USB charging creates mobile security risk, says Kaspersky
Kaspersky Lab researchers show USB connection can be used to exploit mobile devices
Smartphones are at risk of being hacked when charging from a PC using a standard USB connection, according to Kaspersky Lab.
The security company said that its researchers have proven that connecting an Android or iOS device to a PC or Mac for charging results in a large amount of data being exchanged between devices, and a connection being established that can be exploited by hackers to access the device.
Compromised USB connections were known to have been used in several incidents to steal data, including the Red October attacks of 2013, and also to plant malware on a device. Kaspersky researchers have now studied the extent of the risk through USB connections in a proof-of-concept experiment.
The test results indicate that the mobiles reveal a large amount of data to the computer during the ‘handshake’ (a process of introduction between the device and the PC/Mac it is connected to), including the device name, device manufacturer, device type, serial number, firmware information, operating system information, file system/file list, and electronic chip ID. The amount of data sent during the handshake varies depending on the device and the host, but each smartphone transfers the same basic set of information, such as device name, manufacturer and serial number.
This unique identifier data could be useful to an attacker, Kaspersky said, but the company has also proven that hackers can take control of a mobile device using a regular PC and a standard micro USB cable. Researchers made use of ‘AT-commands’ (ATtention commands used to get data from modems or mobile devices) to re-flash a smartphone and install a root application on it. This amounts to a total compromise of the smartphone, even though no malware was used.
"It is strange to see that nearly two years after the publication of a proof-of-concept demonstrating how a smartphone can be infected through the USB, the concept still works. The security risks here are obvious: if you're a regular user you can be tracked through your device IDs; your phone could be silently packed with anything from adware to ransomware; and, if you're a decision-maker in a big company, you could easily become the target of professional hackers," said Alexey Komarov, researcher at Kaspersky Lab. "And you don't even have to be highly-skilled in order to perform such attacks, all the information you need can easily be found on the Internet."
Kaspersky Lab advises that the risk can be minimised by only using trusted USB charging points and computers; using password or fingerprint control to lock the device and keep it locked while charging; using encryption technologies and secure containers to protect the data; and ensuring that both mobile and PC have up-to-date security software.