Mobile phone charging via USB could put data at risk

MANILA, Philippines - Data from your mobile phone could be at risk when you charge it using a standard USB connection connected to a computer, security experts from Kaspersky Lab have warned.

To understand what data the device transfers externally while connected to a PC or Mac for charging, the security firm said they tested a number of smartphones running various versions of Android and iOS operating systems.

The test results indicated that the mobiles reveal sensitive data to the computer during the “handshake” or the process of introduction between the device and the PC/Mac it is connected to, including the device name, device manufacturer, device type, serial number, firmware information, operating system information, file system/file list, electronic chip ID.

The amount of data sent during the handshake varies depending on the device and the host, but each smartphone transfers the same basic set of information.

“The security risks here are obvious,” said Alexey Komarov, a researcher at Kaspersky Lab. “If you’re a regular user you can be tracked through your device IDs; your phone could be silently packed with anything from adware to ransomware; and, if you’re a decision-maker in a big company, you could easily become the target of professional hackers.” 

“And you don’t even have to be highly-skilled in order to perform such attacks, all the information you need can easily be found on the Internet,” he added.

Charging mobile phones via USB connected to a computer could put your data at risk, according to Kaspersky Lab.

The security issue could be indirect  as all an attacker could do in some instances is collect a few unique identifiers with a device connected to an unknown computer or charging device.

However, as early as two years ago, Kaspersky Lab said a concept was already presented at Black Hat that a mobile phone could be infected with malware by simply plugging it into a fake charging station.

The security firm successfully reproduced the result this year, concluding that by using just a regular PC and a standard micro USB cable, armed with a set of special commands (so-called AT-commands), the Kaspersky team were able to re-flash a smartphone and silently install a root application on it. This amounts to a total compromise of the smartphone, even though no malware was used.

“It is strange to see that nearly two years after the publication of a proof-of-concept demonstrating how a smartphone can be infected through the USB, the concept still works,” Komarov said.

This technique was also used in 2013 as part of the cyber espionage campaign Red October. Kaspersky said the hacking team group also made use of a computer connection to load a mobile device with malware. That would not have been as easy to achieve if smartphones did not automatically exchange data with a PC automatically upon connecting to the USB port.

Komarov said  the risk of a possible attack through unknown charging points and untrusted computers, mobile phone users should: use only trusted USB charging points and computers to charge the device; protect mobile phone with a password, or with another method such as fingerprint recognition, and don’t unlock it while charging; and use encryption technologies and secure containers (protected areas on mobile devices used to isolate sensitive information) to protect the data.

Using a proven security solution that could help detect malware even if a “charging” vulnerability is used could also help mitigate risk. 

Mobile malware on the rise

Data from the Kaspersky Security Network (KSN) shows that during the first quarter of the year, over two million mobile malware were detected worldwide.

While China still has the highest number of detected mobile malware infections for Q1 2016, the Philippines is now the 7th most attacked country in terms of this type of cyber threat.

Data from KSN revealed that 15.7 percent or almost two in every 10 Kaspersky Lab security solutions users in the Philippines faced a mobile threat during the period. 

Anthony Chua, Territory Channel Manager for the Philippines and Singapore at Kaspersky Lab Southeast Asia, said with 119 million Filipino mobile phone subscribers, it is not surprising that the Philippines is now among the top 10 most attacked countries with mobile malware among 213 nations included in Kaspersky Security Network.

“The main goal of cybercriminals is to earn and with millions of active smartphone users in the country, the Philippines is like an overflowing pot of gold,” he said.

Also in the top 10 of the most attacked countries are Bangladesh (28 percent), Uzbekistan (21 percent), Algeria (17.6 percent), Nigeria (17.4 percent), India (17 percent), Indonesia (15.6 percent), Ukraine (15.0 percent) and Malaysia (14.0 percent).

Interestingly, the safest countries  were Taiwan (2.9 percent), Australia (2.7 percent) and Japan (0.9 percent).

 Mobile ransomware also increased 1.4 times, from 1,984 in the last quarter of 2015, to 2,895 in the first quarter of 2016. Meanwhile, adware, a form of potentially unwanted software that displays advertisements and collects information about the user’s behavior, is the leading mobile malware during the first three months of 2016.

The share of adware in overall mobile threats in Q1 was 42.7 percent, a 13 percentage point increase compared to the previous quarter. 

The second leading mobile malware was the SMS Trojan (20.5 percent), which steals money by sending text messages from mobile device to premium rate phone numbers.  It was also the second quarter in a row that Kaspersky Lab has seen a growth in the share of detections of this type of mobile malware.

Coming up: A device for charging devices securely

With the inherent risks posed by USB charging and charging in public places, mobile phone users will never let go of these conveniences.

But what if there is a charger that has a USB input on one end and a USB output on the other, with  a touch screen on top so users can activate or deactivate USB data lines? By default only the power lines are active, and no data is transferred. If a USB port requests a connection to transfer data, the device alerts the user, who can opt into or out of the data exchange with a single tap.

This is the concept behind Kaspersky Lab’s Pure.Charger, which also doubles up as a voltage stabilizer for surge protection. Should there be a spike of voltage, it can protect the smartphones’ hardware.

“Our gadget is no different than wearables: it has a screen, a processor, memory, and connectivity modules as well,” Kaspersky Lab said in a news release.

The innovative charger, however, is not yet publicly available. Kaspersky Lab has launched a few weeks ago crowdfunding campaign on Kickstarter to raise funds to bring the device to the mass market.

The company hinted, however, that the Pure.Charger SDK might become publicly available to the developer community to give users the opportunity to enhance or modify its functions.