In a recent security alert, the Los Angeles District Attorney has warned travelers to avoid charging their smartphones and other devices using public USB power charging stations as they may contain dangerous malware.
USB was designed to transfer both power and data and security researchers as well as cybercriminals have learned how to use USB connections to deliver malicious payloads to users who thought they were merely charging their devices.
Over the past few years, several proofs of concepts were created with the most notorious being Mactans, which was unveiled at the Black Hat security conference back in 2013. While the device may look like an ordinary USB wall charger, it actually has the capability to deploy malware on iOS devices.
- USB-C to get improved security in fight against malware-laden USB sticks
- This fake iPhone charging cable will hijack your computer
- Keep your devices charged with the best power banks of 2019
In 2016, security researcher Samy Kamkar improved on the idea further and created an Arduino-based device called KeySweeper. The device resembled a USB wall charger and it could provide power to smartphones but it also used a wireless connection to passively sniff, decrypt and log all keystrokes from any Microsoft wireless keyboards within its range.
Malware in plain sight
The LA District Attorney's warning titled “USB Charger Scam (opens in new tab)” provided consumers information on all of the different ways criminals can use USB wall chargers and even USB cables to infect their devices.
Pluggable USB wall chargers are the most common way that consumers can fall victim to a “juice jacking” attack as a criminal could easily leave behind a malicious charger at a public place such as an airport or hotel. However, criminals now also have the capability to load malware onto public charging stations which means that public USB ports also pose a security risk.
In the same way that a charger can 'accidentally' be left behind, so too can USB cables and the O.MG Cable, which was revealed at this year's DefCon cybersecurity conference, is a recent example of how malware can now be hidden inside a USB cable itself.
To avoid falling victim to a “juice jacking” attack, LA officials recommend that travelers use AC power outlets instead of USB charging stations and that they bring their own chargers when traveling. While traveling can certainly be fun, it is also the time that consumers are most likely to fall victim to a scam or even a cyberattack.
- Keep all of your devices protected with the best antivirus software
Via ZDNet (opens in new tab)