August 17, 2011

You’re out and about, and your smartphone’s battery is about to die. Maybe you’re at an airport, hotel, or shopping mall. You don’t have the power cable needed to charge the device, but you do have a USB cord that can supply the needed juice. Then you spot an oasis: A free charging kiosk. Do you hesitate before connecting your phone to this unknown device that could be configured to read most of the data on your phone, and perhaps even upload malware?

A DefCon attendee using the charging kiosk.

The answer, for most folks, is probably not. The few people I’ve asked while researching this story said they use these charging kiosks all the time (usually while on travel), but then said they’d think twice next time after I mentioned the possible security ramifications of doing so. Everyone I asked was a security professional.

Granted, a charging kiosk at an airport may be less suspect than, say, a slightly sketchy-looking tower of power stationed at DefCon, a massive hacker conference held each year in Las Vegas. At a conference where attendees are warned to stay off the wireless networks and avoid using the local ATMs, one might expect that security experts and enthusiasts would avoid using random power stations.

But some people will brave nearly any risk to power up their mobiles. In the three and a half days of this year’s DefCon, at least 360 attendees plugged their smartphones into the charging kiosk built by the same guys who run the infamous Wall of Sheep, a public shaming exercise at DefCon aimed at educating people about the dangers of sending email and other online communications over open wireless networks.

Brian Markus, president of Aires Security, said he and fellow researchers Joseph Mlodzianowski and Robert Rowley built the charging kiosk to educate attendees about the potential perils of juicing up at random power stations. Markus explains the motivation behind the experiment:

“We’d been talking about how dangerous these charging stations could be. Most smartphones are configured to just connect and dump off data,” Markus said. “Anyone who had an inclination to could put a system inside of one of these kiosks that when someone connects their phone can suck down all of the photos and data, or write malware to the device.”

To make their charging station more attractive to passersby, Markus and his pals equipped it with a variety of charging cables to fit the most popular wireless devices. When no device was connected, the LCD screen fitted into the charging station displayed a blue image with the words “Free Cell Phone Charging Kiosk.” The screen switched to a red warning sign when users plugged in any devices. The warning message read:

“You should not trust public kiosks with your smart phone. Information can be retrieved or downloaded without your consent. Luckily for you, this station has taken the ethical route and your data is safe. Enjoy the free charge!”

Markus said the comments from those who chose to juice up their phones at the kiosk were the most rewarding part of the project.

“One guy that clearly seemed stressed and in a hurry to get his phone topped off said, ‘I don’t care, take my data, I need my phone charged to make a phone call!'” Others said they planned to wipe their phones after leaving the hacker conference anyway.

“One attendee claimed his phone had USB transfer off and he would be fine.  When he plugged in, it instantly went into USB transfer mode,” Markus recalls.  “He then sheepishly said,  ‘Guess that setting doesn’t work.'”

Another DefCon attendee remarked, “This freaked my boss out so much he sent an email across the entire company stating employees are now required to bring power cables and/or extra batteries on travel, and no longer allowed to use charging kiosks for smart devices in open public areas.”

Inside the charging kiosk.

The safest route for charging your device on-the-go is to use the supplied power cord that plugs into a regular electrical outlet (assuming you can find an available outlet). Battery-powered mobile charging devices also work well in a pinch and are available at many airports. If you must use a random charging kiosk, the safest option may be to completely power off the device before plugging it in.

“One thing we discovered: On certain devices, if you power them completely off, then charge them, they don’t expose the data,” Markus said.


53 thoughts on “Beware of Juice-Jacking

  1. BSR

    I believe there are charge-only cables for some devices (I have a couple at home that connect to ipods/iphones. I think they only have the power wires hooked up inside and not the data ones.

    Possibly if you have one of these it would be safe to connect to a public kiosk?

    1. Dave

      >I believe there are charge-only cables for some devices
      >(I have a couple at home that connect to ipods/iphones.
      >I think they only have the power wires hooked up inside
      >and not the data ones.

