TL;DR: Never trust a public USB socket. If you are forced to use one, use a power-only USB cable. There’s a catch though – you’ll read more in the last paragraph.
Imagine yourself running late for a plane on a busy Monday morning. Keys – check, suitcase – check, passport and tickets – check. To make matters worse, slightly upset by the grumpy taxi driver and length of the bag drop queue at the terminal, you find yourself staring at the red battery symbol on the dimmed smartphone screen.
Luckily, you come across one of those mobile charging stations and minutes later you’re all set for boarding.
Beware, as you might have just taken an unwanted passenger on-board with you!
Unfortunately, using USB sockets that you don’t trust creates a huge security risk and deciding which ones you should trust is a non-trivial job to say the least! There are types of attacks that can be carried out the moment you plug the smartphone in the socket without Android/iOS even noticing.
They work in a variety of ways. Some of them interact directly with the operating system, for example during the enumeration of USB devices when the system boots up. Another type of attack abuses the DFU (Device Firmware Update) feature of the USB protocol that lets another device update the firmware of the USB device. Yet another one creates a partition in Flash memory of the USB chip to exfiltrate sensitive data flowing through the port later. If the above reasons were not enough, there is always a possibility of using the smartphone as a transient host for malware destined for other platforms, stealing data from inside the corporate network as soon as the infected device is plugged into a PC.
Three main risks of these attacks are:
- data theft from the smartphone,
- compromise of the internal company network,
- unwanted device tracking.
While the risk of data theft is definitely the most pronounced and impactful, point number two, infiltration of internal network, follows closely. One study at a “large university campus” shows that users pick up and connect an estimated 45%-98% of the USB pen-drives the researchers dropped. Admittedly, this article is about USB drives, but for all intents and purposes, a smartphone that has once been plugged into an untrusted USB port might as well be treated as a USB “trojan horse” that could open a back door to your company’s network.
We won’t go into any details of how it can be carried out, but if you’re interested, take a look at the list of 29 types of USB attacks.
The easiest thing to do to save you most of the headaches related to that if you ever run into such a situation is to use a charge-only usb cable. They are available from major retailers and are dirt cheap.
There is one caveat though – fast charging will most likely not work when a cable without data lines (D+ and D- in the USB 2.0 pinout) is used. This is due to the fact that in order to make use of the fast charging mechanism, the smartphone has to be able to communicate with the charger’s firmware. Some cable manufacturers claim that they sell products, like this one from PortaPow, that can preserve fast charging by being “hardwired with the Fast-Charge USB signal”, at the same time only saying that “this will most likely solve the problem”. We have not tested any of them though. If you have, share your experience in a comment!
Losing fast charging capability may seem like throwing the baby out with the bathwater these days, but losing data or having them stolen is likely to cost much more than the time you spend waiting.