OK – this one is simple. Just like you wouldn’t trust anyone with your passwords, don’t trust any machine or device that you don’t explicitly own. A little background…
I was traveling this past week for business and I happened upon a machine billed as a ‘rapid charger’ for your mobile device. I took notice of the 12 cables of varying connectors protruding from the front of it and thought to myself, “Hmm… I wonder what they’re connected to on the other side?” And as I was completing that thought I immediately jumped to, “Nope – I wouldn’t trust this thing even if I had no other charging option.” (I also took notice of all of the people camped out on the floor and at different coffee shops plugged into wall outlets.)
You see, to reduce the cost of mobile devices and probably enhance/simplify their design, manufacturers have resorted to only having a single port (in the vast majority of devices) and use that port for both data transfer and power management. That’s OK – if you trust what plugs into the other end of that cable. This is just the latest example of the never ending battle between security and convenience.
There are many flavors of software available that can be used to ‘sniff traffic’ – that is, listen to the information passed between two devices. Anyone can buy a small Raspberry Pi or Arduino-like device for a few dollars and install this software. If you unknowingly connect your phone to a device like this your data can be compromised. Here is an example of a keylogging device via USB that detects when a username/password combo is entered and sends that info wirelessly to a listening cellphone.
A recent publicly announced hack called BadUSB aims at reprogramming USB connected devices and turning them into evil agents. Basically what it does is take advantage of the simple vulnerability in the USB hardware – specifically, that it doesn’t contain protections from being reprogrammed. When you connect a device to a computer running this software your device is effectively owned and according to the BadUSB site, “can never be trusted again.”
The bottom line is you should not trust any device that you don’t own. Even a friend’s computer could have a malicious agent running on it waiting for a new victim. It’s a scary world out there. Be smart… stay safe… trust no one but yourself.
