Security researcher warns on smartphone juice-jacking risk

According to Brian Krebs of the Krebs on Security newswire, many of the power stations offer USB-linked charging for free, but whilst the free charge is welcome, there is a risk that the station could be configured to read the data from the handset or, perhaps worse, upload malware to the smartphone.

The good news, he says, is that for most people the risk is not that great, but when he asked security professionals about the potential risk, many reported that they use these kiosks all the time when travelling, but “said they'd think twice next time, after I mentioned the possible security ramifications of doing so.”

“Granted, a charging kiosk at an airport may be less suspect than, say, a slightly sketchy-looking tower of power stationed at DefCon, a massive hacker conference held each year in Las Vegas. At a conference where attendees are warned to stay off the wireless networks and avoid using the local ATMs, one might expect that security experts and enthusiasts would avoid using random power stations”, Krebs says in his latest security posting.

But some people, he goes on to say, will brave almost any risk to power up their mobiles.

“In the three and a half days of this year's DefCon, at least 360 attendees plugged their smartphones into the charging kiosk built by the same guys who run the infamous Wall of Sheep, a public shaming exercise at DefCon aimed at educating people about the dangers of sending email and other online communications over open wireless networks”, he noted.

Krebs quotes Brian Markus, president of Aires Security, as saying that he and fellow researchers Joseph Mlodzianowski and Robert Rowley built the charging kiosk to educate attendees about the potential perils of 'juicing up' at random power stations.

Markus told Krebs that most smartphones are configured to just connect and dump off data, meaning that anyone could install a system inside one of the power station kiosks that, “when someone connects their phone can suck down all of the photos and data, or write malware to the device.”

To make their DefCon charging station more attractive to DefCon visitors, Markus and his colleagues equipped it with a variety of charging cables to fit the most popular wireless devices. When users plugged their smartphones into the kiosk, the screen on the unit switched on a red warning sign, saying:

“You should not trust public kiosks with your smart phone. Information can be retrieved or downloaded without your consent. Luckily for you, this station has taken the ethical route and your data is safe. Enjoy the free charge!”

“One guy that clearly seemed stressed and in a hurry to get his phone topped off said, 'I don't care, take my data, I need my phone charged to make a phone call.' Others said they planned to wipe their phones after leaving the hacker conference anyway”, notes Krebs.

One attendee, meanwhile, said his handset had the USB transfer feature switched off and he would be fine.

“When he plugged in, it instantly went into USB transfer mode, Markus recalls. He then sheepishly said, I guess that setting doesn't work”, Krebs reports.

There is one ray of hope with using public power stations, however, as Markus told Krebs that some smartphones, when they are powered off and charged, do not expose the data.

Infosecurity notes that the Apple iPhone does not, sadly, appear to fall into this category.