Smartphones can be compromised when charged using a standard USB connection connected to a computer, Kaspersky Lab experts have discovered in a proof-of-concept experiment.
Have you ever wondered how safe your smartphone and data are when you connect the device to freely available charging points at airports, cafes, parks and public transport? Do you know what, and how much data your mobile device is exchanging with these points while it’s charging? Kaspersky Lab researchers became curious and conducted research to find the answers to these questions.
As part of this research, the company’s experts tested a number of smartphones running various versions of Android and iOS operating systems in order to understand what data the device transfers externally while connected to a PC or Mac for charging. The test results indicate that the mobiles reveal a whole litany of data to the computer during the ‘handshake’ (a process of introduction between the device and the PC/Mac it is connected to), including: the device name, device manufacturer, device type, serial number, firmware information, operating system information, file system/file list, electronic chip ID. The amount of data sent during the handshake varies depending on the device and the host, but each smartphone transfers the same basic set of information, like device name, manufacturer, serial number etc.
Now that smartphones almost always accompany their owner, the device serves as a unique identifier for any third party who might be interested in collecting such data for some subsequent use. But it wouldn’t be a problem if collecting a few unique identifiers was all that an attacker could do with a device connected to an unknown computer or charging device.
Back in 2014, a concept was presented at Black Hat that a mobile phone could be infected with malware simply by plugging it into a fake charging station. Now, two years after the original announcement, Kaspersky Lab experts have been able to successfully reproduce the result. Using just a regular PC and a standard micro USB cable, armed with a set of special commands (so-called AT-commands), they were able to re-flash a smartphone and silently install a root application on it. This amounts to a total compromise of the smartphone, even though no malware was used.
Although information about actual incidents involving fake charging stations has not been published, the theft of data from mobiles connected to a computer has been observed in the past. For example, this technique was used in 2013 as part of the cyberespionage campaign Red October. And the Hacking Team group also made use of a computer connection to load a mobile device with malware. Both of these threat actors found a way to exploit the supposedly safe initial data exchange between the smartphone and the PC it was connected to. By checking the identification data received from the connected device, the hackers were able to discover what device model the victim was using and to progress their attack with a specifically-chosen exploit. That would not have been as easy to achieve if smartphones did not automatically exchange data with a PC automatically upon connecting to the USB port.
“It is strange to see that nearly two years after the publication of a proof-of-concept demonstrating how a smartphone can be infected though the USB, the concept still works. The security risks here are obvious: if you’re a regular user you can be tracked through your device IDs; your phone could be silently packed with anything from adware to ransomware; and, if you’re a decision-maker in a big company, you could easily become the target of professional hackers,” warns Alexey Komarov, researcher at Kaspersky Lab. “And you don’t even have to be highly-skilled in order to perform such attacks, all the information you need can easily be found on the Internet,” he concludes.
In order to protect yourself from the risk of possible attack through unknown charging points and untrusted computers, Kaspersky Lab advises the following:
· Use only trusted USB charging points and computers to charge your device;
· Protect your mobile phone with a password, or with another method such as fingerprint recognition, and don’t unlock it while charging;
· Use encryption technologies and secure containers (protected areas on mobile devices used to isolate sensitive information) to protect the data;
· Protect both your mobile device and your PC/Mac from malware with the help of a proven security solution. This will help to detect malware even if a “charging” vulnerability is used.
Rain, Telkom Mobile, lead in affordable data
A new report by the telecoms regulator in South Africa reveal the true consumer champions in mobile data costs
The latest bi-annual tariff analysis report produced by the Independent Communications Authority of South Africa (ICASA) reveals that Telkom Mobile data costs for bundles are two-thirds lower than those of Vodacom and MTN. On the other hand, Rain is half the price again of Telkom.
The report focuses on the 163 tariff notifications lodged with ICASA during the period 1 July 2018 to 31 December 2018.
“It seeks to ensure that there is retail price transparency within the electronic communications sector, the purpose of which is to enable consumers to make an informed choice, in terms of tariff plan preferences and/or preferred service providers based on their different offerings,” said Icasa.
ICASA says it observed the competitiveness between licensees in terms of the number of promotions that were on offer in the market, with 31 promotions launched during the period.
