Hackers could be stealing information off your phone
“I just kind of plug my phone in,” Austin Hueber, a computer science major, said of the cell phone charging kiosks on campus. “I worry that someone might take it, but other than that it’s just a charger.”

A recent surprise exposition by Georgia Tech University researchers at the DefCon security convention in Las Vegas has made public a security threat that even those who study and work with computer security are not aware of. At least 360 attendees of the Las Vegas convention, most of them experts in online and computer security, unknowingly allowed a device to access their phones and the personal information stored on them.

The tactic used to fool these security experts is a new hacking practice known as juice-jacking. According to Brian Krebs, a former computer security writer for The Washington Post, juice-jacking is the practice of malicious third parties using the free charging kiosks found at airports, hotels, malls and college campuses as a means of compromising the security of a user’s smartphone. Juice-jacking can give hackers access to any contacts, photos, emails, banking accounts and passwords a user may have stored on their smartphone, as well as the potential to upload undetectable malware to the phone.

Although students should be wary of public charging kiosks in public places such as malls and airports, they should be aware that the risk of a security compromise on one of the GoCharge kiosks located on Northern Kentucky University’s campus is relatively low. The inner workings of the charging kiosks are fairly basic, said Doug Wells, director of infrastructure and operations in the Office of Information Technology for NKU.

“In the basic sense, it is a big USB power strip, with presupplied charging cables,” Wells said in an e-mail correspondence with the Northerner. “The phone charger version we have has no ability to charge students or scan AllCards, or be networked,” said Wells.

Although the model of GoCharge kiosks currently on campus is too simplistic to pose a security risk, a threat does lie in third parties connecting additional devices to the kiosks that are capable of collecting users’ data. Researchers at Georgia Tech University were able to collect data from unwary smartphone users by installing a microcomputer called a BeagleBoard in kiosks. The $45 devices, available at beagleboard.org, act as a connector between the USB power hub and the charger, and when installed with a malicious program, can compromise the security of an iOS device in less than one minute. The smallest and most discreet of these devices, the BeagleBone Black, can be connected through Ethernet, HDMI and USB hosts, and is capable of running Linux, Ubuntu and Android operating systems.

Wells acknowledges the possibility, but insists that students are not at risk if they pay attention. “Look at the cord you are about to use,” Wells says to users of the kiosks, “and verify that the cable doesn’t appear to be tampered with.”

As of September 16th, a device known as the USBCondom has been created to relieve the fears of those who use public charging kiosks. The device blocks data pins in a USB connector, allowing only the power pins to connect between a phone and a foreign USB hub.

The chargers on campus all feature three traditional iPhone chargers, as well as five microUSB chargers. NKU is currently looking into adding chargers for newer devices to the kiosks, such as the Lightning adaptor for iPhone models 5 and up.