Wednesday, June 5, 2013

Practice Safe Charging

This is not exactly a new topic, but it is one that has gained a new round of publicity this week following some recent research.

How are most portable electronic devices charged? Through a USB cable. What else can USB be used for? Data storage (flash drives and external hard drives), peripheral devices (mice and keyboards), and more. What makes USB devices so convenient? They are generally plug-and-play, with software drivers built into the device and automatically loaded when you connect to a PC. Do you see a potential problem?

Two years ago, three researchers built a demonstration “charging kiosk” at DefCon, a massive hacker and computer security conference in Las Vegas. The charging kiosk did in fact provide electricity, but it also took advantage of the properties of USB to demonstrate access to data on the device (generally a smartphone, which could be a gold mine for an attacker). In the demonstration, the kiosk merely showed that it could access data, and then displayed a warning message to the user. A truly malicious charging station would not be nearly so kind.

This week, three researchers published a brief for a presentation they will deliver at Blackhat this summer. Their presentation will demonstrate installing malicious software onto a current-generation Apple device (off-the-shelf, not jailbroken, and without user interaction).

In the past couple of years, public USB charging stations have become increasingly common – at airports, in taxis, at bus stops. Certainly not every charging station is malicious - it is likely very few if any are - but this research shows how such conveniences can be abused for ill gain. As in all aspects of life, it pays to understand risk so we can take appropriate action (or consciously accept the risk).

There is a ridiculously simple way to minimize this particular risk. A standard USB cable (sometimes referred to as “Sync and Charge”) will both provide electricity and transfer data. Inside the cable insulation are several tiny wires (the number varies according to the USB version). A visually identical charge-only cable is missing the wires and/or pins that transfer data, so it is physically only capable of providing electricity. $5 or $10 for a charge-only cable is cheap insurance against this type of attack.

I look forward to the presentation to see other suggestions the team has.

Update December 4, 2015: Graham Cluley wrote about a related topic: many common devices in hospitals and other public facilities have USB ports, which might be tempting sources of power for a mobile device. These devices, though, serve important purposes, in many cases keeping patients alive. Plugging a phone or tablet in for a quick charge could unintentionally damage the equipment, leaving it inoperable the next time it is needed for a medical emergency.

A charge-only USB cord is great for charging from an untrusted charging kiosk, but an AC wall adapter is the better bet if you need to charge and no dedicated charging port is available.

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at) securityforrealpeople.com, or hit me up on Twitter at @dnlongen