I have seen some recent press coverage generated especially by the security-software industry about the concept of USB-based charging devices stealing data from smartphones and tablets that normally charge from these devices. This issue was brought to public attention at the start of the World Cup 2014 where the fear that an increased number of travellers pouring in to Brazil for the soccer may be a breeding ground for threats to the safety of personal and business data kept on mobile devices owned by these visitors.
The devices that are being considered of concern are “walk-up” charging facilities installed in commonly-accessible places or made available for everyone to use. The concern was brought about with a laboratory experiment involving a small “homebrew” computer circuit connected to an iPhone running iOS 6 and this computer discovering the data on that device. They said that this device could be concealed in a box the size of a “wall-wart” or built in physically or logically to a “walk-up” charging facility. Here, the device could gain access to your data on an iPhone or iPad running iOS 6 or earlier because those earlier iterations of the iOS operating system don’t indicate in a user-facing manner what kind of host device you are connecting your mobile device to.
Android user are luckier because all of the iterations of that operating system indicate whether your mobile device is being plugged in to a computer device rather than a power-supply device and tell you how they are presenting themselves to the host device i.e. a “Media Transport Protocol” device, a “Picture Transport Protocol” device or a “Mass Storage” device. You have the ability to determine how your device presents itself by tapping on the “Connected as” message in the Notification Screen which will show the possible modes. As well, you will see the USB trident symbol in the Notification Bar at all times while the connection is active.
The “Media Transport Protocol” mode primarily exists to allow the host access to the media content on your device and may be exploited by entertainment setups like home AV devices, in-vehicle infotainment setups and airline in-flight entertainment screens for playback via the device’s screen and speakers or headphones. On the other hand, the “Picture Transport Protocol” mode allows access to the pictures and videos in the default folders on your device and is exploited by PictBridge-capable printers and printing kiosks for “walk-up” printing of digital pictures. As well, the “Mass Storage” device mode presents your device to the host as a USB “memory key”.
iOS users can protect themselves by bringing their iPhones, iPads and iPod Touches up to date with the latest version of that operating system. Here, iOS 7 and newer versions will pop up a dialog box asking whether the user trusts the computer device that they are plugging in to and if they don’t assent, the Apple connection port just becomes a power-and-audio port rather than a power-audio-data port.
Other suggestions to deal with this issue include properly shutting down your mobile device when letting it charge up at a public charging facility or someone else’s computer, or charging it from an AC charger or external battery pack that you own and bring with you. Even ideas like being frugal with the way you use your mobile gadgets in order to “spin out” their battery runtime like cutting back on multimedia or gaming, or turning off functions like Wi-Fi and Bluetooth unless you actually are using them have been put forward.
The main issue here is keeping your mobile devices on the latest version of their operating system and paying attention to situations where your mobile device identifies that what is ostensibly a charging device is infact a computer device and the host device doesn’t come clear on its functionality.
Personally, it could become the time for the USB specification and other host-peripheral connection specifications to be revised to factor in “privilege levels” and trust ecosystems when it comes to device connectivity. This could mean that a connection may only be a “battery charging / power delivery” connection unless a level of trust is established between both devices as regards their functionality and it could even just lead to a removal of the “plug-and-play” features of these systems.