“Just by plugging your phone into a [compromised] power strip or charger, your device is now infected, and that compromises all your data,” Drew Paik, an executive at Authentic8, told CNN.
Ne’er-do-wells with the right skill set can rewire USB charging stations to extract stored data when an unwitting user plugs in a smartphone — a process colloquially known as “juice jacking.” That’s easier said than done — both Android and iOS phones prompt users before a file transfer can begin — but a relatively new attack, “video jacking,” requires a lot less effort on the hacker’s part.
As demonstrated last year by researchers at Krebson Security, the “video jacking” method employs custom electronics hidden inside what appears to be a USB charging station. As soon as a vulnerable phone is connected to the appropriate cord, it’s pretty much game over: The machine records a video of everything tapped, typed, and viewed as long as the handset is plugged in, including PINs, passwords, emails, texts, pictures, and videos. Even worse, it’s completely silent — there’s generally no warning on the phone to alert the user that the device’s video is being piped to another source.
Not every smartphone’s equally vulnerable, to be fair. Certain models of iPhone, Android, and HDMI-ready smartphones from Asus, BlackBerry, HTC, LG, Samsung, and ZTE are at higher risk than others. But it’s an attack to which hundreds of people fall victim every day.
As an experiment, Authentic8 set up a hacked charging station at its RSA security conference booth in San Francisco earlier this week. Over the course of the following few days, it found that an overwhelming majority of attendees — about 80 percent — connected their phones without asking about the security.
“The majority are plugging in no problem. They are at a security conference and they should know better, but they probably feel safe,” Paik told CNET. “The others are making fun of them. They just walk by and say, ‘Do people really do that?'”
The safest alternative to a public power outlet is a portable USB battery pack, or a USB cord that doesn’t transmit data. But generally speaking, you’re safest relying on your own charger.
“If [you’re] concerned about security, don’t use public ports,” Paik told CNET. “If [you’re] desperate and need to upload your selfie, take your chances.”
Editors' Recommendations
- The best wireless phone chargers for your iPhone or Android
- A brand-new Mac can be hacked remotely during its first Wi-Fi connection
- The best portable chargers of 2018
- Faxploitation: Hackers can use old-school printers to invade your home network
- 11 common Google Pixel problems and how to deal with them
