When your phone’s battery is running low, you would have probably never thought twice before plugging it to charge through your laptop or to freely available charging points like at airports, cafes, on public transport or even free hotspot kiosks provided by your very own city. Nevertheless, security experts are warning why you may want to lay off charging your devices this way and opt for your traditional charger or powerbank instead.
A research team at security firm Kaspersky Labs discovered that is entirely possible to hack and install a third-party application like a virus onto your phone while it is being charged through a USB cable connection to a laptop. The simple act of charging your phone could potentially give hackers access to all your personal details from the moment you plug in your device. Driven by the curiosity of what and how much data was being transferred between your mobile and the charging points, the Kaspersky team decided to conduct a research to these questions. The answer: a lot. In fact, data is transferred between your phone and the charger it is plugged into as soon as the charging connection is made, and the whole process took them under a mere three minutes.
During the study, the Kaspersky researchers tested devices running different versions of iOS and Android to see what data is transferred while connected to a Mac or PC for charging. According to the researchers, plugging your iPhone or Android phone into a computer results in a whole load of data being exchanged between the two devices. The phones tested leaked a host of private data, although varying in amount depending on the device and host as it moved data to the computer during the ‘handshake’, it still included the basic set of information like the phone’s name, the manufacturer, the device type, the serial number, firmware information, the operating system information, the file system and the electronic chip ID.
Extra: A ‘handshake’ begins when one device sends a message to another device indicating that it wants to establish a communications channel. The two devices then send several messages back and forth that enable them to agree on a communications protocol.
While this information may seem harmless to us, Kaspersky warns that these data would be sufficient enough for a hacker to break into your phone and take control of it. For many, our phones have turned into our extra limbs we could not imagine living without. Much of our daily lives are integrated with our phones and they serve as unique identifiers to third parties who might be interested in collecting such data for some subsequent use. The fact that the version of firmware in use and unique device identifier was exposed could mean hackers are able to target the device with a specific exploit, as the Kaspersky researchers were concerned.
Kaspersky explained that it was ill-advised to charge phones using a public USB port or through the laptop as during several of their tests, the security experts were able to silently install a root application on a dummy phone this way using a regular PC and a standard micro USB cable and armed with a set of special commands (so-called AT-commands), which ended up exposing the device. It amounted to a total compromise of the smartphone, even though no malware was used.
In fact, this is not the first time this has been heard of. This is not even the first time that the theft of data from a mobile connected to a computer has been observed. This technique was used in 2013 as part of the cyberespionage campaign Red October. Additionally, the notorious Italian Hacking Team group also carried out a similar process by making use of a computer connection via the USB port to infect a phone with malware. They plotted the attack based on the device model of the victim, which the hackers managed to get through the USB-connected computer. “That would not have been as easy to achieve if smartphones did not automatically exchange data with a PC upon connecting to the USB port,” Kaspersky Labs said. According to Mirror, by checking the identification data received from the connected device, the hackers were able to discover what device model the victim was using and then use this information to tailor their attack.
This proof of concept was presented in 2014 at Black Hat when researchers demonstrated the process of how they were able to infect devices with malware using AT commands by plugging it into fake charging stations in public places. Now, two years on from the original announcement, the Kaspersky experts are still amazed that the same method still successfully reproduce the results.
“It is strange to see that nearly two years after the publication of a proof-of-concept demonstrating how a smartphone can be infected through the USB, the concept still works,” said Alexey Komarov, researcher at Kaspersky Lab said.
He went on to warn that: “The security risks here are obvious: if you’re a regular user, you can be tracked through your device IDs; your phone could be silently packed with anything from adware to ransomware. And, if you’re a decision-maker in a big company, you could easily become the target of professional hackers”.
Worried about getting hacked just by wanting to charge your phone through your laptop? Kaspersky Lab provides a list of tips on several techniques to protect yourself:
- Use only trusted USB charging points and computers to charge your device
- Protect your mobile phone with a password, or with another method such as fingerprint recognition, and do not unlock it while charging
- Use encryption technologies and secure containers (protected areas on mobile devices used to isolate sensitive information) to protect the data
- Use encrypted apps like WhatsApp, Telegram, Wired etc. to communicate
- Install some kind of antivirus software that is capable of detecting malware even if a “charging” vulnerability is used
- Update your mobile operating system to the most recent version, as that will have the most up-to-date bug fixes
 Kaspersky Lab
 Coventry Telegraph
 IT Pro
 Tech Worm