Tuesday, August 12, 2014

Want Safe Juice? Better Wear a USB Condom!

You're waiting for your flight, and your smart phone’s battery is about to die. Or perhaps you're at a hotel conference or a shopping mall. You don’t have the power cable you need to charge your tablet or phone, but you do have a USB cord that can supply the needed power. Then you spot help: a free charging kiosk.

Did you think before connecting your phone to this unknown device, which could be configured to read most of the data on your phone and perhaps even upload malware? If not, better consider a USB Condom!


At the 2014 DefCon (a hacker's convention), over 350 attendees (who should be "in the know" about this) plugged their smart phones into a charging kiosk built by Brian Markus, president of Aires Security, and fellow researchers Joseph Mlodzianowski and Robert Rowley. They built the charging kiosk to educate attendees about the potential perils of juicing up at random power stations. To make their charging station more attractive to passersby, Markus and his pals equipped it with a variety of charging cables to fit the most popular wireless devices. When no device was connected, the LCD screen fitted into the charging station displayed a blue image with the words “Free Cell Phone Charging Kiosk.” The screen switched to a red warning sign when users plugged in any devices. The warning message read:

“You should not trust public kiosks with your smart phone. Information can be retrieved or downloaded without your consent. Luckily for you, this station has taken the ethical route and your data is safe. Enjoy the free charge!”

Markus said the comments from those who chose to juice up their phones at the kiosk were the most rewarding part of the project.

But that's not all: anything using USB is totally unsafe. That is the bold warning from Security Research Labs, given at Black Hat, another hacker con. Basically, any USB device can do anything it wants to your PC or Mac, and there's nothing you can do to stop it, detect it, or remediate it.

The security problem with USB devices isn’t just in what they carry; it is built into the core of how they work. That’s the takeaway from the findings of security researchers Karsten Nohl and Jakob Lell. The malware they created, called BadUSB, can be installed on a USB device to completely take over a PC, invisibly alter files installed from the memory stick, or even redirect the user’s internet traffic. ... And the two researchers say there’s no easy fix. ... They spent months reverse engineering the firmware that runs the basic communication functions of USB devices. Read more at Slate...

