data, etc.,” Yarom explained. All of these scenarios were tested in the research team’s study, with the oscilloscope picking up signal voltages that corresponded closely to what the devices were transmitting. The researchers successfully extracted credit card data through crosstalk leakage from a USB magnetic card reader. They were also able to receive audio from a headset microphone and fingerprint data from a fingerprint scanner; although they did not fully decode this data for the study, they write that it would be “straightforward” to interpret.

The team also performed a proof-of-concept experiment, constructing a USB device with the outward appearance of a cute novelty ghost-shaped lamp that in reality contained components capable of receiving information leaked from an adjacent USB port and transmitting it via Bluetooth to another computer. The Pac-Man-inspired lamp was able to spy on keystrokes from a neighboring keyboard with a 97 percent accuracy rate at typing speeds from 150 keys per minute to 210 keys per minute (the average adult typing speed is approximately 200 keys per minute).

Demonstration of the researchers' attack. (left) Phrase being typed on the Surface Pro via a USB keyboard. (right) Extracted key presses corresponding to the string “USB CROSSTALK.” (Credit: "USB Snooping Made Easy: Crosstalk Leakage Attacks on USB Hubs," Su et al., Figure 23)

Novelty USB toys, lamps and decorations such as the one constructed for the experiment could be used as spying tools by hackers who sell them cheaply or give them out to unsuspecting victims. As one study found in 2016, 98 percent of USB drives dropped in plain sight would be picked up and moved from their drop site, and at least 45 percent would be plugged into a computer and interacted with. This shows that users are vulnerable to curiosity and a lack of caution when it comes to plugging unfamiliar USB devices into their computers. They are left further unprotected by the lack of encryption found in most USB setups, which stems from the assumption that anything a user plugs into their own computer is trusted, familiar and safe.

“To protect from the attack we describe, users could just disconnect devices that they do not use while typing sensitive information (…) Users can significantly reduce the risks by not plugging their USB devices to computers they do not trust and not plugging USB devices they do not own to their computers. However, this limits the usability of USB, e.g. it prevents transferring files by giving a USB key to a friend. Furthermore, it does not protect from attackers who have the ability to replace USB devices, for example a cleaner who replaces a keyboard during their night shift,” Yarom explained.

“Encrypting USB communication would make the communication between devices and the computer more secure,” he concluded.