      Unfortunately some phones won’t charge from data-only cables. For example (some) Sony-Ericsson phones require a data connection so the phone can check that you’re using a Sony-Ericsson charger and not a third-party one at a fraction of the price. Same with using a computer data cable, unless you have the Sony-Ericsson software loaded on the computer, the phone won’t charge.

      (They introduced this “feature” in about 2008, not sure how widespread it is among models).

      1. Jane

        Thanks for the warning! I never would have thought of that, and I’m afraid it will be difficult to find out before taking the phone home.

    1. Alex

      I looked into getting a solar charger a while back. Based on the reviews I saw, none of them seemed that great – even the best one would require hours and hours to even partially charge your phone (and of course it would also require a lot of light, which could be hard to find while you’re traveling).

  2. Alex

    As long as you use your phone’s AC adapter and charge the phone from that, it is perfectly OK to use any kiosk or electrical plug.

    I know this is obvious to geeks, but it may not be obvious at all to less technically-savvy folks who will now be running around yelling “OMFG HAXORS NEVER PLUG IN YOUR PHONE ANYWHERE!!!!”.

    1. Matt

      Maybe it’s worth data neutering a USB cable? Or maybe make a data neuterer stub adapter and sell them on a keychain? 🙂

  3. Robert Rowley

    The best advice is always the easiest solution: Don’t forget your charge cable! Bring 2-3 of them!

    Secondary to that and I’m glad to have read it here: Turn your phone off before plugging it in to strange chargers.

    Remember that iphones/smartphones use the data pin to get more voltage and charge faster, so neutering your cable (another option) will result in slower charge times. Also, if you’re smart enough to remember to bring your neutered cable (or adapter) you should be smart enough to bring your own charger!

  4. Steve

    If I power off my phone then plug it in, it will power up…

    I always take my own charging solutions when I travel, this is one more reason why that is your best suggestion.

  5. Sling Trebuchet

    The nice thing about devices with user-replaceable batteries is that you can use a spare one as a battery-charger – One that feeds insults, ridicule, shit and/or misdirection to whoever might be poking.

  6. brucerealtor

    With my Blackberry Storm, I always just use to carry a backup battery in the belt case, BUT when I upgraded to my Samsung Droid Charge, it was suggested that the Charge was easier on the battery than a number of other Droid devices and that getting thru the day was do-able. —- I even bought the Verizon clip-on belt carrier for the Charge, which is great BUT it won’t work IF you use the now available LARGER [thicker] battery. And there’s no place to carry the backup battery in the plastic slide-in belt carrying case.

    The Charge does have a power station available where both the Charge and a standard backup battery will charge simultaneously, but then you need to use a generic phone case that will hold the backup battery — unless you have briefcase or purse to put it in. After all, who wants to[or has time to] sit at either a charging station or wall outlet during a busy & hectic workday?

    BE PREPARED and charge all your batteries after work and if traveling take the charging station that will charge the backup and phone simultaneously with you for use at the hotel, etc.

  7. rgb

    The pin layout of a usb plug is as follows:

    1 VBUS Red +5 V
    2 D− White Data −
    3 D+ Green Data +
    4 GND Black Ground

    so all you need is a cable with the pins in the middle not connected. Voila safe charging. Or you could isolate these pins by covering them with some sort of insulating material like scotch-tape.

    1. martin

      Correct me if I am wrong but wouldn’t shorting the data pins be better? IIRC, doing so makes the USB-delivered power higher without exposing the data pins to the bad guys.

      1. Gerard

        @martin

        U cant just short those pins because the USB controller is not designed to handle power on those lines. The voltage line goes to a voltage regulator then to charge battery, this is why when you plug your phone into the wall and it gets 12 V on those lines everything doesn’t blow up.