The report shows that MTN and Vodacom charge the same prices for a 1GB and a 3GB data bundle at R149 and R299 respectively. On the other hand, Telkom Mobile charges (for similar-sized data bundles) R100 (1GB) and R201 (3GB). Cell C discontinued its 1GB bundle, which was replaced with a 1.5GB bundle offered at the same price as the replaced 1GB data bundle at R149.
Rain’s “One Plan Package” prepaid mobile data offering of R50 for a 1GB bundle remains the most affordable when compared to the offers from other MNOs (Mobile Network Operators) and MVNOs (Mobile Virtual Network Operators).
“This development should have a positive impact on customers’ pockets as they are paying less compared to similar data bundles and increases choice,” said Icasa.
The report also revealed that the cost of out-of-bundle data had halved at both MTN and Vodacom, from 99c per Megabyte a year ago to 49c per Megabyte in the first quarter of this year. This was still two thirds more expensive than Telkom Mobile, which has charged 29c per Megabyte throughout this period (see graph below).
Meanwhile, from having positioned itself as consumer champion in recent years, Cell C has fallen on hard times, image-wise: it is by far the most expensive mobile network for out-of-bundle data, at R1.10 per Megabyte. Its prices have not budged in the past year.
The report highlights the disparities between the haves and have-nots in the dramatically plummeting cost of data per Megabyte as one buys bigger and bigger bundles on a 30-day basis (see graph below).
For 20 Gigabyte bundles, all mobile operators are in effect charging 4c per Megabyte. Only at that level do costs come in at under Rain’s standard tariffs regardless of use.
Qualcomm wins 5G as Apple and Intel cave in
A flurry of announcements from three major tech players ushered in a new mobile chip landscape, wrItes ARTHUR GOLDSTUCK
Last week’s shock announcement by Intel that it was canning its 5G modem business leaves the American market wide open to Qualcomm, in the wake of the latter winning a bruising patent war with Apple.
Intel Corporation announced its intention to “exit the 5G smartphone modem business and complete an assessment of the opportunities for 4G and 5G modems in PCs, internet of things devices and other data-centric devices”.
Intel said it would also continue to invest in its 5G network infrastructure business, sharpening its focus on a market expected to be dominated by Huawei, Nokia and Ericsson.
Intel said it would continue to meet current customer commitments for its existing 4G smartphone modem product line, but did not expect to launch 5G modem products in the smartphone space, including those originally planned for launches in 2020. In other words, it would no longer be supplying chips for iPhones and iPads in competition with Qualcomm.
“We are very excited about the opportunity in 5G and the ‘cloudification’ of the network, but in the smartphone modem business it has become apparent that there is no clear path to profitability and positive returns,” said Intel CEO Bob Swan. “5G continues to be a strategic priority across Intel, and our team has developed a valuable portfolio of wireless products and intellectual property. We are assessing our options to realise the value we have created, including the opportunities in a wide variety of data-centric platforms and devices in a 5G world.”
The news came immediately after Qualcomm and Apple issued a joint announced of an agreement to dismiss all litigation between the two companies worldwide. The settlement includes a payment from Apple to Qualcomm, along with a six-year license agreement, and a multiyear chipset supply agreement.
Apple had previously accused Qualcomm of abusing its dominant position in modem chips for smartphones and charging excessive license fees. It ordered its contract manufacturers, first, to stop paying Qualcomm for the chips, and then to stop using the chips altogether, turning instead to Intel.
With Apple paying up and Intel pulling out, Qualcomm is suddenly in the pound seats. It shares hit their highest levels in five years after the announcements.
Qualcomm said in a statement: “As we lead the world to 5G, we envision this next big change in cellular technology spurring a new era of intelligent, connected devices and enabling new opportunities in connected cars, remote delivery of health care services, and the IoT — including smart cities, smart homes, and wearables. Qualcomm Incorporated includes our licensing business, QTL, and the vast majority of our patent portfolio.”
Meanwhile, Strategy Analytics released a report on the same day that showed Ericsson, Huawei and Nokia will lead the market in core 5G infrastructure, namely Radio Access Network (RAN) equipment, by 2023 as the 5G market takes off. Huawei is expected to have the edge as a result of the vast scale of the early 5G market in China and its long term steady investment in R&D. According to a report entitled “Comparison and 2023 5G Global Market Potential for leading 5G RAN Vendors – Ericsson, Huawei and Nokia”, two outliers, Samsung and ZTE, are expected to expand their global presence alongside emerging vendors as competition heats up.