People love the idea of being able to conveniently charge their phones without a cable or having to hunt for a plug. Free charging stations are popping up everywhere. In almost all major US airports, many international airports and frequently in public places, “free” (or even the kind that will charge a small fee via your credit card) are becoming ubiquitous.
The number and kind of these devices varies from the simple pole with multiple electrical and USB ports to “lockable” versions where you can lock your device and walk away while it is charging – for a nominal fee, of course.
Want to get in on the action and start your own charging station business? I found one for sale on eBay for $2,875 or “Best Offer." Jump over to Alibaba.com and you can buy 5 for $1,400. Once one of these is in a hacker’s possession, it can be modified to take information while it’s giving your phone a charge. How many of us wouldn’t think twice about it before we automatically click “Trust this Computer” on our iPhones? Whatever it takes to get charged back up, right?
I can’t help that my mind works this way, but the first time I saw one I thought: What a great way to suck all the data out of the phone. And if you’re paying for the charge, they can also get your credit card number! Not to mention the fact that the cable can transmit malware to your phone, because, after all, the cable provides a two-way data channel in addition to charging capability.
Turns out other people had the same thought. As far back as 2011 at the DEF CON convention, two researchers set up a phony charging station demo. At the 2013 Black Hat convention in Las Vegas, computer scientists demonstrated how easy it is to hide a tiny computer in a public phone charger. The idea eventually became known as “juice jacking.” While Apple and Android pushed a patch to resolve that vulnerability, hackers continued to experiment with the concept: this year’s DEF CON had a presentation on “video jacking.”
Again, using a phony charging station, HDMI-enabled phones (the kind of phones that allow you to watch a movie using your phone connected to a TV) are vulnerable to having their every key and finger stroke recorded. According to Brian Krebs, iPhones were not tested for this hack, but I’m sure others are in the pipeline. It’s just too darn tempting.
My recommendation? Don’t plug your USB charging cable into anything except your computer or an outlet directly connected to your phone, and nothing else.