Home Security Adelaide team finds USB connections can leak data

Adelaide team finds USB connections can leak data

Researchers at the University of Adelaide say that USB connections can leak information, making them less secure than once thought.

Tests were carried on more than 50 different PCs and external USB hubs and 90% were found to leak information to an external USB device.

The team will present a paper on their findings at the USENIX Security Symposium in Vancouver, Canada, next week.

Asked whether this kind of leakage was possible when an USB device was plugged directly into a PC or other device, Dr Yuval Yarom, head of the research project, told iTWire: 

"When computers have multiple USB ports they typically (i.e. in all cases we looked) support those through an internal hub. That is, the computer has a hub embedded inside... and this hub allows the computer to support multiple USB ports. 

"We have tested both with external hubs and with the internal hubs and found vulnerabilities in both scenarios. 

"In particular, we tested direct connections to 34 different computers, including desktops, laptops and all-in-one computers from major brands, such as Lenovo, Apple, Asus and Dell. We found that we could snoop on keystrokes in all but four."

Dr Yarom, a research associate with the University's School of Computer Science, said it had been thought that because information was only sent along the direct communication path to the computer, it was protected from potentially compromised devices.

“But our research showed that if a malicious device or one that’s been tampered with is plugged into adjacent ports on the same external or internal USB hub, this sensitive information can be captured. That means keystrokes showing passwords or other private information can be easily stolen.”

The leak was discovered by a student Yang Su, in the School of Computer Science, in collaboration with Dr Daniel Genkin (University of Pennsylvania and University of Maryland) and Dr Damith Ranasinghe (Auto-ID Lab, University of Adelaide). 

They used a modified cheap novelty plug-in lamp with a USB connector to “read” every keystroke from the adjacent keyboard USB interface. The data was sent via Bluetooth to another computer.

Dr Yarom advised people against just sticking any USB key they found into their own PCs or laptops and suggested that a long-term solution would be to redesign USB connections to improve their security.

“The USB has been designed under the assumption that everything connected is under the control of the user and that everything is trusted – but we know that’s not the case," he said. "The USB will never be secure unless the data is encrypted before it is sent.”


Australia is a cyber espionage hot spot.

As we automate, script and move to the cloud, more and more businesses are reliant on infrastructure that has the high potential to be exposed to risk.

It only takes one awry email to expose an accounts’ payable process, and for cyber attackers to cost a business thousands of dollars.

In the free white paper ‘6 Steps to Improve your Business Cyber Security’ you’ll learn some simple steps you should be taking to prevent devastating and malicious cyber attacks from destroying your business.

Cyber security can no longer be ignored, in this white paper you’ll learn:

· How does business security get breached?
· What can it cost to get it wrong?
· 6 actionable tips



Ransomware is a type of malware that blocks access to your files and systems until you pay a ransom.

The first example of ransomware happened on September 5, 2013, when Cryptolocker was unleashed.

It quickly affected many systems with hackers requiring users to pay money for the decryption keys.

Find out how one company used backup and cloud storage software to protect their company’s PCs and recovered all of their systems after a ransomware strike.


Sam Varghese

website statistics

A professional journalist with decades of experience, Sam for nine years used DOS and then Windows, which led him to start experimenting with GNU/Linux in 1998. Since then he has written widely about the use of both free and open source software, and the people behind the code. His personal blog is titled Irregular Expression.


Popular News