Mobile USB-C ports and public chargers: an easy target for hackers

In most companies, executives and employees undertake best-practice training on the use and security of their company’s mobile phones and computers. Typically, the guidelines include precautions against hacking, which can result in sensitive data being lost or phished and can seriously damage a company’s finances and reputation. Among these recommendations, users of company devices are told to avoid connecting to public Wi-Fi networks.

To protect information, mobile manufacturers have also been increasing the security and safeguards on the latest generation of devices, which feature double authentication (PIN and biometrics) to unlock them. However, despite these efforts, mobile devices still have a weak point that is little known to users: the USB-C port.

In recent years, mobile device manufacturers have invested in improving the USB-C port, increasing the charging speed, standardising the connectors and developing a single, multi-use port for charging the battery, downloading data and connecting to peripheral devices. These advances and features have improved customer experience but have also opened the phone to other possible vulnerabilities.

At a security level, the USB-C port does not have any authentication system, so if the device is connected to a fake charger or a manipulated one, the user is essentially providing hackers access to the device.

In addition to the lack of security countermeasures on the USB-C port, the appearance of docking stations and charging points in all types of public locations, such as bars, airports, trains, airplanes, conferences and our city streets, has added to the risk of security vulnerabilities. These charging stations are simple devices that are not subject to any security audit, so the connection points can be manipulated by hackers.

This combination of no authentication system and vulnerable public-access points has turned the USB port into a gateway to a wide range of attack techniques. Some of these attacks require expensive equipment and a lot of knowledge, so such attempts would only be possible at a fake station in an uncontrolled place. However, in other cases, as with software attacks, only a modified charging cable is required to bypass the device’s security.

The industry is aware of the problem and security specialists are now developing security countermeasures. The USB Implementers Forum Inc., a non-profit organisation which includes some of the leading technology companies, has recently developed a standard protocol to authenticate USB Type-C chargers, devices, cables and power sources. Under these improvements, certified USB devices will be able to detect whether an unfamiliar cable or charger is also certified before any power or data is transferred. This is a voluntary system with only a recently created certification regime, so it is too early to assess its impact on the market.

Let’s review the main types of attacks that can be carried out through the USB port:

One of these attacks is based on monitoring the power drawn through the ground pin of the USB connector. Attacks of this type are known as Side Channel Analysis (SCA) attacks. SCA attacks take advantage of the power consumption and/or the electromagnetic radiation of the device, which may reflect, and thereby leak information about, the data being processed.

Perturbation attacks are also commonplace, for example glitching tools that work through the USB protocol and are able to inject over- or under-voltages that affect the underlying hardware modules. The objective of this attack is to provoke the device to malfunction and then take advantage of the unexpected behaviour. This type of attack could increase the voltage of the smartphone momentarily and then, for example, cause the device to bypass a security process, leaving the device easily accessible.

In addition, there are a large number of attacks in the field of Physical attacks. For example, Android OS allows a keyboard or a mouse to be connected as an HID (Human Interface Device). By abusing this functionality, an attacker could trigger a factory reset, introduce malicious keystrokes through a keyboard, and perform a brute-force attack to unlock the screen-lock PIN. Basically, this attack tries all the possible PINs until the correct one is found, rendering the device accessible.

Within Physical attacks, one of the interesting tricks is to focus on data that remains temporarily in RAM. For instance, the cold-boot attack takes advantage of the remanence effect of volatile memory, and therefore the USB connection can be misused as an interface to read confidential information from this memory.

Finally, the most well-known attacks (and, sometimes, ones that are easy to carry out by downloading a script from the internet) are those categorised as Software attacks. These attacks set out to exploit vulnerabilities in software; for example, an attacker could execute a malicious app that extracts your photos and documents.

Smart cards, a reference in security evaluations

All of the attacks mentioned above are traditionally simulated in a mandatory security evaluation carried out by independent security laboratories on devices, such as smart cards, before they are released on the market. The aim of performing these attacks is to demonstrate that the product is protected, which helps the industry to improve the security of its products. However, at present, neither smartphones nor chargers and cables require a security evaluation, and Applus+ Laboratories are currently witnessing this security problem.

Companies and users entrust important data to their gadgets, and, in most cases, the leakage of this information could have dire consequences. Therefore, devices require security evaluations at all levels (development, manufacture and subsequent use in some cases) to keep data safe.

The attacks explained above are a sample of the tests carried out by Applus+ Laboratories. Our experts can evaluate different devices, such as smart cards, hard drives, IoT solutions and mobile phones, to ensure a sufficient level of security in each product.