In a great example of the fact that not every USB charging station is as innocent as it looks, security researchers have identified a new, easy way for attackers to digitally eavesdrop on your smart phone when you think you’re charging it — and watch everything that appears on your screen while you’re doing it.
The security researchers who came up with the method call it “video jacking,” as it takes advantage of your smart phone’s ability to mirror its screen on larger screens (like a computer monitor), Brian Krebs of KrebsOnSecurity reports.
Once a vulnerable phone is attached to the USB charging station, the spy machine hidden inside the station splits the video display and records everything you enter on the screen as long as it’s plugged in. That means the PIN you use to unlock your phone, account numbers, texts, videos, pictures, the snarky comment you made on your friend’s duck-face selfie on Instagram, etc.
Part of the problem is that many phones that are at risk can’t really tell if a USB cord is merely charging it, versus one that’s tapping into the phone-out capability of the phone, Krebs notes.
“All of those phones have an HDMI access feature that is turned on by default,” researcher Brian Markus, co-founder and chief executive officer for Aries Security told Krebs. “A few HDMI-ready phones will briefly flash something like ‘HDMI Connected’ whenever they’re plugged into a power connection that is also drawing on the HDMI feature, but most will display no warning at all. This worked on all the phones we tested with no prompting.”
So how do you know if your phone is at risk? Most vulnerable devices are Android or other HDMI-ready smartphones from Asus, Blackberry, HTC, LG, Samsung, and ZTE, Krebs points out. He directs folks to two lists (one here, another here) of HDMI-enabled smartphones, though they shouldn’t be considered all-inclusive.
Markus also briefly tested the attack on an iPhone 6 at an Apple store, where the video of the phone’s home screen popped up on the display without any prompt. And to make it an evil charging station look legit, Markus used a special digital AV adapter from Apple, which could be stuffed inside a charging station with an extension adapter and a regular lightning cable attached to that.
If you’re worried that your phone might be at risk, sticking it into any USB charging station you come across is probably not the best idea. Krebs notes, however, that depending on what line of work you’re in, most “mere mortals” won’t have much reason to worry about video jacking. But because it’s a cheap and pretty effective tactic, you should carry your own charging dock when you travel, or use a USB phone charger adapter with a power plug on one end.
Road Warriors: Beware of ‘Video Jacking’ [KrebsOnSecurity]
Aucun commentaire:
Enregistrer un commentaire