USB Snooping Made Easy: Crosstalk Leakage Attacks on USB Hubs

Authors: 
Yang Su, Auto-ID Lab, The School of Computer Science, The University of Adelaide; Daniel Genkin, University of Pennsylvania and University of Maryland; Damith Ranasinghe, Auto-ID Lab, The School of Computer Science, The University of Adelaide; Yuval Yarom, The University of Adelaide and Data61, CSIRO

Abstract: 

The Universal Serial Bus (USB) is the most prominent interface for connecting peripheral devices to computers. USB-connected input devices, such as keyboards, card-swipers and fingerprint readers, often send sensitive information to the computer. As such information is only sent along the communication path from the device to the computer, it was hitherto thought to be protected from potentially compromised devices outside this path.

We have tested over 50 different computers and external hubs and found that over 90% of them suffer from a crosstalk leakage effect that allows malicious peripheral devices located off the communication path to capture and observe sensitive USB traffic. We also show that in many cases this crosstalk leakage can be observed on the USB power lines, thus defeating a common USB isolation countermeasure of using a charge-only USB cable which physically disconnects the USB data lines.

Demonstrating the attackā€™s low costs and ease of concealment, we modify a novelty USB lamp to implement an off-path attack which captures and exfiltrates USB traffic when connected to a vulnerable internal or a external USB hub.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

BibTeX
@inproceedings {203862,
author = {Yang Su and Daniel Genkin and Damith Ranasinghe and Yuval Yarom},
title = {{USB} Snooping Made Easy: Crosstalk Leakage Attacks on {USB} Hubs},
booktitle = {26th USENIX Security Symposium (USENIX Security 17)},
year = {2017},
isbn = {978-1-931971-40-9},
address = {Vancouver, BC},
pages = {1145--1161},
url = {https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/su},
publisher = {USENIX Association},
month = aug
}

Presentation Video