NYIT: Smartphone hackers making a power play

No charge: Hackers can "juice-jack" your smartphone via "malicious charging stations," warns a team of NYIT researchers.

Be careful where you charge up your smartphone, lest you be “juice-jacked.”

Yep, that’s a thing: the theft of smartphone data through the USB cords used to power your mobile device. Plug into the wrong charging station, and hackers can quickly learn what websites you’re visiting (while charging) and potentially access other proprietary, personal data, even without a traditional “data wire” connection.

That’s the gist of a new paper by a team of New York Institute of Technology researchers published in IEEE Transactions on Information Forensics and Security, an industry journal covering the science of IT, including biometrics, surveillance issues and system-based applications.

The NYIT team – assistant professors Kiran Balagani, Aydin Farajidavar and Paolo Gasti, based at the institute’s School of Engineering and Computing Sciences in Old Westbury – collaborated with researchers from Virginia’s College of William and Mary on the effort, which focused on data stolen exclusively through “malicious charging stations.”

Experts have long understood the risks of charging smartphones using USB cords that can also transfer data, but the NYIT/WM research determined that even without data wires, hackers can use a “side channel” to access seemingly insignificant information – the device’s power-consumption levels, in this case – and use that to infiltrate a user’s private data.

The work by the NYIT team, College of William and Mary associate professor Gang Zhou and Qing Yang, a WM doctoral candidate, is the first to show that hackers can analyze a device’s power usage to get at sensitive info. It all has to do with each website’s unique “signature” – a digital fingerprint, of sorts, that clever hackers can translate and use as a way in.

“Webpages have a signature that reflects the way they load and consume energy,” Gasti noted.

Paolo Gasti: Taking charge of hack attacks.

The researchers conducted the study using previously identified power-use signatures. After cataloguing power traces via a range of smartphones browsing popular websites, the team plugged in the devices and launched simulated hack attacks, checking the accuracy with which their algorithms could determine which websites were visited while the phones were plugged in.

Various factors – including battery-charge level, whether the browser cache was enabled or disabled, physical taps on the screen and the specific WiFi/LTE signal – influenced the accuracy rates, the researchers noted.

Some conditions, such as a fully charged battery, facilitated faster and more accurate penetration; others, such as tapping the screen while a page was loading, reduced hackers’ chances of learning what website was being viewed.

Regardless of the conditions, the big takeaway is this, according to the researchers: Be careful where you charge your phone.

“Although this was an early study of power-use signatures, it’s very likely that information besides browsing activity can also be stolen via this side channel,” Gasti said. “Since public USB charging stations are so widely used, people need to be aware that there might be security issues with them.

“Informed users might choose not to browse the web while charging.”