Universal Serial Bus or USB was a extremely valuable development in the technology world. USB made consolidation of how we connect our smart phones, cameras, memory sticks and personal computers. It also created a very easy way to charge mobile devices. Like any prolific technology this high availability is not without it’s pitfalls, perhaps most significantly in the world of information security.
In January of this year I shared some insights on USB device security while covering a USB Human Interface Device (HID) security issue. While companies have made headway including a reduction in “Autorun” infections issues related to USB capable devices have been subjected to a number of additional threats. It is these threats that encouraged this update to arm you with knowledge so you can better protect yourself.
While it sounds like a way criminals might steal electricity it is actually how criminals can use charging kiosks to install malware on your portable devices. A charging kiosk is a public resource for charging your USB capable devices such as your Android Phone or iPhone. Imagine plugging into one of these kiosks and getting your smart phone or portable device infected with malware. Once infected your mobile device can then propagate said malware to your PC, Mac or any other computer you might connect it to in the future. Then using an autorun vulnerability that malware can then infect any flash drive inserted into the computer. See how this cycle can quickly spiral out of control? We can break this cycle easily:
Don’t plug your phone into any public USB outlet or charging kiosk, carry your own charger and use an electrical outlet.
Your own personal charger is your protection (pictured below, left), they convert the Alternating Current (AC) to DC suitable for charging a USB device. You can also just use your own laptop and a USB cable to accomplish this.
In advance of this post I posted a survey via Facebook and our own blog to see if our readers and friends were using public charging stations. I’m proud to report that 70% of respondents had not used them and only 30% had. Hopefully after reading this you won’t use them, it’s just not worth the risk.
Additional related content:
- #infosec hashtag search on Twitter (get the latest real time information)
- The #Infosec Weekly (A summary online publication of recent content shared by Information Security related Twitter Accounts)
- Security Investigator Brian Krebs piece on a charging kiosk located at the Defcon hacker conference. (partial inspiration for this post, also a great resource if you want to learn the ins and outs of information security)
- Managed Solutions on Facebook (We share lots of information security related information on our page, like us to get these updates.)