The Rippleshot Data Breach Blog

Cellphone Charging Stations: The Next Avenue In Data Theft?

Written by Zach Walker | Aug 20, 2015 3:30:00 PM

One of the latest trends in the security industry is experiencing resurgence, involves a device that nearly everyone with a smartphone has used at least once in the last twelve months. They’re in nearly every airport, your favorite restaurant or bar, conferences; it’s nearly impossible to miss the charging stations that keep our lifelines to the world charged. These charging stations are manufactured and distributed across the country by a variety of a vendors, however there is a serious security threat that dates back as a far as 2013.

Nearly two years ago during the Black Hat security conference in Las Vegas, a research scientist at Georgia Institute of Technology, Billy Lau, told conference attendees that it was possible for a strain of malicious code to be installed onto a smartphone via a small cable. At the time, there had been no documented evidence that this attack method had been carried out. Not even a week later at another security-focused conference, Def Con, conference attendees used a seemingly harmless charging station to power-up their smartphones. 

Security researchers at Aries Security built a charging station at DefCon to highlight the potential dangers of connecting one’s device to an unknown power or data source. When conference attendees were not using the charging station, a message was displayed on a LCD screen installed on indicating that attendees could charge their smartphones free of charge. Once a smartphone was plugged in, said screen switched to a red warning sign with the following message:

 

“You should not trust public kiosks with your smart phone. Information can be retrieved or downloaded without your consent. Luckily for you, this station has taken the ethical route and your data is safe. Enjoy the free charge!”
Security experts showed how a hacker could compromise the sensitive data on a cellphone in four steps. When looking at the security of an iPhone, a “Mactan,” a small computer that can be installed to disrupt Apple’s safeguards. Once installed in the charging station, a virus can be installed within a minute. Once the upload is completed, any personal information including notes, photographs or emails can be transmitted or stored on another device to be collected at a later date. After the security exploit was brought to the attention of Apple, the company told Reuters that this particular exploit was fixed in their iOS 7 update.

Two years later, whispers amongst the security industry are getting louder and louder about a “new” attack method cybercriminals are using to steal sensitive data from unsuspecting targets. At the 2015 Retail Reinvention Summit, a fraud management panel of industry experts discussed how fraudsters are reinventing ways to steal sensitive data. During the panel, Rippleshot CEO Canh Tran, noted that that security experts within some of the major payment card issuers are seeing resurgence in the charging station hacks. Once a smartphone is plugged into a tampered charging station, the phone’s Universal Device ID (UDID) can be accessed and extracted. 

Once the UDID has been accessed, the attack can work around the phone’s safeguards to install malicious apps or extract sensitive data. When tested on an iPhone, it is possible to trick the phone by claiming the device as a test subject with a confirmed Apple developer ID. Neither the user or the phone can deny the request as Apple does not ask for permission in this situation and the targeted user would not be able to tell the hack is occurring from a visual standpoint. The true danger of this attack method is directly related to how unsecure these charging stations are and the ease of which how they can be tampered with. Affected users will then receive a ransom message demanding payment, often in Bitcoin, or the contents of the phone will be shared on the interent or deleted.

Just like gas station pumps across the country, these mobile charging stations are often left unattended allowing anyone posing as a maintenance person to gain unauthorized access to these machines. And the majority of these charging stations are designed to prevent access to other devices that may be plugged in potentially collecting or transmitting the stolen data. It's safe to say that until these security issues have been addressed, to avoid public charging stations even if they require payment to use. There are mobile chargers that can be purchased both in-store and online that will decrease the risk of being compromised.

Be sure to visit out knowledge center for the latest Rippleshot white papers, infographics, research and case studies.