Infosec eggheads rig USB desk lamp to leak passwords via Bluetooth

Malicious USB gadgets can secretly spy on data flowing in and out of devices plugged into adjacent USB ports, security researchers in Australia have warned.

For example, keypresses from a USB keyboard could be read by a specially modified thumb drive placed in the next-door port. The spy stick can pick up electrical signals leaking from one port to another; analyzing this leakage opens the door to keylogging attacks in this case.

It means miscreants can potentially read off sensitive info from a computer if they are able to get a booby-trapped thumb drive or some other evil gadget into a victim's machine. It's not a particularly practical or terrifying scenario, but interesting nonetheless – and definitely something to be aware of if you plug your devices into public charging points at, say, airports.

"Electricity flows like water along pipes – and it can leak out. In our project, we showed that voltage fluctuations of the USB port's data lines can be monitored from the adjacent ports on the USB hub," said Dr Yuval Yarom, research associate with the University of Adelaide's School of Computer Science, on Thursday.

"But our research showed that if a malicious device or one that's been tampered with is plugged into adjacent ports on the same external or internal USB hub, this sensitive information can be captured. That means keystrokes showing passwords or other private information can be easily stolen."

The research, to be presented at next week's USENIX security conference in Vancouver, Canada, found that over 90 per cent of the 50 or so USB devices tested by the team could be read using what they call a "channel-to-channel crosstalk leakage" attack.

For the experiment, a novelty USB desk lamp was modified so that could collect the data from a keyboard plugging into an adjacent port. The keystrokes were sent via Bluetooth to a separate computer and analyzed using software to decode the keypresses and thus snoop on whatever usernames, passwords and other sensitive info was being typed.

"The USB has been designed under the assumption that everything connected is under the control of the user and that everything is trusted – but we know that's not the case. The USB will never be secure unless the data is encrypted before it is sent," Yarom said.

"The main take-home message is that people should not connect anything to USB unless they can fully trust it. For users it usually means not to connect to other people's devices. For organizations that require more security, the whole supply chain should be validated to ensure that the devices are secure." ®