RSAC Scholar: Jennifer Burns Fellow Team Members: Matthew Bajzek, Tor Langehaug

Abstract - Is My Charger Hacking Me? Modern smartphones rely on USB for charging, but the capabilities of this protocol extend well beyond the delivery of power and offer a wide range of functionality. Since USB provides for communication and charging over the same physical interface, the USB port on a smartphone is a direct gateway into the device. There has been a wealth of research done in the realm of hacking personal devices via USB charger. Some of this research focuses on specific vulnerabilities that may be exploited on particular mobile devices, while other research targets devices of users that choose to plug their devices into untrustworthy charging kiosks. In our project we built upon these research areas by determining the current state of protections against USB attacks on Android devices and developing an innocuous home USB charger that has the ability to install a malicious application on a victim device. In essence, our research is motivated by the question “Should you trust the device that charges your mobile phone?” We hypothesized that vulnerabilities exist which make it possible to, with a combination of hardware and software, steal user data from an Android device by way of its USB port. Given the existence of these vulnerabilities, we further hypothesized that an attacker can package this exploit in a malicious phone charger largely indistinguishable from a trustworthy charger and therefore very likely to mislead the attack’s victims. We tested our hypothesis by developing prototype hardware and software to exploit potential vulnerabilities on Android. We therefore kept the following questions in mind while progressing through our project:

What types of protections are currently in place to prevent USB-based attacks? Do previously documented USB-based attacks still work, and if not, can we adapt them to

current devices? What are the results of launching our attack(s) on various Android devices? Is it possible to package our attack(s) so that users will not question using our device?

References:

[1] Z. Wang and A. Stavrou, “Exploiting Smart-phone USB Connectivity for Fun and Profit,” in Proceedings of the 26th Annual Computer Security Applications Conference, ser. ACSAC ’10. New York, NY, USA: ACM, 2010, pp. 357–366, [Online]. Available: http://doi.acm.org/10.1145/1920261.1920314. Accessed on: September 16, 2016. [2] B. Krebs, “Beware of Juice-Jacking,” Aug. 2011, [Online]. Available: https://krebsonsecurity.com/2011/08/beware-of-juice-jacking/. Accessed on: October 7, 2016. [3] Vidas, Timothy and Votipka, Daniel and Christin, Nicolas, “All Your Droid Are Belong to Us: A Survey of Current Android Attacks,” in Proceedings of the 5th USENIX Conference on Offensive Technologies, ser. WOOT’11. Berkeley, CA, USA: USENIX Association, 2011, pp.10–10, [Online]. Available: http://dl.acm.org/citation.cfm?id=2028052. 2028062. Accessed on: September 17, 2016. [4] A. F. L. Pereira, “USB connection vulnerabilities on Android smartphones,” 2014, [Online]. Available: https://sigarra.up.pt/feup/pt/pub_geral.show file?pi gdoc id=71852. Accessed on: September 20, 2016.

HypothesisA  combination  of  vulnerabilities  exists  which  makes  it  possible  to  steal  data  from  Android  devices  over  USB.

Goals• Design  attacks  that  evade  current  

Android  protection  mechanisms.• Package  attacks  within  innocuous  

form  factor  of  a  personal  USB  charging  device  so  users  implicitly  trust  the  device.

Embed  microcontroller  in  modified  USB  wall  charger  to  carry  out  our  attacks.  Exploit  lack  of  authentication  of  human  interface  devices  by  emulating  keyboard  over  modified  USB  On-­‐The-­‐Go  cable.

Attack  Method• Use  shortcut  keys  to  access  settings• Enable  applications  from  third-­‐party  markets• Download  malicious  application• Accept  permissions  without  user  interaction• Steal  device’s  contacts  and  send  to  attacker  

owned  remote  server  via  application

Problem  Statement and  Goals

Approach

Results

Is  My  Charger  Hacking  Me?Jennifer  Burns

Carnegie  Mellon  University

We  developed  a  prototype  that  takes  advantage  of  the  lack  of  authentication  of  human  interface  devices  (HIDs)  by  Android  devices  and  users’  implicit  trust  in  personal  charging  devices  to  steal  data  via  USB.

Potential  Defenses§ Implement  authentication  for  HIDs  – difficult  as  past  and  present  

HIDs  unable  to  provide  unspoofable means  for  authentication§ Consider  wireless  charging  methods§ Only  buy  USB  chargers  and  cables  from  trustworthy  vendors

Future  WorkCreate  different  charger  form  factors  and  attack  behaviors  to  increase  the  stealthiness of  our  prototype  and  attack.

Acknowledgements  -­‐ Fellow  team  members  Matthew  Bajzek and  Tor  Langehaug;  Dr.  Patrick  Tague;  Thomas  J.  Bajzek,  P.E.