No Free Charge Theorem: a Covert Channel via USB Charging Cable on Mobile Devices

TL;DR

This paper demonstrates a novel covert channel attack where malicious charging stations can exfiltrate data from smartphones via USB cables without data transfer, exploiting energy consumption patterns.

Contribution

It introduces the first known method of data exfiltration through a malicious charging station using USB power lines without data transfer permissions.

Findings

Feasibility of data exfiltration via power lines demonstrated

Android prototype successfully leaks sensitive data

Attack does not require user permissions or data transfer mode

Abstract

More and more people are regularly using mobile and battery-powered handsets, such as smartphones and tablets. At the same time, thanks to the technological innovation and to the high user demands, those devices are integrating extensive functionalities and developers are writing battery-draining apps, which results in a surge of energy consumption of these devices. This scenario leads many people to often look for opportunities to charge their devices at public charging stations: the presence of such stations is already prominent around public areas such as hotels, shopping malls, airports, gyms and museums, and is expected to significantly grow in the future. While most of the time the power comes for free, there is no guarantee that the charging station is not maliciously controlled by an adversary, with the intention to exfiltrate data from the devices that are connected to it. In this paper, we illustrate for the first time how an adversary could leverage a maliciously controlled charging station to exfiltrate data from the smartphone via a USB charging cable (i.e., without using the data transfer functionality), controlling a simple app running on the device, and without requiring any permission to be granted by the user to send data out of the device. We show the feasibility of the proposed attack through a prototype implementation in Android, which is able to send out potentially sensitive information, such as IMEI, contacts' phone number, and pictures.