It's Called "Channel-to-Channel Crosstalk Leakage"For their experiment, researchers Yuval Yarom, Yang Su, and Damith Ranasinghe of the University of Adelaide along with Daniel Genkin of the University of Pennsylvania and Maryland tested 50 computers and external USB hubs. They found that 90 percent of the devices they examined can potentially leak information to compromised devices. This vulnerability boils down to several elements. First, many buses, or devices which transmit information to different components of a computer system, don't use encryption and authentication to secure their communication channels. Instead, they depend on a unicast network model to route their messages from the sender to the receiver, something which is known as "upstream traffic." As the Yarom and his colleagues explain in their research paper (PDF):
"Each hub has one upstream port and up to seven downstream ports. Downstream traffic is broadcasted to all of the devices in the tree. However, upstream data is only sent along the (single) path from the transmitting peripheral device to the host. In particular, hubs which are not located on the path between the transmitting peripheral and the host should not be able to observe the peripheral’s upstream USB traffic."But that begged the question: could common communication buses be vulnerable to off-path attacks? Could actors in some way monitor an adjacent USB port from other ports on the same hub? To determine if this "channel-to-channel crosstalk leakage" phenomenon was possible, the researchers connected a USB input keyboard to a hub. They then used an oscilloscope to monitor the data sent from the device to the computer. All the while, they measured the leakage on a different USB port of the same hub. This leakage manifested itself on the D+ or D- differential data signal line relative to the GND line on one of the hub’s other downstream ports. By using signal processing techniques, the researchers were able to decode the information contained in the data line leakage.
"We measured the spy probe’s key recognition rate under various typing speeds. Using a digital metronome as a speed reference, we pressed a random key on every metronome pulse. We evaluated the spy probe’s ability to operate at various typing speeds. As can be seen in Figure 24, the spy probe achieves 97% accuracy rate for typing speeds from 150 KPM (Keypress Per Minute) to 210 KPM. Notice that average adult typing speed is between 36 and 45 words per minutes, equivalent to 200 KPM."
Concluding RecommendationsTo prevent crosstalk leakage and bad actors from capturing it, USB hub manufacturers can optically decouple bus data lines and use a 5V supply for each downstream support. That kind of solution can be expensive. For a cheaper alternative, a LC low pass filter and low dropout regulator could do the trick. The researchers also recommend that the USB protocol adds end-to-end encryption or encryption with a session key to help guarantee the confidentiality and integrity of messages. Those countermeasures, however, overlook the most salient point of the experiment. As Dr. Yarom told the University of Adelaide in a statement:
"The main take-home message is that people should not connect anything to USB unless they can fully trust it. For users, it usually means not to connect to other people's devices. For organizations that require more security, the whole supply chain should be validated to ensure that the devices are secure."For best practices on how to protect your organization's supply chain, click here. You can also hear Dr. Yarom and his colleagues present additional findings from their experiment on 18 August 2017 at the USENIX Security Symposium held in Vancouver, Canada.