The Author is motivated to write this Advisory after having been enlightened while on a road trip along National Highway 1A in India, after a co-passenger on the public transport bus complained of losing money from the e-wallet installed on the Smartphone, which was used on a charging hub provided at the restaurant, and which the victim had used to electric-charge the phone. The Author does not intend to provide an exhaustive report of the incident, but would like to advice our readers to refrain from ‘electric charging’ the Smartphone from a Public USB Charging Port or Hub.
The USB charging port provided on our smart phone is not a mere interface for charging the internal battery, but is also the vital interface to access the Internal Memory, the External Memory card (SD Card), Re-installation of Operating System or other Software, Transfer Files across it, for installation of Software Application, last but not the least to alter permissions and alter security settings, among others.
- Firstly; let us understand the anatomy and the nuances of the USB: the USB is the abbreviation for “Universal Serial Bus”, this then provides for the inherent functionalities for which it has been designed. The word “bus” comes from “omnibus“, meaning all. A bus in a computer system is something that connects to all of a set of devices. The word “Serial” is a form of connection that does not entail any external computable connector and the fact that the controller is available inherently to accept the interface and there is no requirement for a software driver for each type of connection. The word “Universal” in USB, is more a literary sense, yet I would like to define this word from a ‘Devils Perspective’ as “one for all and all for one“. The ‘Devils Perspective’ is primarily for the fact that, this USB is beyond the digital control of the beholder. The USB can perform a “Write To” on its own concurrently, when the user is explicitly executing “Read From”. Similarly, USB can perform a “Read From” on its own concurrently, when the user is explicitly executing “Write To”. Both these executions can be done even without the user interface. And it is executed by means of the ‘autorun’ codes present in the controller or the intelligent devices that is being connected, among them. Now talking about the USB standards or versions; we see a large number of classifications based on the transfer speed and capacity. There are several major USB standards, USB4 being the newest: USB 3.0 (also known as SuperSpeed USB) has a maximum bandwidth rate of 5 GBPS (gigabits per second), that translates to 640 MBPS (megabytes per second)—ten times faster than USB 2.0. USB 4; Based on the Thunderbolt 3 specification supports upto 40 GBPS (40,960 MBPS).
- Secondly, let us understand the concept of “Juice Jacking”. Juice jacking is a type of cyber attack involving a charging port that doubles as a data connection, typically over USB. This often involves either installing malware on the target or surreptitiously copying sensitive data from a smart phone, tablet, or other computer device. This means is also used to carry out Fiscal fraud.
USB was designed to transfer both power and data and security researchers as well as cybercriminals have learned how to use USB connections to deliver malicious payloads to users who thought they were merely charging their devices. The ability of the USB, which the victim is assuming to be a changing interface, makes a connection to the USB Charging port or the hub. In a noted case, it was seen that the USB charging connector was at the back end connected to the USB port of a Desktop/Laptop, which then becomes the workstation not just for transfer of electric power but as a gateway for surreptitious malicious act. In short the USB is exploited to serve as an access provider to the victims Smartphone.
In the instant case, it was found that the perpetrator had also installed the “Teamviewer” App, which was then paired to the attackers Smartphone/Computer.
The Advisory: -Never connect the USB Charging interface provided at a public place. -Remember to carry your Power Adaptor. -Resort to carrying a Powerbank while on tour or long travel. -Once the need arises to connect the USB to your Laptop/Desktop for transfer of data or files, remember to ‘turn off’ the default connection as file transfer interface. -To avoid being a victim of “juice jacking” attack on your smart phone, it is recommended that the OS and Security Patches be updated on regular basis. -It is also advised to install n Access Control Application along with a Paid and Authentic Antivirus on the Smartphone. -Use of Fake USB Cables can also be a cause of being compromised. –Use encryption on Phones.