If you regularly rely on public charging stations and borrowed cables to charge your smartphone, you could be setting yourself up to be hacked.
At the 2017 RSA Conference in San Francisco, security company Authentic8 performed a social experiment in which they offered a free charging station with cords and adapters to attendees. What they observed was that roughly 80% of people used the charging station without asking about security.
On Wednesday, CNN reported on the experiment, claiming that phone data could be stolen while a phone was plugged into a “hacked outlet,” and urging smartphone users to avoid plugging into “public outlets.” However, that language is a little confusing, so we reached out to some security experts to help break down the actual threat.
The first thing to pin down is what “outlet” means, since people use the word loosely for many different pieces of charging hardware. For this story, an outlet is a three-pronged power outlet, like the kind on the wall in your home.
Drew Paik, the head of marketing for Authentic8, explained that the threat comes from USB cables, USB power adapters, and USB ports, not from wall power outlets.
“I’m not aware of anything that’s going to be able to infect you via an AC outlet, but random cables or random adapters can definitely be used to take over or exploit your phone, your mobile devices, or your laptops, or anything else you might plug into it,” Paik said. “It’s really just a two-way conduit at some point—power and data.”
Engin Kirda, a professor of computer science at Northeastern University, said that a wall outlet or a three-prong surge protector connected to an outlet could be compromised, in theory, but “such an attack would typically be complex and very targeted.” Kirda also said that an attack of that nature would be very difficult to pull off.
USB, on the other hand, is far better suited to stealing data, because it is designed to transfer data as well as deliver charge. According to a Kaspersky Lab spokesperson, when a mobile device connects to a USB port it attempts what is known as a “handshake,” during which some data is transmitted.
“Even when a mobile phone is in ‘charging only’ (locked) mode, it can still transmit the device name, vendor name and serial number to the system behind the USB port, and more based on the platform and operating system of the phone,” the Kaspersky Lab spokesperson said.
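The identifiers mentioned in that quote are the ones a host reads from the device's USB descriptors during enumeration, and a host that logs them keeps a record of every phone plugged into it. The following script is an added example, not code from the article, from Authentic8 or from Kaspersky Lab: it reconstructs what a Linux host learned from its kernel log (the `New USB device found, idVendor=...` message format is the kernel's own), so a defender can audit what a machine under their control recorded about attached devices. The log lines, vendor/product IDs and serial number are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of Linux kernel (dmesg) messages from two enumerations.
# Port 1-2: a phone that presents manufacturer, product and serial strings.
# Port 1-3: a device whose string descriptor indexes are 0, i.e. it presents
# no strings, so the host learns only the numeric IDs. All values are made up.
SAMPLE_DMESG = """\
[ 1021.412] usb 1-2: new high-speed USB device number 7 using xhci_hcd
[ 1021.561] usb 1-2: New USB device found, idVendor=1234, idProduct=abcd, bcdDevice= 2.23
[ 1021.561] usb 1-2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 1021.561] usb 1-2: Product: Example Phone
[ 1021.561] usb 1-2: Manufacturer: ExampleCorp
[ 1021.561] usb 1-2: SerialNumber: CONSTRUCTED0001
[ 1030.002] usb 1-3: new full-speed USB device number 8 using xhci_hcd
[ 1030.150] usb 1-3: New USB device found, idVendor=5678, idProduct=0001, bcdDevice= 1.00
[ 1030.150] usb 1-3: New USB device strings: Mfr=0, Product=0, SerialNumber=0
"""

IDENTIFYING_FIELDS = ("id_vendor", "id_product", "manufacturer", "product", "serial")


@dataclass
class UsbDevice:
    """What the host recorded about one device during its USB handshake."""
    port: str
    id_vendor: Optional[str] = None
    id_product: Optional[str] = None
    manufacturer: Optional[str] = None
    product: Optional[str] = None
    serial: Optional[str] = None

    def exposed_fields(self) -> List[str]:
        """Names of the identifying fields this device revealed to the host."""
        return [name for name in IDENTIFYING_FIELDS if getattr(self, name) is not None]


# "[ 1021.561] usb 1-2: <message>"  ->  port "1-2", message text
LINE_RE = re.compile(r"^\[\s*[\d.]+\]\s+usb\s+(?P<port>[\d.-]+):\s+(?P<msg>.*)$")
IDS_RE = re.compile(r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")


def parse_usb_enumeration(text: str) -> Dict[str, UsbDevice]:
    """Group kernel USB messages by port and collect the descriptor fields."""
    devices: Dict[str, UsbDevice] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        port, msg = m.group("port"), m.group("msg")
        # "new ... USB device number N" marks the start of a fresh enumeration.
        if msg.startswith("new ") and "device number" in msg:
            devices[port] = UsbDevice(port=port)
            continue
        dev = devices.get(port)
        if dev is None:
            continue
        ids = IDS_RE.search(msg)
        if ids:
            dev.id_vendor, dev.id_product = ids.group("vid"), ids.group("pid")
        elif msg.startswith("Product: "):
            dev.product = msg[len("Product: "):]
        elif msg.startswith("Manufacturer: "):
            dev.manufacturer = msg[len("Manufacturer: "):]
        elif msg.startswith("SerialNumber: "):
            dev.serial = msg[len("SerialNumber: "):]
    return devices


def exposure_report(devices: Dict[str, UsbDevice]) -> Dict[str, List[str]]:
    """Per port, which identifying fields the host ended up holding."""
    return {port: dev.exposed_fields() for port, dev in devices.items()}


if __name__ == "__main__":
    for port, fields in exposure_report(parse_usb_enumeration(SAMPLE_DMESG)).items():
        print(f"port {port}: host recorded {', '.join(fields)}")
```

Running it on the constructed log shows the phone on port 1-2 handing over its vendor and product IDs, manufacturer, product name and serial number before any unlock or data-transfer prompt, while the device on port 1-3 reveals only the numeric IDs. The same parser can be pointed at the real output of `dmesg` on a laptop you own to see exactly what that host retained about devices you plugged into it.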
So, how do you protect yourself? Kirda said that some phones will warn users when a USB data connection has been established. But you shouldn’t depend on your OS to keep you safe, Paik said. Instead, it is best to assume everything is already compromised, he added.
To best protect yourself, use your own USB cable and your own USB power adapter, and plug them directly into the wall power outlet. If you cannot find a wall outlet, use a trusted portable battery pack instead.
If you don’t have a power adapter, avoid random USB ports, as they may put you at risk.
“A USB port can be a system that gathers data about the devices that are connected to it, a flawed power source, a powerful capacitor, or a computer that installs a backdoor on your device,” the Kaspersky Lab spokesperson said. “You simply cannot know before you plug in your device—so don’t.”
Additional tips Kaspersky Lab recommended were not to unlock and use the phone while charging, to utilize proper encryption when possible, and to potentially look into using secure containers.
What the Authentic8 experiment demonstrates is that most smartphone users don’t take their security seriously enough. In fact, Paik said that one woman left her phone at the booth unattended for more than five minutes because “it [didn’t] have anything important on it.”
“Casual attitudes towards our devices, whether USB adapters or WiFi, can jeopardize our data,” Paik said. “And everyone has data that is valuable.”
Source: SANS ISC SecNewsFeed @ February 16, 2017 at 01:24PM