By. Suzanne Rowan Kelleher
We’ve all been there. Your smartphone or tablet is low on power and you’ve left your charging cable at home. There’s no harm in borrowing one from a fellow passenger in the airport departure lounge or from your hotel’s front desk clerk, right?
In 2019, that would be a huge mistake, say cybersecurity experts.
“There are certain things in life that you just don’t borrow,” says Charles Henderson, Global Managing Partner and Head of X-Force Red at IBM Security. “If you were on a trip and realized you forgot to pack underwear, you wouldn’t ask all your co-travelers if you could borrow their underwear. You’d go to a store and buy new underwear.”
Henderson runs a team of hackers that clients hire to break into their computer systems in order to expose vulnerabilities. Since cyberhackers have figured out how to implant charging cables with malware that can remotely hijack devices and computers, his team sometimes uses a trick to teach clients to be less trusting of third-party charging cables. “We might send somebody a swag iPhone cable in the mail. Maybe we have it branded as something innocuous, like a vendor or a partner that they have listed on their website. We send off the cable and see if the person plugs it in,” he says.
Last week, at the annual DEF CON Hacking Conference in Las Vegas — “hacker summer camp,” says Henderson — a hacker who goes by “MG” demonstrated an iPhone lightning cable that he had modified. After using the cable to connect an iPod to a Mac computer, MG remotely accessed the cable’s IP address and took control of the Mac, as Vice reported in play-by-play fashion. MG noted that he could later remotely “kill” the implanted malware and wipe out all evidence of its existence. The enterprising hacker had a stash of so-called O.MG cables that he was selling for $200 apiece.
Malicious charging cables aren’t a widespread threat at this time, says Henderson, “Mainly because this kind of attack doesn’t scale real well, so if you saw it, it would be a very targeted attack.”
“But just because we haven’t yet seen a widespread attack doesn’t mean we won’t see it, because it certainly does work,” says Henderson. “The technology is really small and really cheap. It can get so small that it looks like an ordinary cable but has the capability and the intelligence to plant malware on its victim. These things are only going to get cheaper to produce and it’s not something your average consumer is going to be tracking to know when it becomes viable on a mass scale.”
For the moment, Henderson says, a bigger threat than malicious charging cables is USB charging stations you see in public places like airports. “We’ve seen a couple of instances where people modified charging stations. I’m not talking about an electrical outlet, I’m talking about when there’s a USB port on a charging station.”
“Being careful about what you plug into your devices is just good tech hygiene,” says Henderson. “Think of it in the same way that you think about opening mail attachments or sharing passwords. In a computing context, sharing cables is like sharing your password, because that’s the level of access you’re crucially conveying with these types of technology.”
Many travelers know that, in a pinch, the hotel front desk will often have a drawer of charging cables that were left behind by guests.
Don’t be tempted, says Henderson. “If the front desk had a drawerful of underwear, would you wear those?”