Friday, December 4, 2015

Practice Safe Charging, redux



Many portable devices can be charged via a USB cable - incredibly convenient due to the ubiquity of USB slots in computers, cars, airport charging kiosks, and electronic equipment. The USB cables used to charge mobile devices are also capable of transferring data and programs, both legitimately and maliciously.

Miscreants can compromise a USB port in a public place, in an attack known as "juice jacking." The attacker either replaces the USB port, or installs malicious software on the device that contains the port; when you plug your phone or tablet in to charge, you get an unwelcome bonus of having your device taken over by the attacker.

Juice jacking is easy to prevent, though. I carry a special power-only cable (readily available for $5 or $10 from Amazon, or most stores with a well-stocked electronics department). This cable is missing the physical wires used for transferring data, so it can only be used to deliver power. An easy alternative is a universal charge-only adapter. This is a simple USB adapter that connects to the end of any USB cable, again missing the physical wires to carry data, thus turning any cable into a charge-only cable.

Bob Covello writes of a different concern, especially in hospitals and medical facilities. A growing number of medical devices have USB ports, used by technicians to maintain the equipment, and used by medical professionals to transfer data and update medical instructions. These ports are a tempting source of power to a patient or visitor.

Plugging your device into medical equipment for a quick charge, though, could have unintended consequences. This equipment is often keeping patients alive, or is used in medical emergencies. Plugging a phone or tablet in could damage the equipment, or infect it with malware - meaning it may not work as expected the next time a medical professional uses it.

The best tip? Keep a charging adapter handy and plug into the AC outlet in the wall.

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at) securityforrealpeople.com, or hit me up on Twitter at @dnlongen

Whois David?


I have spent the better part of two decades in information technology and security, with roots in application developer support, system administration, and network security. My specialty is cyber threat intelligence - software vulnerabilities and patching, malware, social networking risks, etc. In particular, I strive to write about complex cyber topics in a way that can be understood by those outside the infosec industry.

Why do I do this? A common comment I get from friends and family is that complex security topics give them headaches. They want to know in simple terms how to stay safe in a connected world. Folks like me and my peers have chosen to make a profession out of hacking and defending. I've been doing this for the better part of two decades, and so have a high degree of knowledge in the field. Others have chosen different paths - paths where I would be lost. This is my effort to share my knowledge with those that are experts in something else.

When not in front of a digital screen, I spend my time raising five rambunctious teens and pre-teens - including two sets of twins. Our family enjoys archery, raising show and meat rabbits, and simply enjoying life in the Texas hill country.

For a decade I served as either Commander or a division leader for the Awana Club in Dripping Springs, Texas; while I have retired from that role I continue to have a passion for children's ministry. At the moment I teach 1st through 3rd grade Sunday School. Follow FBC Dripping Springs Kids to see what is going on in our children's ministries.