USB’s shared bus architecture exhibits congestion patterns induced by device activity, which—due to the protocol stack’s lack of side-channel mitigations—enables remote side-channel attacks. This work identifies a previously unaddressed vulnerability in USB’s bandwidth arbitration mechanism, challenging the long-standing assumption that physical isolation guarantees USB security. Method: We propose a non-intrusive side-channel framework integrating USB traffic timing modeling, cross-device congestion feature extraction, machine learning–based classification, and passive bus monitoring. Contribution/Results: Evaluated on real hardware, our approach achieves >92% accuracy in real-time activity recognition across 12 mainstream USB device classes (e.g., keyboards, webcams, storage devices). It successfully infers keystroke content and video playback states covertly. This constitutes the first systematic extension of congestion-based side-channel attacks to the USB standard, establishing a new paradigm and empirical foundation for enhancing USB protocol security.

The USB protocol has become a ubiquitous standard for connecting peripherals to computers, making its security a critical concern. A recent research study demonstrated the potential to exploit weaknesses in well-established protocols, such as PCIe, and created a side-channel for leaking sensitive information by leveraging congestion within shared interfaces. Drawing inspiration from that, this project introduces an innovative approach to USB side-channel attacks via congestion. We evaluated the susceptibility of USB devices and hubs to remote profiling and side-channel attacks, identified potential weaknesses within the USB standard, and highlighted the critical need for heightened security and privacy in USB technology. Our findings discover vulnerabilities within the USB standard, which are difficult to effectively mitigate and underscore the need for enhanced security measures to protect user privacy in an era increasingly dependent on USB-connected devices.