How can a public USB charging station be manipulated by criminals to put a virus on my phone?



The cable in reality should only be connected to a power source for charging. Phone is plugged in, it charges. But imagine someone tampers with it and connects the other end to a hidden computer. Now you’re plugging your phone into a malicious computer. Possibilities are endless. There’s also tools like the O.MG cable that don’t need to be connected to a computer at all. The cable itself is malicious as there’s a small computer chip in it.

The USB identifies itself to your phone as a keyboard and issues commands to the phone like a keyboard would to download the virus and install itself.

The U in USB means Universal because you can have nearly any connection or device use USB. That means in order for your PC to communicate with the USB device it needs to identify what it does (storage, sound output etc.) and might need to install special drivers for that. If you plug a USB mouse into a Windows PC it will download and install a generic mouse (HID, human input device) driver that can deal with what the USB is sending and translate it to mouse movements. These drivers are from certified Windows servers and tested for malware, so it’s not likely to get malware that way, but not impossible either.

So USB does a lot of magic in the background, but getting malware from that is still super hard and more a state-funded hacker level and not something a random kid in a basement is going to develop. But I guess you ask this because some US secret service released a warning?

If you cannot see where the port is connected to, there is a myriad of possibilities of what can be done.

– maybe the port is actually connected to a malicious computer system that could implant its own code through the data link or copy data from your device.

– maybe the port is set up in a way to fry the device it’s plugged into or at least kill the device’s USB port.

– maybe the cable itself was modified to do its work and potentially do any of the above.

– maybe either of the above situations has the port or the cable falsely identify themselves to your phone as an input device to inject malicious commands.

USB cables can do two things:

1) Send power.
2) Send data.

The way your computer knows if you’ve plugged a mouse, a keyboard, a drive, etc. into it is (2). When you plug a device into a USB port, it tries to send a standard, “What kind of device are you?” message over the data lines. Normal, not-malicious devices respond with information like, “I’m a mouse!” and your computer uses that information to figure out how to further communicate with it.

Even devices that only want to charge over USB sometimes use the data lines because they might support fast charging or other things that draw more power than a “normal” device. So they respond to, “What kind of device are you?” with “I’m not really looking for a relationship, I just want to charge with this many volts.” etc.

The part of the USB charging station that may work with the data lines is called “the controller”. A malicious person will make a controller that does not follow the standards USB devices are supposed to follow. It may start with, “What kind of device are you?” just to see if it gets an answer back like, “Oh hi, I’m a Windows laptop, just looking for a charge.”

That’s when the controller starts to do bad things. *Which* bad things are hard to describe. But imagine if you tried to call Pizza Hut to order a pizza, the person answered the phone, you said you wanted to order a pizza, then they screamed into the phone for three solid minutes. Would you expect that? How would you react? It’s hard to say because it’s so weird it’d probably knock you off your game.

That’s how “attacks” on software work. Attackers try to figure out a way to send a message to programs that the programs do not expect. If the programs do not expect it, the programmers may not have written code that handles it very well. If they handle it badly in very specific ways, it can leave the program open to attack. One super common way things go wrong is a “buffer overflow”. That means that the laptop may only expect to get a message that’s up to 128 bytes long, but the malicious controller sends one that’s 2048 bytes long. If the program handles this badly, it’ll try to store all 2048 bytes and the extra bytes might overwrite other bits of memory. Then the attacker may know a complicated dance that allows it to trick the laptop into treating the “extra” memory they wrote as code to execute. That code will usually do something *else* the laptop doesn’t expect that tricks it into running *other* code, and eventually after jumping through a lot of hoops the laptop has been tricked into installing and running malware without the user’s permission.

That’s why there are devices known as “data blockers”. They’re little USB adapters that don’t even have the data lines. So if you plug them into a public charger, when the malicious controller asks “What are you?” that never makes it to your device because there’s no connection. In that case, most USB controllers think, “Huh, no response. This must just be a “stupid” device that only charges and doesn’t communicate.” On the downside, that can mean certain fast charging protocols won’t work because your device can’t say, “I’m a phone that wants to charge using up to 60W.”

So that’s why the recommendation is to bring your own chargers and plug into an electrical outlet. Normal electrical outlets and chargers are single-purpose, so even if your charger does use the data lines it was made by a company you trust and isn’t talking to any malicious controllers.
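The comment above describes three things a host has to handle on the data lines: a normal “I’m a mouse” answer, no answer at all (the data blocker case), and an answer whose declared size is bigger than the buffer the host set aside (the 128-versus-2048-byte buffer overflow). Here is an added C example, not from the thread or any real USB stack, that models the host side of that exchange with a made-up wire format (two-byte length followed by text; real USB descriptors look different) and shows where the missing length checks would sit. The function and scenario names are all constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the "What kind of device are you?" exchange from the
   comment above. The wire format is hypothetical: a two-byte big-endian length
   followed by that many bytes of text. Real USB descriptors differ. */
#define MAX_DESC 128   /* the host's fixed buffer: the "128 bytes" of the comment */

enum host_verdict {
    HOST_CHARGE_ONLY = 0,  /* no answer at all: treat the port as a dumb charger */
    HOST_DEVICE_OK   = 1,  /* well-formed answer, safe to keep talking */
    HOST_REJECTED    = 2   /* malformed or oversized answer, stop talking */
};

struct device_reply {
    char   desc[MAX_DESC];
    size_t desc_len;
};

/* Host-side handler. `wire` is what came back over the data lines (NULL/0 if
   nothing did, as behind a data blocker). Every length is checked before the
   copy; dropping those checks is exactly the buffer-overflow bug described. */
enum host_verdict handle_reply(const uint8_t *wire, size_t wire_len,
                               struct device_reply *out)
{
    memset(out, 0, sizeof *out);
    if (wire == NULL || wire_len == 0)
        return HOST_CHARGE_ONLY;
    if (wire_len < 2)
        return HOST_REJECTED;            /* not even a complete length field */

    size_t declared = ((size_t)wire[0] << 8) | wire[1];

    /* Check 1: declared length must fit the buffer (leave room for the NUL).
       Check 2: declared length must not exceed the bytes actually received,
       otherwise memcpy would read past the end of the message. */
    if (declared >= MAX_DESC || declared > wire_len - 2)
        return HOST_REJECTED;

    memcpy(out->desc, wire + 2, declared);
    out->desc[declared] = '\0';
    out->desc_len = declared;
    return HOST_DEVICE_OK;
}

/* Scenario 1: an honest mouse answers with an 11-byte description. */
enum host_verdict scenario_mouse(struct device_reply *r)
{
    static const uint8_t wire[] = { 0x00, 0x0B,
        'I', '\'', 'm', ' ', 'a', ' ', 'm', 'o', 'u', 's', 'e' };
    return handle_reply(wire, sizeof wire, r);
}

/* Scenario 2: a data blocker cut the data lines, so nothing comes back. */
enum host_verdict scenario_data_blocker(struct device_reply *r)
{
    return handle_reply(NULL, 0, r);
}

/* Scenario 3: a misbehaving controller declares 2048 bytes and sends them all;
   without the capacity check this would overrun the 128-byte buffer. */
enum host_verdict scenario_oversized(struct device_reply *r)
{
    static uint8_t wire[2 + 2048];
    wire[0] = 0x08; wire[1] = 0x00;      /* 0x0800 == 2048 */
    memset(wire + 2, 'A', 2048);
    return handle_reply(wire, sizeof wire, r);
}

/* Scenario 4: the length field claims 100 bytes but only 5 follow;
   without the received-length check memcpy would read out of bounds. */
enum host_verdict scenario_truncated(struct device_reply *r)
{
    static const uint8_t wire[] = { 0x00, 0x64, 'h', 'e', 'l', 'l', 'o' };
    return handle_reply(wire, sizeof wire, r);
}

int main(void)
{
    struct device_reply r;
    static const char *names[] = { "charge-only", "device ok", "rejected" };
    printf("mouse:        %s (%s)\n", names[scenario_mouse(&r)], r.desc);
    printf("data blocker: %s\n", names[scenario_data_blocker(&r)]);
    printf("oversized:    %s\n", names[scenario_oversized(&r)]);
    printf("truncated:    %s\n", names[scenario_truncated(&r)]);
    return 0;
}
```

The two comparisons in `handle_reply` are the whole point: one against the buffer’s capacity, one against the bytes actually received. Scenario 2 is what a data blocker produces from the host’s point of view (no reply, so it falls back to plain charging, which is also why fast-charge negotiation stops working through one), and scenarios 3 and 4 are the two malformed replies a correctly written host simply refuses.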