Simply Charging Mobile Devices Puts Data at Risk

Mike McEnaney

While data security remains a high priority for the enterprise, the focus of late has been on security risks in the cloud, the security vulnerabilities around IoT and the growing concern over mobile device app attacks. The notion of worrying about what's potentially happening to data when you're charging your smartphone hasn't really been high on the list of things keeping IT departments up at night.

Perhaps it should be.

According to a recent experiment by Kaspersky Lab, smartphones can indeed be compromised when charged using a standard USB connection to a computer or at a public charging station. The researchers on this project explain that they became curious about just how safe the data on mobile devices really is when users connect to freely available charging stations at airports, cafes, parks and public transport, or to a PC. They explored questions such as exactly what data, and how much of it, a mobile device exchanges with these stations while it’s charging.

Fatal Handshake?

As part of this research, the company’s experts tested a number of smartphones running various versions of the Android and iOS operating systems in order to fully understand what data a device transfers externally while connected to a PC or Mac for charging. The test results indicated that the devices reveal a whole litany of data to the computer during the charging ‘handshake’, including the device name, device manufacturer, device type, serial number, firmware information, operating system information, file system/file list and electronic chip ID. The researchers claim the amount of data sent during the handshake varies depending on the device and the host, but each smartphone transfers the same basic set of information, like device name, manufacturer, serial number, etc.

These findings beg the question: just how serious a security issue is this for the enterprise?

"This attack vector was shown to be viable a few years ago at Black Hat, so we have no reason to be surprised," said Jon Rudolph, principal software engineer at Core Security. "However the trust interaction for most phones is something the enterprise has to deal with, instead of something they dictate in abstract. Personally I’d love to see the mobile industry develop working clear fine-grained options to enterprises and individuals alike; I know how to use ‘airplane-mode’, when can I get an upgrade to ‘airport-mode’?"

The Black Hat reference Rudolph makes goes back to 2014, when a concept was presented at the Black Hat security conference that a mobile phone could be infected with malware simply by plugging it into a fake charging station. Now, some two years after the original announcement, the team at Kaspersky Lab have been able to successfully reproduce the result. Their experiment, using just a regular PC and a standard micro USB cable, showed they were able to re-flash a smartphone and silently install a root application on it. They explain that this essentially amounts to a total compromise of the smartphone, even though no malware was used.

Plugged In And Vulnerable

"This threat has been flying under the radar for years. In security, we often say that once you have 'hands on a keyboard' it becomes increasingly easier for a hacker to gain access to your laptop," added Bruce Snell, Intel security and privacy director. "However, people don't think twice about the damage that can be done once a phone is plugged into a device."

Perhaps more alarming than the recent discovery by Kaspersky Lab is the fact that this isn't exactly breaking news in the cybersecurity space.

“It is strange to see that nearly two years after the publication of a proof-of-concept demonstrating how a smartphone can be infected through the USB, the concept still works. The security risks here are obvious: if you’re a regular user you can be tracked through your device IDs; your phone could be silently packed with anything from adware to ransomware; and, if you’re a decision-maker in a big company, you could easily become the target of professional hackers,” explained Alexey Komarov, researcher at Kaspersky Lab, in a released statement. “And you don’t even have to be highly-skilled in order to perform such attacks, all the information you need can easily be found on the Internet.”

So then, what can an enterprise do to protect itself in a time of BYOD and a growing mobile workforce?

"Today, it’s almost entirely about safe choices the user is making, what they plug into, if they use one of the USB prophylactics available. The enterprises’ role is to educate, provide safe options, and raise awareness. Safety starts in the minds of their people," Rudolph added. "Safe policies can be agreed upon before a risky situation presents itself. The unpopular alternative is an enterprise using technology for the sole purpose of restricting users from making these decisions in the field, making it harder and slower (intentionally) for devices to ‘just work’ when it’s time to get down to business. At the end of the day, no smartphone is an island, it must trust something at upgrade time, but that’s long been a point of confusion with battery-charging sessions which are maliciously morphing into software updates."

Snell added, "The biggest step enterprises can take is to raise awareness of this issue with their employees. All organizations, regardless of size, should have regular security awareness training for their employees. Making people think before they plug their mobile device into a random USB port before charging will go a long way towards preventing compromises."

Covering Your Cyber Tracks

In order to protect yourself from the risk of possible attacks through unknown charging points and untrusted computers, Kaspersky Lab advises the following:

• Use only trusted USB charging points and computers to charge your device;

• Protect your mobile phone with a password, or with another method such as fingerprint recognition, and don't unlock it while charging;

• Use encryption technologies and secure containers (protected areas on mobile devices used to isolate sensitive information) to protect data;

• Protect both your mobile device and your PC/Mac from malware with the help of a proven security solution. This will help to detect malware even if a "charging" vulnerability is used.