17

We have several smartphones with encrypted data on them (BES, iPhone, Android) and want to prevent an unauthorized person from downloading information from the device via USB.

The visual assumption is that the USB file transfer mode is protected by a password; but then again, it is subject to implementation flaws and risks.

  • Are there any "known bad" or "known safe" smartphones with regard to USB security?

  • How does a corporation protect from these risks?

  • Does anyone have easy-to-understand explanations of the risks and what not to do? (e.g. use a public cellphone charging station)

makerofthings7
  • Recent advent in this area - http://www.theverge.com/2013/6/3/4390808/ios-malicious-charger-hack-georgia-tech-institute-black-hat-2013 – JZeolla Jun 03 '13 at 13:13

2 Answers

14

The kind of attack you are talking about is popularly known as "Juice Jacking".

  • Are there any "known bad" or "known safe" smartphones with regard to USB security?

    • To my knowledge, NO.
  • How does a corporation protect from these risks?

    1. By making policies (actually spreading awareness) about the threat, as many people aren't yet aware of it.
    2. And popularizing the practice of Not Using public charging kiosks.
    3. To charge your phones on the go, use a normal power cord as I'm sure non-smartphone mobiles are not that old to get their public charging outlets removed.
  • Does anyone have easy-to-understand explanations of the risks and what not to do? (e.g. use a public cellphone charging station)

    1. The threat isn't limited to downloading all your data; malware could also be written to your device, to own the victim for a longer time.
    2. What to do & Not to do list added in previous part.
AbhishekKr
7

There is an additional piece of protection you can put in place:

On my Android phones, I have the default connection type set up to be 'charge only' which prevents access through the USB port until I manually set the charge type to accept a connection. And this can only be done through the on-screen menus.

I think iPhones can do the same but don't have any definite data on that.

Rory Alsop
  • If an iPhone is locked with a passcode, iPhoto/iTunes can't sync until it's unlocked. iOS 4 and above. – Oct 15 '11 at 10:49
  • Charge only (and passcode on iOS) is just a software-enforced restriction. What if there is a vulnerability in said software? Your phone gets pwned. It's best to use a cable/adapter that disconnects or shorts the USB data pins together so there's a physical break (like an air-gap) between the phone and the potentially malicious charger. – André Borie Mar 27 '16 at 20:45
  • Not for any of my threat scenarios, no. If an attacker has already compromised your phone and the machine you are connecting to, then this hack is irrelevant. – Rory Alsop Mar 27 '16 at 20:47
  • In my scenario the phone is not yet compromised, however the code handling USB communication is vulnerable (it has a zero-day). A compromised machine could exploit that vulnerability to bypass whatever charge-only mode/passcode lock and compromise the phone as well. – André Borie Mar 27 '16 at 20:50
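
One way to check the 'charge only' default described in this answer from a trusted test host, as an added example that is not part of the original answer or its comments: it parses `lsusb -v` output and reports which devices expose data-capable USB interface classes. The sample output is constructed, and `data_interfaces` and `DATA_CLASSES` are names chosen here.

```python
import re

# USB-IF interface class codes that carry data rather than just power.
DATA_CLASSES = {
    0x02: "CDC communications",
    0x06: "still image (PTP/MTP)",
    0x08: "mass storage",
    0x0A: "CDC data",
    0xE0: "wireless controller (e.g. tethering)",
    0xFF: "vendor specific (e.g. ADB)",
}

# Constructed sample of `lsusb -v` output, not captured from a real device.
SAMPLE = """\
Bus 001 Device 007: ID 1234:abcd Example Phone
    Interface Descriptor:
      bInterfaceNumber        0
      bInterfaceClass         6 Imaging
      bInterfaceSubClass      1 Still Image Capture
      bInterfaceProtocol      1 Picture Transfer Protocol (PIMA 15470)
    Interface Descriptor:
      bInterfaceNumber        1
      bInterfaceClass       255 Vendor Specific Class
      bInterfaceSubClass     66
      bInterfaceProtocol      1
Bus 001 Device 002: ID 1234:0001 Example Keyboard
    Interface Descriptor:
      bInterfaceNumber        0
      bInterfaceClass         3 Human Interface Device
      bInterfaceSubClass      1 Boot Interface Subclass
      bInterfaceProtocol      1 Keyboard
"""

def data_interfaces(lsusb_text):
    """Return {usb_id: [labels]} for devices exposing data-capable interfaces."""
    found, current = {}, None
    for line in lsusb_text.splitlines():
        m = re.match(r"Bus \d+ Device \d+: ID ([0-9a-f]{4}:[0-9a-f]{4})", line)
        if m:  # start of a new device section
            current = m.group(1)
            continue
        m = re.match(r"\s*bInterfaceClass\s+(\d+)", line)
        if m and current and int(m.group(1)) in DATA_CLASSES:
            found.setdefault(current, []).append(DATA_CLASSES[int(m.group(1))])
    return found

if __name__ == "__main__":
    for dev, kinds in data_interfaces(SAMPLE).items():
        print(dev, "exposes:", ", ".join(kinds))
```

An empty result for the phone means the test host sees no data-capable interface; it does not rule out a flaw in the phone's USB handling, which is the concern raised in the comments.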