USB Snooping Made Easy: Crosstalk Leakage Attacks on USB Hubs

TitleUSB Snooping Made Easy: Crosstalk Leakage Attacks on USB Hubs
Publication TypeConference Proceedings
Year of Conference2017
AuthorsSu, Y., D. Genkin, D. C. Ranasinghe, and Y. Yarom
Conference NameUSENIX Security Symposium
Date Published2017

The Universal Serial Bus (USB) is the most prominentinterface for connecting peripheral devices to computers.USB-connected input devices, such as keyboards, cardswipers and fingerprint readers, often send sensitive information to the computer. As such information is only sent along the communication path from the device to thecomputer, it was hitherto thought to be protected frompotentially compromised devices outside this path.We have tested over 50 different computers and external hubs and found that over 90% of them suffer from a crosstalk leakage effect that allows malicious peripheraldevices located off the communication path to captureand observe sensitive USB traffic. We also show that inmany cases this crosstalk leakage can be observed on theUSB power lines, thus defeating a common USB isolation countermeasure of using a charge-only USB cable which physically disconnects the USB data lines.Demonstrating the attack’s low costs and ease of concealment, we modify a novelty USB lamp to implement an off-path attack which captures and exfiltrates USBtraffic when connected to a vulnerable internal or a external USB hub.