How are most portable electronic devices charged? Through a
USB cable. What else can USB be used for? Data storage (flash drives and
external hard drives), peripheral devices (mice and keyboards), and more. What
makes USB devices so convenient? They are generally plug-and-play, with
software drivers built into the device and automatically loaded when you
connect to a PC. Do you see a potential problem?
Two years ago, three researchers built a demonstration “charging kiosk” at DefCon, a massive hacker / computer
security conference in Las Vegas. The charging kiosk did in fact provide
electricity, but it also took advantage of the properties of USB to demonstrate
access to data on the device (generally a smartphone, which could be a gold
mine for an attacker). In the demonstration, the kiosk merely showed that it
could access data, and then displayed a warning message to the user. A truly
malicious charging station would not be nearly so kind.
This week, three researchers published a brief for a presentation they will deliver at Black Hat this summer. Their
presentation will demonstrate installing malicious software onto a
current-generation Apple device (off-the-shelf, not jailbroken, and without
user interaction).
In the past couple of years, public USB charging stations have become increasingly common – at airports, in taxis, at bus stops. Certainly not every charging station is malicious - it is likely very few if any are - but this research shows how such conveniences can be abused for ill gain. As in all aspects of life, it pays to understand risk so we can take appropriate action (or consciously accept the risk).
There is a ridiculously simple way to minimize this particular risk. A standard
USB cable (sometimes referred to as “Sync and Charge”) will both provide
electricity and transfer data. Inside
the cable insulation are several tiny wires (the number varies according to the
USB version).
A visually identical charge-only cable is missing the wires and/or pins that
transfer data, so it is physically only capable of providing electricity. $5 or
$10 for a charge-only cable is cheap insurance against this type of attack.
Update December 4, 2015: Graham Cluley wrote about a related topic: many common devices in hospitals and other public facilities have USB ports, which might be tempting sources of power for a mobile device. These devices, though, serve important purposes, in many cases keeping patients alive. Plugging a phone or tablet in for a quick charge could unintentionally damage the equipment, leaving it inoperable the next time it is needed for a medical emergency.
A charge-only USB cord is great for charging from an untrusted charging kiosk, but an A/C wall adapter is the better bet if you need to charge and no dedicated charging port is available.