Avoid infecting smartphones via USB charging

How secure are freely available smartphone charging stations at airports, in bars or on public transport? Will data stored on the device be disclosed to the outside world in the process? Our experts investigated these and similar questions as part of a feasibility study and came to the conclusion that smartphones can be compromised during the charging process via USB connection.

"The hackers don't even have to be highly skilled to carry out such an attack," says Alexey Komarov, a security researcher at Kaspersky Lab.

In the first step of the Kaspersky study, a number of smartphones running various Android and iOS operating systems were examined to determine what data a device discloses externally while charging from a PC or Mac. The test results show that, depending on the device and provider, the mobile devices reveal a range of data to the computer, such as device name, manufacturer, device type, serial number, firmware and operating system information, file system/file list and the electronic chip ID.

The security problem: as constant companions, smartphones thus become interesting to third parties who may want to collect such data and subsequently use it for their own purposes.

"The security risks are obvious: users can be tracked through their devices' IDs and the mobile phone can be secretly infected. Decision-makers at large companies could thus easily become the target of professional hackers," says Alexey Komarov, a security researcher at Kaspersky Lab. "The hackers don't even need to be highly skilled to carry out such an attack, because all the necessary information is easy to find on the Internet."

At the Black Hat conference in 2014, it was already shown that smartphones can be infected with malware by connecting them to a fake charging station. Experts from Kaspersky Lab have reproduced the scenario. All that was needed was an ordinary PC, a standard micro USB cable and some specific commands (AT command set). This made it possible to secretly install a so-called root app on a smartphone via a "re-flash". That is, the smartphone was compromised without the use of a malicious program.

Red October and Hacking Team as examples

Although no current infection incidents involving fake charging stations have become known so far, data thefts from mobile devices connected to computers have already occurred in the past. This technique was used, for example, in the "Red October" cyber espionage campaign as well as by "Hacking Team". Both threat actors found a way to exploit the supposedly secure data exchange between smartphone and PC for themselves.

To minimize the risk of a possible attack via unknown charging stations and untrusted computers, users should:
- Use only trusted USB charging stations and computers to charge the mobile device.
- Protect the mobile device with a password or fingerprint recognition and do not unlock it during charging.
- Use encryption technologies and secure containers (isolate data using protected areas on the mobile device).
- Protect mobile devices as well as PCs and Macs with the help of a security solution.

More details at https://blog.kaspersky.de

 
