There are USB chargers in airports, fast food restaurants and even buses these days. But are these public ports secure? If you use one, can your phone or tablet be hacked? We’ve tested it!
Some experts sounded the alarm
Some experts think you should be concerned about using a public USB charging station. Earlier this year, researchers from IBM’s elite penetration testing group, X-Force Red, issued dire warnings about the risks associated with public charging stations.
“Connecting to a public USB port is like looking for a toothbrush on the side of the road and deciding to stick it in your mouth,” said Caleb Barlow, vice president of threat intelligence at X-Force Red. «You have no idea where that thing was.»
Barlow notes that USB ports not only transfer power, but also transfer data between devices.
Modern devices give you control. They shouldn’t accept data from a USB port without your permission — that’s why there is a «Trust this computer?» prompt on the iPhone. . However, the security hole offers a way to bypass this protection. This is not true if you are just plugging a trusted power supply into a standard electrical port. However, when using a shared USB port, you are relying on a connection that can transfer data.
With a little technological trick, you can use the USB port and transfer malware to the connected phone. This is especially true if the device is running Android or an older version of iOS and is therefore behind on its security updates.
It all sounds scary, but are these warnings based on real problems? I dug deeper to find out.
From theory to practice
So, are USB attacks on mobile devices purely theoretical? The answer is an unequivocal no.
Security researchers have long considered charging stations a potential attack vector. In 2011, veteran news journalist Brian Krebs even coined the term «cover-up» to describe exploits that use it. As mobile devices move toward mainstream adoption, many researchers have focused on this one aspect.
In 2011, Wall of Sheep, a side event at the Defcon security conference, deployed charging booths that, when used, created a pop-up on the device that warned of the dangers of connecting to untrusted devices.
Two years later, at the Blackhat USA event, Georgia Tech researchers demonstrated a tool that could disguise itself as a charging station and install malware on a device running the latest version of iOS.
I could go on, but you get the idea. The most pressing question is whether the discovery of the Sokokovs escalated into actual attacks. This is where things get a little dark.
While rolling is a popular area for security researchers, there are hardly any documented examples of attackers using this approach. Much of the media coverage is devoted to proof-of-concepts by researchers who work for institutions such as universities and information security firms. This is most likely because it is inherently difficult to arm a public charging station.
To hack into a public charging station, an attacker would need to obtain certain hardware (such as a miniature computer to deploy malware) and install it to avoid being caught. Try it at a busy international airport where passengers are under scrutiny and security confiscates tools like screwdrivers at check-in. Because of the risks and risks involved, juice crushing is fundamentally unsuitable for attacks directed at the general public.
There is also an argument that these attacks are relatively ineffective. They can only infect devices that are connected to the charging port. In addition, they often exploit security holes that are regularly patched by mobile operating system manufacturers such as Apple and Google.
Realistically, if a hacker spoofs a public charging station, it’s probably part of a targeted attack against a person of high value, not a commuter who needs to fill up a few battery percentages on his way to work.
The purpose of this article is not to downplay the security risks associated with mobile devices. Smartphones are sometimes used to spread malware. There have also been cases of phones getting infected when connected to a computer that has malware installed.
In a Reuters article published in 2016, Mikko Hipponen, who is the de facto public face of F-Secure, described a particularly pernicious strain of Android malware that has affected a European aircraft manufacturer.
“Gipponen said he recently spoke to a European aircraft manufacturer who said that every week he cleans the cockpits of his planes from malware designed for Android phones. The malware only spread to the planes because the factory employees charged their phones through the USB port in the cockpit,” the article says.
“Because the plane has a different operating system installed, nothing will happen. But it will transmit the virus to other devices connected to the charger.”
You buy home insurance not because you expect your house to burn down, but because you need to plan for the worst case scenario. Likewise, you must take reasonable precautions when using computer charging stations. If possible, use a standard wall outlet rather than a USB port. Otherwise, consider charging your portable battery rather than your device. You can also connect a portable battery and charge your phone while charging. In other words, avoid plugging your phone directly into public USB ports whenever possible.
Even though there is a small documented risk, it is always better to be safe than sorry. As a general rule, don’t plug your devices into USB ports that you don’t trust.
RELATED:How to protect yourself from public USB charging ports