        1. martin

          @Gerard

          I looked up the USB on wikipedia and got:

          In Battery Charging Specification,[38] new powering modes are added to the USB specification. A host or hub Charging Downstream Port can supply a maximum of 1.5 A when communicating at low-bandwidth or full-bandwidth, a maximum of 900 mA when communicating at high-bandwidth, and as much current as the connector will safely handle when no communication is taking place; USB 2.0 standard-A connectors are rated at 1.5 A by default. A Dedicated Charging Port can supply a maximum of 1.8 A of current at 5.25 V. A portable device can draw up to 1.8 A from a Dedicated Charging Port. The Dedicated Charging Port shorts the D+ and D- pins with a resistance of at most 200 Ω. The short disables data transfer, but allows devices to detect the Dedicated Charging Port and allows very simple, high current chargers to be manufactured. The increased current (faster, 9 W charging) will occur once both the host/hub and devices support the new charging specification.

          Is this wrong? Or is it dangerous to apply this to charging a phone? Also, isn’t USB a 5V standard? I don’t understand where the 12V is coming from. Can you explain?

          Thanks.

          1. Gerard

            @Martin

            I re-read my comment and noticed it was a little vague.

            I also read the USB 2.0 specification document to get you a better answer.

            USB 2.0 became data short tolerant. Meaning when USB 2.0 first came out the specification sheet explicitly stated not to short D+/D- to Vbus or GND. The spec was latter changed asking USB hardware designers to make their devices “Short Tolerant” for at least 24 hours but preferably for a much longer period of time.

            Looking at the USB 2.0 spec sheet the hardware connection does not make sense to short the data lines to each other or Vbus/Gnd because the data lines are directly connected to a transceiver on the receive side (Im talking about the side of your cell phone).

            Due to USB 2.0 short tolerance you probably wont destroy your data transceivers if you short anything.

            In order for this idea to work One data line should be shorted to Vbus, the other Data line shorted to GND. (You should always have a path to ground that matches the at least the amount of lines you have of power). Then the device like your cell phone would need an internal switch disconnecting both data lines from their transceiver connecting one to Vbus and the other to GND. This would safely allow larger amounts of current to flow. But devices are not designed this way.

            The way USB 2.0 works is when you are not communicating via the data lines it allows the Vbus line to draw more current and charge your device faster since it is not operating(powering) the data lines.

            The 12V came from when you use things like a cigarette lighter to charge your phone, that is a 12V outlet but there is a voltage regulator stepping down that voltage to 5V.

            I seen someone on this thread mention about a neutered cable with disconnected data lines. That would work just fine, from a hardware perspective.

    2. prairie_sailor

      I would avoid using scotch tape. That trick was by the instructors in the NAVY radar systems course I attended, however it sometimes caused unpredictable problems such as the tape peeling back and not allowing the circuit card to seat properly causing other faults, or when the instructors removed the tape the residue left behind would not allow proper contact which kept the fault in place. In the case of doing that to a USB cable I can see the tape peeling back or exposing a part of a contact causing data transfer to be allowed when it shouln’t be.

  8. fdfhgfh

    And then you dont tell us what these devices were that are safe when powered off? Thanks a bunch.

  9. JackRussell

    With my Android phone, when I plug the thing into my laptop for any reason, the phone prompts me before allowing data access. I guess I am a little surprised that all smartphones aren’t like this.

  10. Allan

    Let’s stop referring to these liability magnets as “smart” phones.

  11. brucerealtor

    Guess my comment was too long to get moderated.

    Restating it much more concisely, know your cell phone’s power drain and prepare accordingly with either extra batteries or your wall/car charger before leaving home or office.

    NO EXCEPTIONS.

  12. Steve Crowley

    This is a great story that confuses by not distinguishing between public charging stations that are for AC adapters only and those relatively few with USB adapters.

    1. BrianKrebs Post author

      Thanks, Steve, but it’s not clear how you could say it’s confusing the subject. I start and end the story with clarifications that this is about USB cord use, and that the (a) solution is to only use a regular power cord, not a USB charger.

  13. RasterPix

    I am with rgb on this one. By the time I finished reading the article, I was already thinking of making an ‘extension’ cable that drop the data lines and only pass through the power.

