Description of vulnerability
The Universal Serial Bus (USB) is a straightforward way to connect peripheral devices to each other and to a computer. USB is asymmetrical in its topology, consisting of a host, a multitude of downstream USB ports, and multiple peripheral devices connected in a tiered-star topology. A USB host may implement multiple host controllers, and each host controller may provide one or more USB ports connecting up to 127 devices. Some of those devices send sensitive information (passwords from keyboards, fingerprint readers, card readers, etc.).
According to research at the University of Adelaide, Australia, over 90% of 50 tested computers and external USB hubs leak information to other ports within the hub/device (Su, Genkin, Ranasinghe and Yarom, 2017).
Exploitation case
An attacker:
- Manufactures cheap USB devices that include a USB receiver and a means of communication. Personnel buy these devices and plug them into their computers or USB hubs.
- Manipulates USB memory devices and leaves them to be found by targeted people. Studies show that 75% of memory sticks dropped on the ground were picked up and plugged into a computer.
The acquired USB device receives all data transferred through the channel between other devices, recognises important data such as passwords, IDs and profiles, and sends it to the adversary.
Mitigation
There are no software updates available to mitigate the problem. The USB standard needs to be redesigned. Meanwhile, the following measures may help to restrict the exploitation:
- End users should be trained not to plug any unknown or unauthorised USB device into their systems.
- Armed Forces should ensure that the USB devices provided to them come from audited manufacturers, are supplied through controlled supply chains, and are tested before being distributed for use.
- Encrypt all traffic that is sent over USB.
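
An added example, not part of the original advisory, of how the first two measures could be checked on a host: it audits a USB inventory against an allowlist of approved VID:PID pairs and reports which sensitive devices sit on the same hub as an unapproved one, since the leakage described above is between ports of one hub. The inventory, allowlist and role labels are constructed sample data; the paths follow the Linux sysfs naming for USB devices (for example "1-1.2" on bus 1, root hub "usb1").

```python
# Constructed allowlist of approved VID:PID pairs (hypothetical values).
ALLOWLIST = {"1111:0001", "1111:0002", "1111:0003", "1111:0004"}

# Roles whose traffic is sensitive, following the advisory's examples.
SENSITIVE_ROLES = {"keyboard", "fingerprint-reader", "card-reader"}

# Constructed inventory: (sysfs-style topology path, VID:PID, role).
SAMPLE_INVENTORY = [
    ("1-1",   "1111:0001", "hub"),
    ("1-1.1", "1111:0002", "keyboard"),
    ("1-1.2", "9999:0001", "storage"),        # not on the allowlist
    ("1-1.3", "1111:0003", "card-reader"),
    ("1-2",   "1111:0004", "fingerprint-reader"),
    ("2-1",   "9999:0002", "storage"),        # not on the allowlist
]


def parent_hub(path):
    """Return the hub a device hangs off: '1-1.2' -> '1-1', '1-2' -> 'usb1'."""
    if "." in path:
        return path.rsplit(".", 1)[0]
    return "usb" + path.split("-", 1)[0]      # root hub of that bus


def audit(inventory, allowlist):
    """List unapproved devices and the sensitive devices sharing their hub."""
    by_hub = {}
    for path, vidpid, role in inventory:
        by_hub.setdefault(parent_hub(path), []).append((path, vidpid, role))

    findings = []
    for hub, devices in by_hub.items():
        sensitive = sorted(p for p, _, r in devices if r in SENSITIVE_ROLES)
        for path, vidpid, _ in devices:
            if vidpid.lower() not in allowlist:
                findings.append({
                    "device": path,
                    "id": vidpid,
                    "hub": hub,
                    "exposed": [p for p in sensitive if p != path],
                })
    return sorted(findings, key=lambda f: f["device"])


if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY, ALLOWLIST):
        print(f"{f['device']} ({f['id']}) on hub {f['hub']}: "
              f"shares hub with {f['exposed'] or 'no sensitive devices'}")
```

VID:PID values are reported by the device itself, so a match against the allowlist narrows what needs physical inspection and does not prove that a device is genuine.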