Battery charger hack offers covert way to spy on mobile devices

Paranoid Android

Hackers might be able to steal private data from a mobile device through a powerbank, even if a target is so paranoid that they’ve disabled internet access.

A novel side-channel attack was demoed during a presentation at Black Hat Europe today (December 5) by Dr Riccardo Spolaor of the University of Oxford – one of a team of four European computer scientists that have developed a means of exfiltrating data from a compromised device based on power consumption fluctuations alone.

The data that can be extracted by this technique is best measured at a rate of bits per hour, rather than Mbps, and relies on first planting a malicious app on a targeted device in the first place.

Despite these constraints, the attack is noteworthy because it shows how vectors for mobile security attacks can change, while emphasizing the point that even air-gapped systems can be compromised.

A few years have passed since the time users constantly sought an internet connection, leaving them at risk of attack, providing they could be tricked into connecting to a rogue wireless access point.

Ubiquitous WiFi coverage and cheaper data bundles from carriers have rendered this avenue of attack less attractive.

Today, users on the move are more likely to be on the lookout for energy sources to recharge their smartphone batteries.

This has led to the creation of charging stations in public places and the marketing of portable batteries – AKA powerbanks – to recharge your smartphone.

Public charging points have, to a certain extent, replaced rogue WiFi networks as a vector for hacks.

Measures to prevent data transfer via USB cable (such as ‘Charge-only’ mode) have been introduced into the Android ecosystem, alongside hardware protections.

These hardware protections include so-called USB condoms – charging connections where only the power connection works and the data transfer pins are absent.

Spolaor and his academic colleague in the Netherlands and Italy exploited a hidden communication channel based on the electrical current provided for charging the smartphone.

A malicious app posing as a clean app, such as an alarm clock, can remain silent until the device is plugged to a USB port and left unattended.

At this point it would begin transmitting sensitive data encoded in energy consumption peaks.

A powerbank under the control of hackers would be able to measure these peaks, the pattern of which forms a signal that can be decoded to pull off data from a compromised mobile device.

A victim would be left with no indication that anything was amiss. The exploit could be carried out without the need for the malicious app to have access to the internet or other permissions – providing it has access to the information that it wants to exfiltrate.

The Powersnitch app developed by the researchers only works on Android devices.

Similar attacks against Apple devices are an avenue for further research, Spolaor told conference delegates attending his talk.

“Wireless charging very noisy therefore good countermeasure against this type of attack,” Spolaor explained. “The current in that scenario is consumed in charging the battery.”

As a spying technique, the approach sounds like something from Mission Impossible, but the electronics necessary to measure the power fluctuations can be put together by the semi-skilled for as little as $17.