Los Angeles warns of public USB charging stations

A brief note for users of mobile devices: the City of Los Angeles is warning Americans against using public USB charging stations, because they could transfer malware to the device.



Public USB charging stations as a risk

In order to enable mobile digital nomads to use their smartphones or tablet PCs, more and more companies are offering public USB charging stations (e.g. in trains, buses, savings banks, airports, etc.).

If you run out of power, you plug the charging cable you brought with you into the USB wall port, and after a few minutes the battery is partially charged again; or you keep the device running from the port while traveling by bus, train, plane, etc. This is practical, but dangerous. And the danger is not just that high voltages at the USB charging port could damage the device.

This is old news for security experts, but it cannot be repeated often enough: cyber criminals could manipulate USB charging stations so that a device connected for charging is infected with malware. As early as 2013, a Black Hat presentation under the name Mactans showed how devices can be infected using a manipulated USB charging station.

In my German blog I first reported on this in another context in 2014 (see Black Hat 2014: USB-Geräte als Sicherheitsrisiko). Security researchers had managed to manipulate the firmware of USB controllers in such a way that they pretend to be a mouse, a keyboard or some other device and thus gain access to the operating system. This could be used, for example, to inject malware onto a computer via a USB stick: the stick acts as a virtual keyboard, and the malware is installed in the operating system via simulated keystrokes. It is also possible to retrieve data (as a kind of Trojan) with this approach.
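The impersonation described above is visible to the host in the interface descriptors a device presents when it is plugged in. The following Python check is an added example, not code from the original post: it flags devices whose interface classes do not match the role they were plugged in for. The role names, the policy table and the sample descriptors are constructed assumptions; the class codes are the standard USB ones.

```python
# Added example; role names, policy and sample descriptors are constructed.
HID, MASS_STORAGE = 0x03, 0x08                     # standard USB base class codes
HID_PROTOCOL = {0x01: "keyboard", 0x02: "mouse"}   # HID boot-interface protocols

# Hypothetical policy: interface classes a device of each role may expose.
ALLOWED = {
    "storage": {MASS_STORAGE},   # a plain USB stick
    "charge-only": set(),        # plugged in for power, no data expected
}

def parse_interfaces(dump):
    """Parse 'class/subclass/protocol' hex triples, one per interface,
    i.e. the bInterfaceClass/bInterfaceSubClass/bInterfaceProtocol values
    a host reads from each interface descriptor."""
    out = []
    for line in dump.split():
        cls, sub, proto = (int(field, 16) for field in line.split("/"))
        out.append((cls, sub, proto))
    return out

def audit(role, dump):
    """Return (severity, message) findings for interfaces outside the role."""
    findings = []
    for cls, _sub, proto in parse_interfaces(dump):
        if cls in ALLOWED[role]:
            continue
        if cls == HID:
            kind = HID_PROTOCOL.get(proto, "generic HID device")
            sev = "high" if proto == 0x01 else "medium"
            findings.append((sev, f"{role} device also enumerates as a {kind}"))
        else:
            findings.append(("medium", f"{role} device exposes unexpected class 0x{cls:02x}"))
    return findings

# Constructed samples: a normal stick, a stick whose controller also
# presents a boot keyboard, and a phone offering a vendor-specific
# data interface while it is only supposed to charge.
PLAIN_STICK = "08/06/50"
STICK_WITH_KEYBOARD = "08/06/50\n03/01/01"
PHONE_ON_CHARGE = "ff/42/01"

if __name__ == "__main__":
    for label, role, dump in [("plain stick", "storage", PLAIN_STICK),
                              ("stick + keyboard", "storage", STICK_WITH_KEYBOARD),
                              ("phone", "charge-only", PHONE_ON_CHARGE)]:
        print(label, audit(role, dump))
```

On a Linux host the same three values can be read per interface from the `bInterfaceClass`, `bInterfaceSubClass` and `bInterfaceProtocol` files under `/sys/bus/usb/devices/`.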

In 2016 security researcher Samy Kamkar introduced KeySweeper, an Arduino-based device that is disguised as a working USB charging station. It can wirelessly and passively sniff, decrypt, log and (via GSM) transmit all keystrokes from any nearby Microsoft wireless keyboard. As a result, the FBI even issued a US-wide warning to organizations not to use USB charging stations for devices.



More modern Android devices automatically switch the USB port to a charge state. Then the danger should also be reduced, but I wouldn't rely on it.

Los Angeles warns of USB charging stations

Now there's a US warning that I recently noticed on Twitter. The Los Angeles County District Attorney warns of USB charging stations as a security risk. Here is the corresponding tweet.

It is not recommended to use public USB charging stations at airports or shopping malls as they could be infected with malware. Apparently, cyber criminals are starting to manipulate such charging stations.

The video above shows that. The malware could lock the phone or the electronic device or send private information such as passwords, addresses or even a complete backup of the phone to crooks. Deputy prosecutor Luke Sisak says:

The malware downloads itself onto the phone and can either monitor the phone in real time, sometimes download information from the phone, sometimes clone the phone completely and you don't even have to use it.

Credit cards, bank account passwords, your home address – everything that users have ever put on the Internet could possibly be stored in the [browser] history on the phone.

This type of attack was given the name "juice jacking". US media such as ZDNet or abc7 then took up the topic in separate articles.

Simple protection is possible

The soundest advice is to take your own charger with you when you travel. It can be plugged into a normal power outlet with the appropriate voltage, and the device is then charged from it via a USB cable without the hazards outlined above. However, wall sockets will not always be available on the road. A charged power bank would be another option for keeping a smartphone running or recharging it.

The alternative would be to use a protective adapter on the USB charging cable. Originally introduced under the name USB Condom, such products now include SyncStop, the PortaPow Daten Block USB Adapter, the Xlayer Adapter USB Data Sync Blocker and the THEMIS Security USB Daten Blocker Smart Charger. There are also special charging cables that do not allow data transfer and can thus prevent an infection. These adapters also protect notebooks when an infected mobile device is connected for charging.

