Charge Your Cell Phone, Get Malware?


« Firefox 6 Released. Does it Matter? | Main | Android Malware, Adobe Exploits, Spam Volume & More in the McAfee Quarterly Threat Report »

08/22/2011



Charge Your Cell Phone, Get Malware?

Kevin R. Smith
Co-Editor



3

Most of us have been in an airport or other similar public place and seen the free charging kiosks.

And, I'll venture to bet that most of us have used 'em, too.

Looks like the bad guys aren't running out of ideas on ways to get at you and your data, and now it looks like the free ride at the charging kiosk is over since the bad guys can start moving in there, too.

That's what Brian Markus (president of Aires Security) and his colleagues (researchers Joseph Mlodzianowski and Robert Rowley) showed when they built a charging kiosk at the 2011 DefCon hackers convention in Las Vegas.

As crazy as it sounds, charging your smart phone at a free charging kiosk can leave it exposed to data theft or even malware installation.

Brian Krebs always fantastic security blog, Krebs on Security, has a piece called Beware of Juice Jacking that goes into detail about how even some phones with settings to disable USB transfer don't do so reliably enough to be trusted.

'One attendee claimed his phone had USB transfer off and he would be fine. When he plugged in, it instantly went into USB transfer mode,' Markus recalls. 'He then sheepishly said, `Guess that setting doesn’t work.`'

Given that we haven't had any opportunities to test smart phone antivirus software against these types of threats, we can't say if the current batch of antivirus software for phones would be enough to prevent these types of attacks. Given what we've seen from VIPRE Mobile (the version of VIPRE Antivirus for Android Mobile phones), we expect it would.

Regardless, it's clearly safest to avoid these kiosks for charging your phone, and as the piece says,

If you must use a random charging kiosk, the safest option may be to completely power off the device before plugging it in.

'One thing we discovered: On certain devices, if you power them completely off, then charge them, they don’t expose the data,' Markus said.

Posted by Kevin R. Smith at 02:29:44 PM in smartphone malware , Social Engeering

Comments

You can follow this conversation by subscribing to the comment feed for this post.

I live in Franklin, Tn, a very wealthy place. I went through 3 LG Ally phones in 10 days from plugging my phone into a wall socket at a hotel. The first one destroyed the phone and the phone charger. Bought a new charger from walmart and two other phones destroyed. The virus comes in via the use port on a carrier signal from ac. Old military hack. Your phone screen, all data, contacts and personal info is transferred and phone is left a shell.know I have a druid 2 Global. Only attacks when plugged into wall. I set up the swipe lock and so far it is the only protection. Every android is vulnerable to this juice jack as you call it. There has to be a way to immunize the use on a phone just like you do zip drives. The firewall app with the block blacklist rule and Zdoubletwist to turn off the use port and Voice Notify with the all applications access unchecked in setting, these 3 applications with these settings seem to minimize the hijack but not totally stop it. System/framework/monkey,jar has shown up on my phone it seems to be like the old DOS monkey boot virus and when the use is plugged into the ac outlet sends a signal and within about one minute the phone takes on a life of its own. Nobody believed me until I took my phones into Verizon, plugged them into the wall socket and the screen freezes for external interface but you can see somebody else clicking on data and so forth. It makes me wonder with all the phones and wealth what all has been transferred to korea and china already. I used an os monitor app and discovered all sorts of things going on. Whichever antivirus company can protect my usbfrom such hacking, I will gladly pay a subscription to. The threat is real and ironically nobody is talking about it. LG Ally and Droid 2 Global are vulnerable but at least with the Droid 2 G I can take back over my phone. All androids and tablets using use plugged into an ac outlet are vulnerable to and most likely already compromised if you plugged them into an outlet in Williamson County Tennessee. I can only imagine other wealthy areas how easily they are to hack. How do you think computers on a power grid get hacked and shutdown the grid? Now you know.

Posted by: D | 10/03/2011 at 07:26 PM

This happened to me, too. I bought my charger at the Walmart in hendersonville, tn . At first I thought I was crazy, but thanks to seeing your post I knew I wasn't!! I noticed before it destroyed my phone, I will be returning that immediately.

Posted by: ashley | 04/17/2012 at 09:00 PM

Wow... Very sorry to hear about your incident, Ashley.

It's one of those things a lot of people really just take for granted, but as you're well aware now, it happens to real people.

And, it's not just some ,"Oh, c'mon... that's impossible!" scenario dreamed up someplace. It happens.

Posted by: Kevin Smith | 04/17/2012 at 10:08 PM

The comments to this entry are closed.