Other issues in this category (12)
Undercover criminal: About the dangers of charging devices in public places
Tuesday, December 22, 2020
Modern laptops and smartphones, when disconnected from a battery charger, do not work as long as we would like. The promised days of operation turn into a matter of hours after a certain amount of use, and the user is often left to search for a power source. Charger racks, to which you can connect a USB cable and charge your device, are now available in airports, railway stations, and modern metro carriages... After noticing the coveted slot, many are in a hurry to use it: after all, a device can run out of power at the most unexpected moment.
This charging process may seem secure. Theoretically, there is a risk of fire or the risk of getting electrocuted. That's about it. With that said, you may be surprised by the news that in 2019, the Los Angeles County (USA) Prosecutors' Office notified people that cybercriminals can exploit public USB chargers to steal data, noting that tourists should be careful when using such stations in public places. It should be noted that the possibility of attacks occurring from external chargers was demonstrated in the years prior to that notice. For example, in 2016, at the BlackHat security conference, the security report "Mactans: Injecting Malware into iOS Devices via Malicious Chargers" was presented. Even earlier, in 2011, at a DEF CON hacking conference, researchers from Aires Security demonstrated a charging stand and how it can be used to carry out an attack.
Yes, that's right. Attackers have learned to use the charging stations and infect the devices connected to them via USB (or similar) interface. The fact is that in a USB slot, there are lines (in other words, contacts) responsible for data transmission. And there are lines responsible for transmitting the energy that devices require for their operation (from the power supply to the connected computer or smartphone). Cybercriminals use the contacts responsible for exchanging data to hack a device. If their attempt proves to be successful, confidential information can be stolen, or malware or spyware can be installed on the targeted device. This kind of attack is called "Juice jacking".
How can attackers carry this out via public charging stations? One way is to modify the stations on the inside. For example, by replacing standard USB slots with specially prepared ones — hacker chips that can exchange data with connected devices via standard USB data-transmission lines. Or cybercriminals can use the original slots when the respective lines in them haven’t been disabled for security purposes. In this case, the attackers only need to correctly connect the hacking device to an existing port.
Apart from injecting malicious code into official charging stations, cybercriminals can prepare and place (in a park, for example) their own public-looking station.
But that's not all. With electronic equipment getting smaller, criminals can not only install their controller directly in a charging station but also hide it inside a standard-looking cable (one that comes with your device). Who would suspect a hacking tool to be hidden in a standard cable?
Perhaps such attacks can still be called exotic, but cybercriminals can implement them when they have the needed resources and the desire. Especially when it comes to charging stations—for example, in a park, where there are no security services and visitors are unlikely to think about the reliability of the station. Cybercriminals can covertly replace a cable with a version containing a surprise or "forget" it near the charging terminal where it will wait for the next victim. The further success of the hacking will depend on various factors: the presence of vulnerabilities in the device software, the OS installed on it, the changes made to the security settings by the user, etc.
The Anti-virus Times recommends
Our main recommendation is to use your own charger (if possible) to avoid having to use a public one. Or at least turn off your handheld when using a public charger.
If you cannot avoid using a public charger, we recommend that you use cables and adapters that do not have data transmission lines but only a power line. In this case, when connecting to a station, cybercriminals won't be able to inject malicious code into your device and steal information from it.
How can you tell the difference between a standard cable and one that does not support the transfer of data? Do a simple test: use a cable to connect your smartphone to a PC and try to browse files on your mobile from your PC. If you managed to do this, it means that the cable has 4 wires. If not, there are probably only 2 wires and the cable can only be used for charging.
Users should not be particularly worried when buying a cable and a charger in a large store: in this case, the probability of buying a cable that comes with a surprise will be much lower than when buying the same items via Chinese sites from "generic-suppliers" or if a "kind" man on the street offers to loan out his.
Be wary and refuse to charge your device if you are prompted to allow the installation of some software program or add a USB port to your list of trusted devices.
And one more tip: protect your smartphone with an anti-virus. If cybercriminals manage to install something malicious on your device, the anti-virus will notice this.