Frequent travelers know they have to be careful about where they plug in USB-connected devices to recharge. Security researchers have long warned that USB charging cables at conferences, airports and other public places can steal smartphone information, but the latest twist on this attack is absolutely beautiful in its simplicity — it can steal your info by simply broadcasting it on a screen.
Independent security journalist Brian Krebs took a deep dive on the proof-of-concept attack, which he saw demonstrated informally at the DEF CON 24 hacker conference in Las Vegas earlier this month. The attack is so delightfully straightforward, it's a miracle no one's ever thought to use it before.
As you may be aware, many high-end smartphones running on both iOS and Android can transmit their screen displays or video to an external monitor via HDMI. The exact technology varies by phone, and not all phones have the built-in hardware, but you can buy a USB-to-HDMI adapter — usually on the cheap — and mirror your phone’s screen on a TV without using unreliable wireless protocols.
The only trouble is that an HDMI-capable USB cable or plug is often indistinguishable from a regular USB cable. Brian Markus, CEO of Aries Security, worked with Joseph Mlodzianowski and Robert Rowley, two other accomplished researchers, to see how cheap and easy it would be to steal people's information via video hijacking.
The answer: very cheap and very easy. Using a $40 monitor and about $220 worth of equipment, the researchers devised a USB splitter for use at a public charging station set up at DEF CON. They were good enough to warn users what they were signing up for; actual malefactors probably wouldn't be so kind.
When a user connected his or her phone to the rig, the device would, indeed, start charging. But it would also transmit an exact copy of everything happening onscreen to Markus's monitor. In a more elaborate version of this setup, the monitor could be in a remote location rather than right next to the charging port, where it would make the con a little obvious.
The most common kind of USB-to-HDMI transfer involves standard microUSB plugs, or modified microUSB plugs with more internal pins, but USB-C and Lightning ports can also carry HDMI signals. Following the DEF CON demonstration, Markus went to an Apple Store and had an employee demonstrate Apple's Lightning-to-USB cable by outputting the screen display from her own iPhone 6 to a video screen, complete with passcode entry.
Unlike transmitting data via USB, which both Android and iOS warn users about, there's no notification when a phone begins outputting a video signal. Everything from entering a phone's PIN to logging into banking apps would be ripe for the plucking.
This, of course, is also the hijack's fatal weakness: How many people actually log into sensitive accounts while using public charging ports? People are just as likely to turn their phones off and wait a while. Social media and e-mail apps don't require constant logins. And if you're at a busy conference, the last thing you're going to do is stop to pay your credit card bill.
As such, Krebs doesn't think the average person needs to worry about this clever hack too much. Still, if you travel frequently and use public charging spots, you may want to keep your phone off, or restrict your activities to apps that don't require logins or display sensitive information. After all, if you do something embarrassing, there could be video evidence of it.