In-depth

Charging on a London bus? Here's how to stay secure

London buses will have USB ports for charging smartphones, which isn't the security threat it may sound

Stuck on a bus in London traffic is annoying enough without running short of charge on your smartphone. 

But thanks to Mayor of London Sadiq Khan's new fleet of electric buses, London commuters on routes 507 and 521 will be able to recharge on the go, with twelve seats on each vehicle fitted with a USB port for charging. 

Advertisement - Article continues below

Is it safe to use such power ports, though, or do they come with a security risk? We asked the experts whether it's a good idea to charge and ride. For once with security, it's good news.

If you plug your phone into a laptop to recharge, data can leak. "Whenever a person plugs his/her mobile device into a USB port for charging, there is an exchange of data between the device and the USB host, behind which there could be someone or something intent on monitoring the activity on the device, tracking a user's location or even infecting a phone with malware," noted Kaspersky Lab's principal security researcher David Emm. 

However, USB ports can be used for both data and charging, and like airplane and other public ports, these are often only for power - and that significantly reduces the risk.

Advertisement
Advertisement - Article continues below

"As long as they are just USB chargers, there is not a security threat here," said Luis Corrons, PandaLabs technical director.  "There have been shown attacks where you could hack a phone with a charger, but that implies having a specifically modified charger to do that, so risk is close to zero."

Advertisement - Article continues below

Physical tampering

If the physical port looks as though it's been tampered with, you may want to avoid using it, however. "If they are just chargers, as long as hardware is not tampered with - that's the only thing to be secured - there is no problem at all," Corrons added.

The charging hardware can be tampered with just like a bank machine. "Ports that are designed to only charge can have devices mounted on top, like a card skimmer on an ATM," said Sean Sullivan, security advisor at F-Secure. 

Sullivan said he's not aware of any cases of malware spreading this way, but that doesn't mean hackers aren't trying. "If I recall the reporting correctly, airlines often need to clean malware off of inflight systems," he said. "But that's stuff that copied itself it didn't run so the malware 'spreads' but doesn't execute. I don't know of any cases of infections in-the-wild via USB connections."

Advertisement - Article continues below

Corrons agreed that there's been no attacks in the wild with public charging points, but said there's been limited proof-of-concept attacks. "If hypothetically speaking someone come up with a way to somehow write in the charger firmware, it could [develop] a malware to spread this way. Although in this case all chargers would be at risk, not just the public ones."

That said, USB malware does exist, and Emm pointed to previous cases where data has been stolen from mobile devices connected to PCs. "This technique was used in 2013 as part of the cyber-espionage campaign Red October," he noted. "The Hacking Team group also made use of a computer connection to load a mobile device with malware."

Advertisement
Advertisement - Article continues below

How to stay safe with public charging points

If that concerns you, there are security precautions you can take. 

External power banks are a wise choice for anyone frequently short on charge - not least because you may not always have a bus to hand. "The popularity of Pokmon Go has resulted in lots of sales on Power Banks," said Sullivan. "I recommend buying one if you need power on the go."

Advertisement - Article continues below

And just as hackers can have hardware to attack recharging bus riders, we too can turn to physical protection, said Andrew Patel, senior manager of technology outreach at F-Secure. "This is what a USB condom is for." 

Yes, that's actually a thing, and as with other areas of your life, it's smart to slap a condom on to stay protected. SyncStop is one example; it's a small widget that sits between your device and the charging USB port, preventing any data leakage. 

They cost $5 for an uncased version, and $19 for a cleaner looking package; in the UK, there's a rival version on Amazon for about 5

Kaspersky developed its own version called Pure.Charger, which stops data from being transfered to the charging device. 

"The device is compact and lightweight, with an intuitive touch-screen interface that allows users to charge a mobile device while controlling the data transfer to and from the host," said Emm. 

Advertisement - Article continues below

However, the Kickstarter project for it failed to meet its funding goal. Emm said it was "an experiment to attract the attention of a wider audience to the problem of unsafe charging and to see whether users are concerned about such threats and ready to adopt additional measures to protect their data." 

It would appear most people aren't worried, and the other two experts we spoke to suggested that isn't foolish of them, and there's no reason to avoid bus USB ports if your smartphone is in need of a recharge. 

Featured Resources

Navigating the new normal: A fast guide to remote working

A smooth transition will support operations for years to come

Download now

Putting a spotlight on cyber security

An examination of the current cyber security landscape

Download now

The economics of infrastructure scalability

Find the most cost-effective and least risky way to scale

Download now

IT operations overload hinders digital transformation

Clearing the path towards a modernised system of agreement

Download now
Advertisement
Advertisement

Recommended

Visit/security/ransomware/356292/university-of-california-gets-fleeced-by-hackers-for-114-million
ransomware

University of California gets fleeced by hackers for $1.14 million

30 Jun 2020
Visit/security/cyber-security/356289/australia-announces-135b-investment-in-cybersecurity
cyber security

Australia announces $1.35 billion investment in cyber security

30 Jun 2020
Visit/cloud/cloud-security/356288/csa-and-issa-form-cybersecurity-partnership
cloud security

CSA and ISSA form cyber security partnership

30 Jun 2020
Visit/business/policy-legislation/356215/senators-propose-a-bill-aimed-at-ending-warrant-proof-encryption
Policy & legislation

Senators propose a bill aimed at ending warrant-proof encryption

24 Jun 2020

Most Popular

Visit/laptops/29190/how-to-find-ram-speed-size-and-type
Laptops

How to find RAM speed, size and type

24 Jun 2020
Visit/policy-legislation/data-protection/356344/eu-institutions-warned-against-purchasing-any-further
data protection

EU institutions told to avoid Microsoft software after licence spat

3 Jul 2020
Visit/mobile/mobile-phones/356335/the-man-has-ruined-my-huawei-p40
Mobile Phones

The Man has ruined my Huawei P40

3 Jul 2020