34

Is it possible for a (malicious) (hardware) USB device to access all the data that is transferred through the USB bus and then read/store this information, essentially sniffing all transferred data? Or is the USB bus switched and only sends data to the correct recipient, i.e. only allowing the intended recipient to read it?

Adi
user1049697

2 Answers

25

Most likely yes, but it depends

Much like PATA, SCSI, and Ethernet devices, USB devices don't directly connect to the computer. They connect to a Host Controller that manages all signaling and communication. All ports are connected to something called a Root Hub, and to each Root Hub you may connect other hubs and subsequently more hubs.

Each of these hubs has multiple downstreams and exactly one upstream. "What does that mean?" you ask. Well, it means that whatever data is sent by the hub is sent to all child hubs and devices, while data sent by the hubs and devices is only sent "upwards" to the Root Hub.

So, if a number of devices are connected to ports that lead to the same Root Hub (they're all controlled by the same Host Controller), then any of the devices can sniff the data only in the direction Computer -> Device.

In my laptop, for example, the ports on the right side are controlled by a Host Controller, and the ports on the left side are controlled by another Host Controller.


Meaning that data sent to any device on the right side can be sniffed by any device on the right side, but not devices connected to the left side.

I remember a colleague of mine modifying a USB stick to prevent it from ignoring data sent to other devices. So if you plug that modified USB stick into a computer, you can capture all the files copied to other USB sticks on the same computer.

Update:

@Polynomial's comment made me question the whole answer, since my information is based on my colleague's description. To be sure, I tried to find some reference. I dug in the USB specs and I found this:

... In the downstream direction, hubs operate in a broadcast mode. When a hub detects the start of a packet on its upstream facing port, it establishes connectivity to all enabled downstream facing ports. If a port is not enabled, it does not propagate packet signaling downstream.

Also, a TOTAL PHASE KB article seems to agree:

USB 2.0 works through a unidirectional broadcast system. When a host sends a packet, all downstream devices will see that traffic. If the host wishes to communicate with a specific device, it must include the address of the device in the token packet. Upstream traffic (the response from devices) are only seen by the host or hubs that are directly on the return path to the host.

Adi
  • I'm pretty sure this isn't true. The host controller manages 1:1 connections to each of the child devices back to the root USB controller. These connections may not be full-duplex, but as far as I'm aware they aren't shared buses. They're physically separated and don't do broadcast. – Polynomial Jun 24 '13 at 10:59
  • *"Each of these hubs have multiple downstreams and exactly one upstream [...] it means that whatever data sent by the hub is sent to all child hubs and devices, while data sent by the hubs and devices are only sent upwards to Root Hub."* - this is definitely incorrect. USB uses unique addressing for downstream and horizontal traffic, and round-robin polling to determine who gets to send upstream traffic back to the root host. There's no downstream broadcast. – Polynomial Jun 24 '13 at 11:07
  • @Polynomial Hmmm.. My understanding of this comes from my colleague's explanation of the whole process. But I've seen it with my own eyes how data copied to one USB stick are mirrored on the other. Although, now that you say it, I _could_ be wrong because the demonstration was on two USB sticks connected to an external USB hub. Do external USB hubs behave differently? – Adi Jun 24 '13 at 11:08
  • 3
    I think it's to do with the differentiation between *control* and *data* packets, which can both be broadcast and unicast data. The spec doesn't explicitly prevent either from being broadcast, but by default the data packets *should* be unicast. I'd imagine one of the USB sticks designated itself master, and the other slave, and relayed the unicast traffic horizontally. – Polynomial Jun 24 '13 at 11:22
  • @Polynomial Adi is correct. USB uses half-duplex broadcast. – forest May 11 '18 at 00:56
  • @Polynomial Actually to be more specific, Adi is correct only for USB 2.0. [3.0](http://www.usbtips.com/usb-3-0-specifications-superspeed-data-flow-model/) is dual-simplex unicast. – forest Nov 28 '18 at 09:32
9

The answer by Adnan is correct. However, to complete the picture, for SuperSpeed mode in USB 3.0, the downstream packets are routed by the hub instead of being broadcast, unlike USB 2.0.

Do note that the USB 3.0 hub consists of the USB 2.0 portion and a separate SuperSpeed portion. The USB 2.0 portion of the SuperSpeed hub operates in broadcast mode as before.

In short, the contents you write to a drive running in SuperSpeed mode cannot be snooped.

Linus kerk
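An added example, not part of either answer: a small Linux audit script that reads the sysfs USB tree and reports which attached devices sit on the same bus at USB 2.0 speeds (where, per the answers above, host-to-device traffic is broadcast) while leaving out SuperSpeed links (routed). It assumes the standard sysfs attributes `busnum`, `speed`, `bDeviceClass` and `product`; the grouping by bus number is a coarse approximation, and `build_sample_tree` creates a constructed sample tree so the script also runs off a real machine.

```python
import os
import tempfile
from collections import defaultdict

SYSFS_USB = "/sys/bus/usb/devices"  # Linux sysfs view of the USB tree

def _attr(dev, name, default=""):
    try:
        with open(os.path.join(dev, name)) as f:
            return f.read().strip()
    except OSError:
        return default

def shared_downstream_groups(root=SYSFS_USB):
    """Return {busnum: [(sysfs name, product, Mb/s), ...]} for buses where two
    or more non-hub devices run at USB 2.0 speeds (<= 480 Mb/s)."""
    buses = defaultdict(list)
    for name in sorted(os.listdir(root)):
        if ":" in name or name.startswith("usb"):
            continue  # skip interfaces ("1-1:1.0") and root hubs ("usb1")
        dev = os.path.join(root, name)
        try:
            speed = float(_attr(dev, "speed"))
        except ValueError:
            continue  # speed attribute missing or "unknown"
        if _attr(dev, "bDeviceClass") == "09" or speed > 480:
            continue  # hubs themselves; SuperSpeed links are routed, not broadcast
        buses[_attr(dev, "busnum")].append((name, _attr(dev, "product", "?"), speed))
    return {bus: devs for bus, devs in buses.items() if len(devs) > 1}

def build_sample_tree(base):
    """Constructed sample: two sticks behind a USB 2.0 hub on bus 1 and one
    SuperSpeed drive on bus 2 (names and products are made up)."""
    sample = {
        "usb1": ("1", "480", "09", "root hub"), "1-1": ("1", "480", "09", "hub"),
        "1-1.1": ("1", "480", "00", "Stick A"), "1-1.2": ("1", "480", "00", "Stick B"),
        "usb2": ("2", "5000", "09", "root hub"), "2-1": ("2", "5000", "00", "SS drive"),
    }
    for name, values in sample.items():
        os.makedirs(os.path.join(base, name))
        for attr, value in zip(("busnum", "speed", "bDeviceClass", "product"), values):
            with open(os.path.join(base, name, attr), "w") as f:
                f.write(value + "\n")
    os.makedirs(os.path.join(base, "1-1.1:1.0"))  # interface entry, no speed file
    return base

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        return shared_downstream_groups(build_sample_tree(tmp))

if __name__ == "__main__":
    print(shared_downstream_groups() if os.path.isdir(SYSFS_USB) else demo())
```

On the constructed tree only bus 1 is reported, with both sticks listed; the SuperSpeed drive on bus 2 is left out.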