iPhones and Android smartphones vulnerable to new “video jacking” through free charging stations
Aries Security, a cyber-security company, claims that every major smartphone, such as the iPhone, Samsung Galaxy and Google’s Nexus, is vulnerable to a hacking threat called “video jacking” when plugged into a public charging station.
According to security experts, the free charging stations offered at many airports, convention centers and public places, complete with different cables to charge a variety of smartphones, are vulnerable to hacking: hackers could rig those stations to watch every move you make while connected to them.
“You go into your online banking application to take a photo of a check, well, that’s recorded. … When you connect to your contacts, all of that is recorded. If you do an e-mail or a text, everything on the screen is 100 percent recorded,” said Brian Markus, CEO of cyber-security company Aries Security who discovered the threat along with colleagues.
So, what is video jacking? In this kind of attack, custom electronics are hidden inside what appears to be a USB charging station. The moment a vulnerable smartphone is connected to the appropriate USB charging cord, the spy machine splits the smartphone’s video display and records a video of everything you tap, type or view on it as long as it’s plugged in, including account numbers, passwords, PINs, texts, emails, pictures and videos.
“From the moment that you plug in that cable to the moment that you unplug, that cable is exposed and recorded,” Brian Markus, CEO of Aries Security, told CNBC.
How does video jacking work?
According to Markus, video jacking takes place when an iPhone, Samsung Galaxy or Google phone is charged in a rigged public charging station. All the hacker needs to do is hide an HDMI [high-definition multimedia interface] splitter and recorder in the charging station.
An HDMI cable is a widely available smartphone accessory that allows images from a phone to be projected onto a TV screen.
Once a smartphone is plugged in, the charging station uses the built-in HDMI to secretly record everything that the user does on the smartphone without his or her knowledge.
With the HDMI cable, Markus said, “There’s no security prompting asking the user if they’re sure that they want to allow this to go out.”
Usually, the HDMI is automatically enabled on smartphones.
Just by looking at automatically enabled features, Markus and his team learnt about the threat and identified the possible vulnerability.
To test the threat, Markus made a sample charging station rigged with HDMI using parts readily available online.
Markus demonstrated the charging station using an iPhone, Samsung Galaxy smartphone and a Google smartphone and presented the results to CNBC.
Google declined to comment and Apple and Samsung did not respond to CNBC’s request.
Markus said he presented his results to raise awareness.
“One thing that I’m very sure of is if I don’t think of something and I don’t talk about it publicly, somebody else will, and it’s much safer for us to expose these risks,” he said.
To prevent possible attacks through unknown charging points, Kaspersky advises smartphone users to take the following precautions:
• Use only trusted USB charging points
• Protect your mobile phone with a password, or with another method such as fingerprint authentication, and never unlock it while charging
• Use encryption technologies and secure containers
Better yet, bring your own charger.