When your phone starts complaining that its battery is running low, you probably wouldn't think twice about plugging it into a computer to charge it up.
But security experts claim that this simple act could be enough to get you hacked.
According to researchers at Kaspersky Lab, plugging your iPhone or Android smartphone into a computer results in a whole load of data being exchanged between the two devices.
This could include the phone's name, the manufacturer, the device type, the serial number, firmware information, the operating system information, the file system and the electronic chip ID.
The amount of data sent varies depending on the device and the host, but each smartphone transfers the same basic set of information - like device name, manufacturer and serial number.
While this information may seem fairly innocuous, it is enough for a hacker to break into a smartphone and take control, according to Kaspersky.
Using a regular PC and a standard micro USB cable, the researchers were able to silently install a "root application" on a test smartphone, amounting to a total compromise of the device.
This is not the first time theft of data from a mobile connected to a computer has been observed.
This technique was used in 2013 as part of the cyberespionage campaign Red October. The Hacking Team group also made use of a computer connection to load a mobile device with malware.
In both of these cases, the hackers found a way to exploit the supposedly safe data exchange between the smartphone and the PC it was connected to.
By checking the identification data received from the connected device, the hackers were able to discover what device model the victim was using and then use this information to tailor their attack.
This would not have been as easy to achieve if smartphones did not automatically exchange data with a PC upon connecting to the USB port.
"The security risks here are obvious: if you’re a regular user you can be tracked through your device IDs; your phone could be silently packed with anything from adware to ransomware," warns Alexey Komarov, researcher at Kaspersky Lab.
If you're worried about getting hacked in this way, Kaspersky Lab says there are several ways to protect yourself:
- Use only trusted USB charging points and computers to charge your device
- Protect your mobile phone with a password, or with another method such as fingerprint recognition, and don’t unlock it while charging
- Use encryption technologies and secure containers (protected areas on mobile devices used to isolate sensitive information) to protect the data
- Install some kind of antivirus software that is capable of detecting malware even if a "charging" vulnerability is used.