August 17, 2011

You’re out and about, and your smartphone’s battery is about to die. Maybe you’re at an airport, hotel, or shopping mall. You don’t have the power cable needed to charge the device, but you do have a USB cord that can supply the needed juice. Then you spot an oasis: A free charging kiosk. Do you hesitate before connecting your phone to this unknown device that could be configured to read most of the data on your phone, and perhaps even upload malware?

A DefCon attendee using the charging kiosk.

The answer, for most folks, is probably not. The few people I’ve asked while researching this story said they use these charging kiosks all the time (usually while on travel), but then said they’d think twice next time after I mentioned the possible security ramifications of doing so. Everyone I asked was a security professional.

Granted, a charging kiosk at an airport may be less suspect than, say, a slightly sketchy-looking tower of power stationed at DefCon, a massive hacker conference held each year in Las Vegas. At a conference where attendees are warned to stay off the wireless networks and avoid using the local ATMs, one might expect that security experts and enthusiasts would avoid using random power stations.

But some people will brave nearly any risk to power up their mobiles. In the three and a half days of this year’s DefCon, at least 360 attendees plugged their smartphones into the charging kiosk built by the same guys who run the infamous Wall of Sheep, a public shaming exercise at DefCon aimed at educating people about the dangers of sending email and other online communications over open wireless networks.

Brian Markus, president of Aires Security, said he and fellow researchers Joseph Mlodzianowski and Robert Rowley built the charging kiosk to educate attendees about the potential perils of juicing up at random power stations. Markus explains the motivation behind the experiment:

“We’d been talking about how dangerous these charging stations could be. Most smartphones are configured to just connect and dump off data,” Markus said. “Anyone who had an inclination to could put a system inside of one of these kiosks that when someone connects their phone can suck down all of the photos and data, or write malware to the device.”

To make their charging station more attractive to passersby, Markus and his pals equipped it with a variety of charging cables to fit the most popular wireless devices. When no device was connected, the LCD screen fitted into the charging station displayed a blue image with the words “Free Cell Phone Charging Kiosk.” The screen switched to a red warning sign when users plugged in any devices. The warning message read:

“You should not trust public kiosks with your smart phone. Information can be retrieved or downloaded without your consent. Luckily for you, this station has taken the ethical route and your data is safe. Enjoy the free charge!”

Markus said the comments from those who chose to juice up their phones at the kiosk were the most rewarding part of the project.

“One guy that clearly seemed stressed and in a hurry to get his phone topped off said, ‘I don’t care, take my data, I need my phone charged to make a phone call!'” Others said they planned to wipe their phones after leaving the hacker conference anyway.

“One attendee claimed his phone had USB transfer off and he would be fine.  When he plugged in, it instantly went into USB transfer mode,” Markus recalls.  “He then sheepishly said,  ‘Guess that setting doesn’t work.'”

Another DefCon attendee remarked, “This freaked my boss out so much he sent an email across the entire company stating employees are now required to bring power cables and/or extra batteries on travel, and no longer allowed to use charging kiosks for smart devices in open public areas.”

Inside the charging kiosk.

The safest route for charging your device on-the-go is to use the supplied power cord that plugs into a regular electrical outlet (assuming you can find an available outlet). Battery-powered mobile charging devices also work well in a pinch and are available at many airports. If you must use a random charging kiosk, the safest option may be to completely power off the device before plugging it in.

“One thing we discovered: On certain devices, if you power them completely off, then charge them, they don’t expose the data,” Markus said.

53 thoughts on “Beware of Juice-Jacking

  1. Anon

    Mr. Krebs your article needs to be more specific. Which smartphones are vulnerable to charging kiosks? Android? iPhones? All?

    1. Brian Krebs

      Don’t know which ones. I can tell you that the iPhone appears to be. But I don’t have a range of cell phones to try this with.

      You can find out if your phone may be vulnerable. Plug it in to a USB charger and see what comes up on the computer. If it prompts you to view the files without any kind of password, then chance are that device would be vulnerable.

      If you do such research, maybe post your findings as a comment here? Thanks.

      1. Anon

        Thanks for your reply.

        My smartphone runs Android 2.1 and when I connect it to my computer a screen comes up on my phone asking me whether I want to charge the phone or transfer files. If I simply choose to charge the phone, the phone doesn’t show up in My Computer and therefore you can’t view or modify its data. I’d guess that most Android phones would exhibit similar behaviour. You have to mount the phone (sdcard) in order to read or write.

        However your article had me thinking that it is possible to somehow read data simply by charging the phone, as if the phone would expose information even if it is simply charging. Perhaps it is not the case then.



  3. David Bradley

    “The safest route for charging your device on-the-go is to use the supplied power cord that plugs into a regular electrical outlet”

    How could you be sure it wasn’t running a powerline network?

  4. maddogg

    How smart would your phone be after that kiosk supplies 120VAC to it? 🙂

  5. Teri

    This makes me glad I have two auxiliary chargers that have USB attachments. I can charge them on a kiosk w/o putting my data at risk.

  6. First_Switch_Off_the_Device

    Before I charge my HTC smartphone, I switch off the device. Plugging it into any computer USB socket, I do not see any data transfer at all.

    Honestly, I don’t see how a dead phone can transfer data. Are these security and other IT professionals unable to switch off their phones before charging them?

  7. HongwenZhangWedge

    Thank you for sharing these findings! It’s interesting to hear how even with prior warning, people are still vulnerable to the glamour of free battery life. Had the charging stations not taken the proper security precautions, these users could have risked exposing private corporate data. Not only should corporations educate their employees, but they need to block malicious attacks before mobile malware enters its system through infected devices. Corporations must ensure network layer Data Leakage Prevention (DLP) to prevent the outflow of user/corporate data. Our company Wedge Networks has been working towards solutions such as these for years, to prevent the good things from flowing out and the bad things from coming in.

Comments are closed.