Researchers at security firm Kaspersky Lab found that they could install a third-party application, like a virus, onto a phone via its USB cable connection to a computer. It took them under three minutes.
They also found that the Android and iOS phones tested leaked a host of private data to the computer they were connected to whilst charging, including the device name, device manufacturer, device type, serial number and even a list of files.
It's well known that public Wi-Fi connections are a security risk, as an iPhone-crashing bug showed, but USB connections to PCs are also a major vulnerability. Hackers proposed the idea as a theory in 2014, but it was never proven. The new research shows that the vulnerability is still open.
"The security risks here are obvious: if you’re a regular user, you can be tracked through your device IDs; your phone could be silently packed with anything from adware to ransomware. And, if you’re a decision-maker in a big company, you could easily become the target of professional hackers," said Alexey Komarov, researcher at Kaspersky Lab.
"And you don’t even have to be highly-skilled in order to perform such attacks, all the information you need can easily be found on the Internet."
Hackers have already exploited this connection: in 2013, Italian hackers known as "The Hacking Team" were able to infect a phone with malware through a computer connection.
They plotted the attack based on the device model of the victim, which the hackers managed to get through the USB-connected computer. "That would not have been as easy to achieve if smartphones did not automatically exchange data with a PC upon connecting to the USB port," Kaspersky Lab said.
How to protect yourself
- Only plug your phone into trusted computers, using trusted USB cables.
- Protect your mobile phone with a password, or with another method such as fingerprint recognition, and don’t unlock it while charging.
- Use encrypted apps like WhatsApp and iMessage to communicate.
- Antiviruses can be a bore, but they help to detect malware even if a “charging” vulnerability is used.
- Update your mobile operating system to the most recent version, as that will have the most up-to-date bug fixes.