    Thanks for the article. It certainly gives me something to consider.

  14. sockatume

    The article gives me the impression that smartphones make it obvious when some sort of data transfer is going on, displaying a prompt, going into “transfer mode”, dismounting the memory card etc. Are there any exceptions?

    Has this ever been seen in the wild?

  15. Spencer Parkinson

    Very interesting experiment and a great read, Brian! Thankfully, in this case the end result was positive (user education). I liked the reference to the boss who made it a requirement for employees to take their own power sources with them while traveling. That’s a good best practice that more organizations should probably consider implementing. That said, I think it would be great if more companies simply started communicating any best practices regarding mobile security. A recent survey done by my company, Symantec, found that barely half (51%) of the business smartphone users surveyed had been informed of mobile security policies and/or best practices by their employer.

    Spencer Parkinson
    Symantec

  16. MB

    Guys, listen… In order to download data from your phone, the device needs to know how to send it across, ergo the software needs to allow data transfer. Surely good software design and a properly configured can prevent this stuff from happening. No reasonable exploit has been shown. I think this article is just unnecessarily scaring people.

    1. BrianKrebs Post author

      @MB – Do you have an iPhone? Plug it in to a random Windows computer using a USB cord. See what happens for yourself. This is not a theoretical threat.

      1. required name

        This is not a theoretical threat for iphones
        For decent smartphones this is a theoretical threat.
        Smartphone != iphone, believe it or not

  17. Bob

    In my laptop case, I carry the AC adapter for the laptop, my iPad charger with cable, a USB cable for my daughters Android Evo which can plug into my iPad charger. My car has 12 volt chargers for both her Evo and my iPhone. Haven’t needed to emergency charge the iPad as of yet, with it’s long battery life.

  18. Eric

    +1 at RGB, just cut the green and white, no shorting or anything, just disconnect those wires.

    I’ve done this actually. I cut the cable in half, stripped about half an inch on both sides, soldered the red and the black back together (leaving green and white disconnected), electrical taped the red and black individually, then electrical taped the rest. Charges fine, no data

  19. xAdmin

    Um, I’m not going to plug my high end smartphone into anything but my own approved charger! If just for the sake of not damaging the charging circuitry, forget about data transfer. It’s all too common that people choose convenience over anything else! 🙁

  20. maryt

    I usually always have my USB/DC adapter charger for my Android phone with my when I travel, but I also carry a USB/AC adapter piece as well that has come in quite handy several times.

  21. Yar

    The easiest solution is just to plan ahead. Take your own power cable. Done.

  22. Rakesh varma Sayyaparaju

    Use USB to cable power converter to avoid data transfers 🙂

  23. timeless

    fwiw, some devices share their data volumes while “powered off” as a convenience/feature.

    the best thing to do is to try plugging your devices into a trusted, running, internet connected Windows 7 computer once with the device on and once with it off and see what shows in Explorer and what appears on your device. Also consider whether an onscreen device prompt can be accidentally dismissed in a way which enables data access.

  24. MUSHTAQ

    HI
    THIS IS VERY GOOD IDEA AND SERVICE TO HELP THE PEOPLE WHO ARE IN NEED IN URGENCY.

  25. Pintu

    Hi All,
    As discussed about d charging at kiosk with d usb cable. It is possible to insert malware and data of a person can be manipulated. So better to do this with your own power charger rather than USB Charger.

  26. Richard M Stallman

    If the software in the phone were free/libre, the users would have
    control over it, and could make sure this attack is blocked. People
    who want to enable USB transfer most of the time could add a feature
    to warn them each time, or whatever they like. And they could make
    sure all these feature really do what their supposed to do.

    Sheep will always be vulnerable, but free software helps prevent the
    other part of the vulnerability.

  27. PAPPADAA

    What is the criterion that a completely powered off device is
    ” less likely to upload its data, when pulling in next charge?

Comments are closed.