Careful What You Plug Your Phone Into

I’ve often said that I would enjoy putting several phone charging stations in an airport or mall that would exploit whatever phone was plugged into them. As it turns out, I’m not the only one with such demented ideas:

This news couldn’t wait for the Black Hat conference happening now in Las Vegas. We reported in June that Georgia Tech researchers had created a charging station that could pwn any iOS device. The full presentation revealed precise details on how they managed it. I’m never plugging my iPhone charger into a USB port in a hotel desk again.

This is a potential vulnerability with any device that is capable of receiving data over it’s power input. Most smartphone, and many dumb phones for that matter, use a Universal Serial Bus (USB) to transfer data and charge the battery. Manufacturers of assume the USB port, being a port that requires physical access, is secure and doesn’t need much in the way of verification of validation (although this attitude is slowly changing) making the transfer of malicious software relatively easy. Just because a port requires physical access doesn’t mean one can’t do away with security measures. It’s trivial to convince most people to plug their phone into a random USB port (just claim that they’re plugging it into a phone charger).

Social engineering, the art of tricking somebody to do something for you, is probably the most effective security bypassing mechanism. You may not have access to a machine you want to exploit but chances are you can convince somebody who does have access to grant you access. For example, gaining access to a phone is often as easy as asking the person with the phone if you can make a phone call. If you make an effective story that appeals to the owner’s emotions chances are high that they’ll hand you the device.

One of the most entertaining rooms at Defcon this year was the Social Engineering Village. Inside they had a phone booth where competitors would call various businesses and try to use social engineering to pump important information out of employees. The tactic worked frighteningly well. During one of the times I popped in the competitor had a man on the phone spilling his guts about the entire network setup for his company. Trickery works.