We don't think twice before plugging our phone into a computer or a public charging station when it needs a recharge. That simple, thoughtless act may have to change, as contact with untrusted charging stations can apparently lead to phone hacks, data leaks, theft, and ransomware and malware infections.
Charging smartphone with USB? Hackers can hack it in minutes
Using a regular PC, a standard micro USB cable, and a few special commands, Kaspersky experts were "able to re-flash a smartphone and silently install a root application on it." The security researchers managed to compromise the smartphone without using any kind of malware. What's more, hackers could load your smartphone with malware and ransomware while it is charging, without the owner knowing about it.
As soon as you plug your phone into an untrusted computer using a USB cable, data starts transferring between your smartphone and the charger it is plugged into, researchers at Kaspersky Lab have claimed. The amount of data shared between the two devices varies, depending on the device model and the connected charger (laptop, charging station, etc.). However, while your phone is plugged in, the device name, device manufacturer, device type, serial number, firmware information, operating system information, file system/file list, and electronic chip ID could all be shared with the connected computer.
[...] experts tested a number of smartphones running various versions of Android and iOS operating systems in order to understand what data the device transfers externally while connected to a PC or Mac for charging. The test results indicate that the mobiles reveal a whole litany of data to the computer during the ‘handshake’ (a process of introduction between the device and the PC/Mac it is connected to).
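As an added illustration (not code from Kaspersky or from the original article), the sketch below assumes the "handshake" includes standard USB enumeration, and decodes a device descriptor plus its string descriptors to show where the vendor, product and serial values seen by a host come from. The sample bytes, `ExampleCorp`, the IDs and the serial are all constructed.

```python
import struct

# Standard 18-byte USB device descriptor, little-endian, no padding.
DEV_DESC = struct.Struct("<BBHBBBBHHHBBBB")

def parse_device_descriptor(raw: bytes) -> dict:
    """Decode the fixed fields a host reads first during enumeration."""
    if len(raw) < DEV_DESC.size:
        raise ValueError("truncated device descriptor")
    (length, dtype, _usb, _cls, _sub, _proto, _pkt,
     vid, pid, release, i_mfr, i_prod, i_serial, _ncfg) = DEV_DESC.unpack_from(raw)
    if length != DEV_DESC.size or dtype != 0x01:
        raise ValueError("not a device descriptor")
    return {"vendor_id": f"{vid:04x}", "product_id": f"{pid:04x}",
            "device_release": f"{release >> 8:x}.{release & 0xFF:02x}",
            "manufacturer": i_mfr, "product": i_prod, "serial": i_serial}

def parse_string_descriptor(raw: bytes) -> str:
    """String descriptors are: bLength, type 0x03, then UTF-16LE text."""
    if len(raw) < 2 or raw[1] != 0x03 or not 2 <= raw[0] <= len(raw):
        raise ValueError("malformed string descriptor")
    return raw[2:raw[0]].decode("utf-16-le")

def disclosed_identity(device_desc: bytes, strings: dict) -> dict:
    """Resolve string indexes; index 0 means the device offers no such string."""
    info = parse_device_descriptor(device_desc)
    for field in ("manufacturer", "product", "serial"):
        idx = info[field]
        info[field] = parse_string_descriptor(strings[idx]) if idx and idx in strings else None
    return info

def make_string(text: str) -> bytes:
    """Build a string descriptor for the constructed sample below."""
    body = text.encode("utf-16-le")
    return bytes([len(body) + 2, 0x03]) + body

# Constructed sample, not captured from any real phone.
SAMPLE_DEVICE = DEV_DESC.pack(18, 0x01, 0x0200, 0, 0, 0, 64,
                              0x1234, 0xABCD, 0x0404, 1, 2, 3, 1)
SAMPLE_STRINGS = {1: make_string("ExampleCorp"), 2: make_string("Example Phone"),
                  3: make_string("SN-CONSTRUCTED-0001")}

if __name__ == "__main__":
    for key, value in disclosed_identity(SAMPLE_DEVICE, SAMPLE_STRINGS).items():
        print(f"{key}: {value}")
```

A serial string that is stable across connections is what lets a host recognise the same device again, which is the identifier concern the researchers raise.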
The security statement gives the following tips to secure your phone and data when you do need to charge your smartphone in airports, cafes or other public spaces:
- Do it using the standard power outlets and not computers.
- Protect your mobile phone with a password, fingerprint recognition or any other form of protection.
- Use trusted antivirus solutions as they can help you detect malware even if a “charging” vulnerability is used.
- Do not unlock your phone while it's charging.
PCs aren't the only security concern: the security researchers explained how a smartphone could also be infected with malware if plugged into a fake charging station. Kaspersky said that such infections are possible and that the same technique was already used by the Hacking Team group in 2013 to load a mobile device with malware.
It is a security issue, the security researchers noted: "Now that smartphones almost always accompany their owner, the device serves as a unique identifier for any third party who might be interested in collecting such data for some subsequent use." Using the initial identification data received from the handshake, attackers could proceed to install the exploit most effective against the target device. "That would not have been as easy to achieve if smartphones did not automatically exchange data with a PC automatically upon connecting to the USB port," Thursday's statement said.