Slashdot Mirror


Jailbroken Devices Compromised By Charging Stations

mask.of.sanity writes "Data can be stolen from Windows, Android and Apple devices by unassuming power charging towers. In an attack demonstrated at the Defcon hacking conference, mobile phone charging units were rigged to pull data from phones plugged into them. Researchers found many jailbroken and modified devices activated USB functions when they were plugged in, or simply rebooted."

20 of 93 comments

  1. Er... how can Android be jailbroken by Anonymous Coward · · Score: 2, Interesting

    Nitpicking here... An iPhone that is jailbroken has its security compromised where anything is possible via the USB connection. However, an Android device that has root still has its security mechanisms 100% intact unless someone automatically checks "yes" every time the su dialog pops up, or has a really craptastic ROM.

    Yes, some ROMs might allow for a root prompt to allow a hacked charger to slurp data via ADB, but this can be easily disabled by just turning debug mode off.

    1. Re:Er... how can Android be jailbroken by pruss · · Score: 4, Interesting

      1. Moreover, there is quite a bit you can do with adb even without root: the adb shell normally gets privileges that are higher than those ordinary non-system Android apps get, though lower than full root privileges. (E.g., you can silently install and deinstall arbitrary apps from an adb shell.) So keeping debug on and plugging into untrusted devices is probably not such a great idea, whether the device is rooted or not. Moreover, if debug is on, then even if the device isn't rooted, an attacker can often just silently install an app that roots the device via whatever vulnerability roots a given device, and then get full root privileges.

      2. The Superuser app that I use can be set so that it remembers su permissions after the first time one is asked and doesn't ask again if the same app requests the permission (technically, it will ask again if the app requests the permission in connection with another su command, but most root-using apps just request permission for an su shell, and then do their work in the shell). I keep that setting active, since I do things that require root so often (my SuperDim app to dim the display below what the OS normally allows for use at night; on boot setting the exec permission on my SD card so I can move app libraries to it; adjusting CPU governor settings; using my Force2SD app to move recalcitrant apps to SD; running a script to do a tar backup of all of /data; etc.). It would be a real nuisance to be constantly prompted. But there is an obvious security cost to the convenience. I am willing to accept that cost, especially since I currently use only two root-based apps that I didn't write myself, and I think they are trustworthy apps. So only two apps that I didn't write have the silent su authorization enabled.

    2. Re:Er... how can Android be jailbroken by blair1q · · Score: 2

      Yes, but see how they worded the threat?

      If you have done something to totally drop security on your magic data port, then something you connect to that port that you do not understand can pwn your gifs.

      Pretty simple really.

      Same deal with flying. You're okay until someone lets the snakes loose.

    3. Re:Er... how can Android be jailbroken by zoloto · · Score: 2

      Your comparison of Android and iOS is Oranges and Apples. (:P) Just because someone's jailbroken their iOS device doesn't mean it's insecure from that point, and oftentimes that security hole is the purveyor of other actual fixes to prevent unauthorized access, including the one it (the jb method) used to jailbreak the device, i.e. the PDF exploits used for jailbreaking iOS devices.

  2. Hmm by LocalH · · Score: 5, Insightful

    So basically, you connect an untrusted device to a device you trust somewhat, and you're shocked when bad things can happen?

    It's like people who would pick up a random USB drive off the ground and then plug it into their computer without taking precautions. Why is this any different?

    --
    FC Closer
    1. Re:Hmm by Anonymous Coward · · Score: 5, Insightful

      I'm not sure if your USB drive example is a good comparison to this situation. Charging stations are becoming commonplace and showing up in airports, coffee shops, etc. Businesses that people trust.

      I think this is more like a fake ATM machine. People are so used to ATMs being everywhere, that little thought is given when they enter their PIN number into one. It's not something that the average person is going to think twice about.

    2. Re:Hmm by Joce640k · · Score: 2

      Simple solution: Get a USB extension cable which only has power connections, not data.

      --
      No sig today...
    3. Re:Hmm by erroneus · · Score: 2

      In technical terms, you are correct. But the belief was that this was a power station, not something intended to compromise. True that it caught people unaware. It would have caught me unaware. It goes to show that using complex connectors for power isn't such a great idea since it requires trust which people are unaware they are giving.

      This has given me cause to pause. I just checked my phone. Its default setting on reboot is for USB connections to prompt on the phone what to allow. USB debugging is also disabled by default. Am I wrong in guessing I would have been safe unless I was stupid enough to answer the prompt? Also, I am running a Team Whiskey load on my phone, not a stock one.

      Most people are and likely still will be vulnerable. Sad.

    4. Re:Hmm by The+Dawn+Of+Time · · Score: 2

      *golf clap*

      You're so awesome, and your points really make a difference in the real world.

    5. Re:Hmm by Em+Adespoton · · Score: 5, Interesting

      Tell me this... does this amazing OS of yours alert you when you plug in a new USB keyboard? Because some of the USB sticks people find on the ground have both a flash memory partition and a fake keyboard interface that sends key commands in a predefined manner.

      I'm all for OSes that fingerprint all your USB devices and require you to validate each function of each interface the first time presented, but even OpenBSD doesn't do this by default.
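
The per-interface check described in the comment above, as an added example that is not part of the original thread: it walks a USB configuration descriptor, lists each interface's function, and reports the ones not yet approved. The sample descriptor, the VID/PID and the function names are constructed for illustration.

```python
import hashlib

# Constructed sample: configuration descriptor of a composite "flash drive"
# that also exposes a HID boot keyboard. Not captured from a real device.
SAMPLE_CONFIG = bytes.fromhex(
    "09 02 39 00 02 01 00 80 32"   # configuration, wTotalLength=57, 2 interfaces
    "09 04 00 00 02 08 06 50 00"   # interface 0: mass storage, SCSI, bulk-only
    "07 05 81 02 40 00 00"         # endpoint 0x81, bulk IN
    "07 05 02 02 40 00 00"         # endpoint 0x02, bulk OUT
    "09 04 01 00 01 03 01 01 00"   # interface 1: HID, boot subclass, keyboard
    "09 21 11 01 00 01 22 3f 00"   # HID class descriptor
    "07 05 83 03 08 00 0a"         # endpoint 0x83, interrupt IN
)

CLASS_NAMES = {0x03: "HID", 0x08: "mass-storage", 0xFF: "vendor-specific"}

def parse_interfaces(config: bytes):
    """Return (class, subclass, protocol) for every interface descriptor."""
    interfaces, offset = [], 0
    while offset + 2 <= len(config):
        length, dtype = config[offset], config[offset + 1]
        if length < 2 or offset + length > len(config):
            raise ValueError(f"malformed descriptor at offset {offset}")
        if dtype == 0x04 and length >= 9:          # INTERFACE descriptor
            interfaces.append(tuple(config[offset + 5:offset + 8]))
        offset += length
    return interfaces

def describe(iface):
    cls, sub, proto = iface
    if (cls, sub, proto) == (0x03, 0x01, 0x01):
        return "HID boot keyboard"
    return CLASS_NAMES.get(cls, f"class 0x{cls:02x}")

def fingerprint(vid, pid, iface):
    # VID/PID are device-supplied, so this identifies a claim and does not
    # authenticate hardware; the point is one approval per exposed function.
    text = f"{vid:04x}:{pid:04x}:" + "".join(f"{b:02x}" for b in iface)
    return hashlib.sha256(text.encode()).hexdigest()[:16]

def pending_functions(vid, pid, config, approved):
    """List (name, fingerprint) for interfaces the user has not approved yet."""
    result = []
    for iface in parse_interfaces(config):
        fp = fingerprint(vid, pid, iface)
        if fp not in approved:
            result.append((describe(iface), fp))
    return result

if __name__ == "__main__":
    for name, fp in pending_functions(0x1234, 0x5678, SAMPLE_CONFIG, set()):
        print(f"approval needed: {name} [{fp}]")
```

A stick already approved as storage still shows the keyboard interface as pending, which is the case the comment is concerned with.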

    6. Re:Hmm by cowboy76Spain · · Score: 2

      The analogy only works in part. In your case, your maximum possible loss is the device itself and any data not properly backed up. In the case explained in the article, the exploit means that your data ends in untrusted hands.

      Of course, it depends a lot on the nature of the data that you have in your phone. For my phone, it would be a greater setback breaking the device than making public any data held in it. But maybe some other people have in their smartphones the numbers of their secret bank accounts in Switzerland.

      --
      Why can't /. have a rich-text editor? Editing your own HTML is so XXth century.
  3. Seatback charging on airplanes by mpoulton · · Score: 4, Informative

    I flew on Air Canada a few weeks ago and they had USB ports for charging integrated into the seatback touchscreen displays. When I plugged my phone (HTC Incredible running CM7 nightlies) into it with a USB data cable, it indicated a valid data connection to a host controller! I was surprised and thought the seatback device probably contained a small PC to handle the interactive display. I tried to poke around on the host device to see what I could find, but didn't get anywhere with it. For some reason it didn't even occur to me that the "poking around" could be going the other way. If someone could compromise those seatback devices, the phone contents of thousands of passengers could be automatically collected...

    --
    I am a geek attorney, but not your geek attorney unless you've already retained me. This is not legal advice.
    1. Re:Seatback charging on airplanes by Anonymous Coward · · Score: 4, Informative

      AC chargers that can supply up to 1000 mA short the two data pins together to tell the phone it can draw that high amount of current.
      USB devices connected to a controller are only allowed to draw 500 mA, and only after negotiation with the host.
      A USB connected to a port where the data pins are not shorted AND cannot negotiate a higher current with the host is only allowed to draw 100 mA.

      So removing the data pins from a USB port will prolong charge duration 5x or 10x.

    2. Re:Seatback charging on airplanes by RobbieThe1st · · Score: 2

      Not if you short them together on the device side.

    3. Re:Seatback charging on airplanes by cshake · · Score: 2

      Since iDevices (at least the iPods I've used) have the ability to charge from the "dumb" wall bricks with a USB port, why not bring a custom cable with you to unsecured locations that only connects to VCC and Gnd on the USB port, and has the appropriate resistor between the data lines to indicate a valid charging station? Voila, no risk of data going either way and you still get a charge from an unknown location.

    4. Re:Seatback charging on airplanes by MichaelSmith · · Score: 2

      I tried to poke around on the host device to see what I could find, but didn't get anywhere with it

      If you drill down to something called TCAS or FMS I advise you to leave it alone.

  4. Re:jailbroken? no need for that by mpoulton · · Score: 2

    "or simply rebooted" implies that they rebooted when they were attached to usb, which sounds a bit far fetched tbh.

    Many phones will boot when connected to power if they are off to begin with. I think that's what he meant.

    --
    I am a geek attorney, but not your geek attorney unless you've already retained me. This is not legal advice.
  5. Re:Duh by Miamicanes · · Score: 4, Informative

    What you need is a USB CondomCable with the D+ and D- pins shorted together. No data can flow, and if the bad guys didn't bother to try and implement proper power protocol, you'll get the added satisfaction of frying THEIR hardware when your phone cranks up the juice and tries to suck down 1.7A instead of politely sipping 100mA. Just don't ever use such a cable by mistake to connect your phone to a pc or laptop belonging to yourself or a friend.

  6. Re:Duh by Kookus · · Score: 4, Informative

    I don't think he meant that the d+/- lines were what fries the host, he was indicating that the phone wouldn't think it's connected to a computer and it would draw higher amps because it thinks it's hooked up to just a charger. So if the host didn't limit amps and its wires weren't rated for 1.7A, then it would result in them overheating and hopefully damaging something.
    The whole purpose was to make a connector that actually works, not something to destroy the host. The ancillary prize was damaging hosts if they were advertised as just a charger and they really weren't.

  7. Told you so by Animats · · Score: 3, Informative

    Told you so on February 6, 2009.

    Back in 2009, it was just a Windows autorun problem. Since then, Google and Apple have been able to screw up in the same way.

    Coming soon, I suppose, attacks on appliances via "smart meter" data links. Not everything should have a data link.