When your smartphone battery is dead or running low, you probably wouldn't think twice about connecting your device to a computer using a standard USB connection. However, Kaspersky Lab experts say this seemingly harmless decision could make you vulnerable to hackers.
As part of a study examining the dangers of charging your smartphone in freely available, public charging stations, experts at the cybersecurity firm tested a number of smartphones using different versions of Android and iOS operating systems to understand what data is externally transferred while connected to a Mac or PC.
The experts found that a "whole litany of data" is transferred from the smartphone to a computer during the "handshake" between the two devices.
When you connect your device to a computer via a USB cable, the phone shares a host of key information during the "introduction process" such as the device name, device type, device manufacturer, serial number, operating system information, firmware information, file system/file list and the electronic chip ID.
While the amount of data shared does depend on the device and the host, Kaspersky Lab says each smartphone reveals the same basic set of information.
Kaspersky Lab says this is "indirectly" a security issue. "Now that smartphones almost always accompany their owner, the device serves as a unique identifier for any third party who might be interested in collecting such data for some subsequent use," Kaspersky said. "But it wouldn't be a problem if collecting a few unique identifiers was all that an attacker could do with a device connected to an unknown computer or charging device."
According to the security firm, public charging stations also present hidden dangers that smartphone users should be aware of as well.
In 2014, computer scientists demonstrated how easy it is for a hacker to install a small device in a public charger capable of infecting a smartphone with a virus.
"I would never plug my phone into a public charger," Billy Lau, a research scientist at the Georgia Institute of Technology who led the Black Hat demo, said at the time. "You don't know whether you are just charging your phone or if something else is going on."
Using a regular PC and a standard micro USB cable, Kaspersky Lab researchers say they were able reproduce the same result as well and re-flash a test smartphone by silently installing a "root application" on the device, which amounts to a "total compromise of the smartphone."
Both the cyberespionage campaign Red October and the Hacking Team have used this technique in the past to exploit the seemingly innocuous data exchange between a smartphone and a connected computer, the security firm said. After discovering the victim's device model received from the connected device, the hackers were then able to tailor their attack with a specific exploit.
"The security risks here are obvious," warns Alexey Komarov, a researcher at Kaspersky Lab. "If you're a regular user you can be tracked through your device IDs; your phone could be silently packed with anything from adware to ransomware. If you're a decision-maker in a big company, you could easily become the target of professional hackers. And you don't even have to be highly-skilled in order to perform such attacks, all the information you need can easily be found on the internet."
