Your Phone's Power Use Can Give Hackers an Opening
April 11, 2017
Experts have long known the risks associated with charging a smartphone using a USB cord that can also transfer data, but new research shows that even without data wires, hackers using a "side channel" can quickly find out what websites a user has visited while charging a device. In a recent paper published in IEEE Transactions on Information Forensics and Security, researchers warn that "a malicious charging station" can use seemingly unrelated data—in this case, a device's power consumption—to extract sensitive information.
As a walk through any airport will show, most people are happy to plug their phones into public charging stations, putting their phones at risk of "juice-jacking," when a compromised outlet steals data through a USB data cable. The new research looking at data theft through charging alone was conducted at New York Institute of Technology (NYIT) by Kiran Balagani (assistant professor, NYIT), Aydin Farajidavar (assistant professor, NYIT), Paolo Gasti (assistant professor, NYIT), Qing Yang (Ph.D. student, College of William and Mary), and Gang Zhou (associate professor, College of William and Mary); their work is the first to show that even without a data cable, hackers can analyze a device's power needs to get at users' private information, with speed and accuracy depending on a number of factors.
Gasti said the side-channel attacks were successful because "webpages have a signature that reflects the way they load and consume energy." The remaining power traces act as "signatures" and help hackers discover which sites have been visited.
The researchers conducted the study using power use signatures they had previously identified and tested the attack under various conditions. After collecting power traces via a range of smartphones browsing popular websites, researchers launched attacks and checked the accuracy with which their algorithms could determine which websites were visited while the phones were plugged in. Various factors such as battery charging level, browser cache enabled/disabled, taps on the screen, and Wi-Fi/LTE influenced the accuracy rate in tracing websites visited; some conditions, such as a fully charged battery, facilitate a fast and accurate penetration, while others, such as tapping the screen while a page is loading, lessen hackers' ability to determine what website is being viewed.
Regardless of the conditions, the important finding emerging from this work is that such an attack can indeed be carried out successfully. And in this study, the slower, less accurate attempts at penetration were still accurate within six seconds about half the time.
Gasti explained the significance of the research, saying, "Although this was an early study of power use signatures, it's very likely that information besides browsing activity can also be stolen via this side channel. Since public USB charging stations are so widely used, people need to be aware that there might be security issues with them. For example, informed users might choose not to browse the web while charging."
New York Institute of Technology (NYIT) offers 90 undergraduate, graduate, and professional degree programs in more than 50 fields of study, including computer science, data, and cybersecurity; biology and biomedical studies; architecture and design; engineering; health professions and medicine; IT and digital technologies; management; communications and marketing; education and counseling; and energy and sustainability. A nonprofit, independent, private, and nonsectarian institute of higher education, NYIT welcomes more than 9,000 students worldwide. The university has campuses in New York City (Manhattan) and Long Island (Old Westbury), New York; Jonesboro, Arkansas; and Vancouver, British Columbia, as well as programs around the world.
NYIT embraces its mission to provide career-oriented professional education, give all qualified students access to opportunity, and support research and scholarship that benefit the larger world. More than 100,000 NYIT alumni comprise an engaged network of doers, makers, and innovators prepared to change the world, solve 21st-century challenges, and reinvent the future.
Karen Marie Belnap
Global Public Relations Strategist