USB phone charging a security risk?

Many modern cellular phones use a USB plug for charging, and many places nowadays offer a charging possibility. But plugging your phone into an untrusted USB cable is, indeed, a security risk, according to the article “Juicejacking – an emergency phone charge can be a security risk”. Fortunately, the article says it’s easy to avoid the risk in both directions: always carry the charging adapter that came with your device and use it instead of a charging station. It’s a lot safer than trusting an unknown cable hanging out of an unknown cabinet in a public place.


4 Comments

  1. Tomi Engdahl says:

    Please stop charging your phone in public ports
    http://money.cnn.com/2017/02/15/technology/public-ports-charging-bad-stop/

    I know the feeling: Your battery is low, but you have to keep tweeting. You see a USB port or an outlet in public, plug in your device and feel the sweet relief of your phone charging.

    That comfort could be shattered by an invisible attacker collecting information while your phone is plugged in to a hacked outlet.

    “Just by plugging your phone into a [compromised] power strip or charger, your device is now infected, and that compromises all your data,” Drew Paik of security firm Authentic8 explained. Authentic8 makes Silo, a secure browser that anonymizes web activity.

    Public charging stations and wi-fi access points are found in places like airports, planes, conference centers and parks, so people can always have access to their phones and data. But connecting your phone to an unknown port has its risks.

    The cord you use to charge your phone is also used to send data from your phone to other devices.

    If a port is compromised, there’s no limit to what information a hacker could take, Paik explained.

    And yet despite the risks, people do it all the time. Even at prominent security conferences.

    The company ran an informal social experiment to see how many people would use the public charging stations. Paik said an overwhelming number of attendees — about 80% — connected their phones without asking about the security.

    “The majority are plugging in no problem. They are at a security conference and they should know better, but they probably feel safe,” he said. “The others are making fun of them. They just walk by and say, ‘Do people really do that?’”

    Reply
  2. Tomi Engdahl says:

    BadPower attack corrupts fast chargers to melt or set your device on fire
    https://www.zdnet.com/article/badpower-attack-corrupts-fast-chargers-to-melt-or-set-your-device-on-fire/

    Attackers can alter the firmware of fast charger devices to deliver extra voltage and damage connected equipment.

    Chinese security researchers said they can alter the firmware of fast chargers to cause damage to connected (charging) systems, such as melt components, or even set devices on fire.

    The technique, named BadPower, was detailed last week in a report published by Xuanwu Lab, a research unit of Chinese tech giant Tencent.

    According to researchers, BadPower works by corrupting the firmware of fast chargers.

    A fast charger looks like any typical charger but works using special firmware. This firmware “talks” to a connected device and negotiates a charging speed, based on the device’s capabilities.

    If a fast-charging feature is not supported, the fast charger delivers the standard 5V, but if the device can handle bigger inputs, the fast charger can deliver up to 12V, 20V, or even more, for faster charging speeds.

    The BadPower technique works by altering the default charging parameters to deliver more voltage than the receiving device can handle, which degrades and damages the receiver’s components, as they heat up, bend, melt, or even burn.

    When the user connects their infected smartphone or laptop to the fast charger, the malicious code modifies the charger’s firmware, and going forward the fast charger will execute a power overload for any subsequently connected devices.

    RESEARCHERS TESTED 35 FAST CHARGERS, FOUND 18 VULNERABLE
    The Tencent team said they verified their BadPower attack in practice. Researchers said they selected 35 fast chargers from 234 models available on the market and found that 18 models from 8 vendors were vulnerable.

    The good news is that “most BadPower problems can be fixed by updating the device firmware.”

    Researchers said that 18 chip vendors did not ship chips with a firmware update option, meaning there was no way to update the firmware on some fast charger chips.

    Suggestions to fix the BadPower problem include hardening firmware to prevent unauthorized modifications, but also deploying overload protection to charged devices.

    A demo video of a BadPower attack is available at the bottom of the Tencent report.

    https://xlab.tencent.com/cn/2020/07/16/badpower/

    Reply
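
The overload protection on the charged device suggested in the comment above, as an added example that is not taken from the Tencent report or the quoted article. It assumes the charger advertises USB Power Delivery fixed-supply objects (the page names no protocol); `sink_limits`, `select_offer` and `vbus_must_disconnect` are hypothetical names.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* USB PD fixed-supply PDO: bits 31..30 = 00, bits 19..10 = voltage in 50 mV
 * units, bits 9..0 = maximum current in 10 mA units. */
#define FIXED_PDO(mv, ma) ((((uint32_t)(mv) / 50u) << 10) | ((uint32_t)(ma) / 10u))
#define PDO_IS_FIXED(p)   ((((p) >> 30) & 0x3u) == 0u)
#define PDO_MV(p)         ((((p) >> 10) & 0x3FFu) * 50u)

/* Hypothetical limits, stored in the sink and never taken from the charger. */
typedef struct {
    uint32_t max_request_mv; /* highest voltage the sink will ever request */
    uint32_t abs_max_mv;     /* hard trip point of the input stage */
    uint32_t tolerance_pct;  /* allowed overshoot above the agreed voltage */
} sink_limits;

/* Pick the highest fixed offer within max_request_mv; -1 if none qualifies. */
int select_offer(const uint32_t *pdos, size_t n, const sink_limits *lim, uint32_t *mv)
{
    int best = -1;
    *mv = 0;
    for (size_t i = 0; i < n; i++) {
        if (!PDO_IS_FIXED(pdos[i])) continue; /* other supply types are skipped */
        uint32_t v = PDO_MV(pdos[i]);
        if (v <= lim->max_request_mv && v > *mv) { best = (int)i; *mv = v; }
    }
    return best;
}

/* Returns 1 when measured VBUS exceeds what was agreed: open the input switch. */
int vbus_must_disconnect(uint32_t measured_mv, uint32_t contract_mv, const sink_limits *lim)
{
    uint32_t ceiling = contract_mv + contract_mv * lim->tolerance_pct / 100u;
    if (ceiling > lim->abs_max_mv) ceiling = lim->abs_max_mv;
    return measured_mv > ceiling;
}

int main(void)
{
    /* Constructed offers: 5 V, 9 V and 20 V, each at 3 A. */
    const uint32_t offers[] = { FIXED_PDO(5000, 3000), FIXED_PDO(9000, 3000), FIXED_PDO(20000, 3000) };
    const sink_limits lim = { 9000, 10000, 5 };
    uint32_t mv;
    int idx = select_offer(offers, 3, &lim, &mv);
    printf("offer %d, %u mV, trip at 20 V: %d\n", idx, (unsigned)mv, vbus_must_disconnect(20000, mv, &lim));
    return 0;
}
```

The check runs against the voltage measured on the device's own input, so it still trips when a charger with altered firmware delivers more than it advertised.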
  3. Tomi Engdahl says:

    Why is Juice Jacking Suddenly Back in the News?
    https://krebsonsecurity.com/2023/04/why-is-juice-jacking-suddenly-back-in-the-news/
    The term juice jacking crept into the collective paranoia of gadget geeks in the summer of 2011, thanks to the headline for a story here about researchers at the DEFCON hacker convention in Vegas who’d set up a mobile charging station designed to educate the unwary to the reality that many mobile devices connected to a computer would sync their data by default. Since then, Apple, Google and other mobile device makers have changed the way their hardware and software works so that their devices no longer automatically sync data when one plugs them into a computer with a USB charging cable. Instead, users are presented with a prompt asking if they wish to trust a connected computer before any data transfer can take place.

    Reply
