More and more public places offer USB ports for charging a mobile phone or laptop battery. We find them in the subway, on buses and in airports. However, experts warn of the risks of connecting to them and remind us how to protect ourselves. In fact, even the National Police has drawn attention to this risk in one of its campaigns to make people wary.
Why are public USB ports not secure?
“The power charge travels through a USB port, but data also travels,” says Helena Rifà, director of the master’s degree in cybersecurity and privacy at the Universitat Oberta de Catalunya (UOC). Therefore, when you connect to a public USB port intending to charge your mobile's battery, you are actually connecting to a plug that carries both data and power.
Rifà explains that the risk is that “someone exploits this weakness to put a fake plug that is barely noticeable and extract data from users’ mobile phones.” An attacker could steal the data on your mobile at that moment, or even install malicious software that steals information about what you do and write (such as passwords) and sends it via Wi-Fi to an external server, this expert warns.
A public USB port is not dangerous in itself, since its installation as public works is supervised to make sure it is done properly. “The danger comes when someone manipulates it later, as is done with ATMs,” says Rifà.
Can you detect if a USB port has been tampered with?
It is very difficult to detect tampering with charging stations, but sometimes you can. Rifà explains that one way to steal our data is “to put a fake charger on top of another with a small Wi-Fi antenna that sends the data to an external server, so if we see that something strange is sticking out of the USB port, it is better to be cautious.”
If you use a public USB port, select the “charge only” option on your mobile
The probability of having your mobile data stolen while charging at a public USB port is not that high. The port must have been manipulated and, furthermore, “in current mobiles, when you connect them, you get a pop-up asking you if you want to give your permission to transfer data or just charge the battery,” recalls Rifà. This is already good protection.
The risk is that many times when we use the mobile we are distracted and in a hurry and we can accept pop-ups without thinking. That’s why it’s important to know the dangers and be cautious.
Rifà: “People are not aware of the risk of connecting a USB”
The expert believes that “this possible source of attacks on security and privacy (from public USB ports) is a serious problem, especially considering that most people are unaware of the risk of USBs, but since there have been no mass attacks that have made the news, the real risk is not perceived.”
Rifà recalls an experiment conducted on a college campus by researchers from Google and the Universities of Illinois and Michigan in which 297 USB memory sticks were left scattered throughout campus. The result was that 135 people connected the ones they found to their computers, which showed that almost 50% of the students did not perceive the risk involved in such an action.
What can we do to protect ourselves?
To avoid the risks that can come from public USB ports, Rifà recommends the following:
- Charge mobile devices from power outlets, using a USB power adapter that we bring ourselves.
- Use USB sockets in public spaces to charge portable USB batteries. Once we have a full battery, we can safely charge our electronic devices with it.
- Use charge-only USB cables. These cables can be purchased, but we can also convert a USB 2.0 cable we have at home into a charge-only cable ourselves. A USB cable has four wires, and only the middle two carry data, since the outer two pins are the ones that provide the five-volt power supply. Thus, we can turn a USB cable into a charge-only cable if we disable the inner pins (the two in the middle) of the connector, for example by covering them with adhesive tape.
- Use what are known as USB condoms. These are small devices that plug into any USB socket and have their data pins disabled. This allows the device to receive power, but nothing else.
Sources
Helena Rifà, director of the master’s degree in cybersecurity and privacy at the Open University of Catalonia (UOC)