Charging on a London bus? Here's how to stay secure
London buses will have USB ports for charging smartphones, which isn't the security threat it may sound
Stuck on a bus in London traffic is annoying enough without running short of charge on your smartphone.
But thanks to Mayor of London Sadiq Khan's new fleet of electric buses, London commuters on routes 507 and 521 will be able to recharge on the go, with twelve seats on each vehicle fitted with a USB port for charging.
Is it safe to use such power ports, though, or do they come with a security risk? We asked the experts whether it's a good idea to charge and ride. For once with security, it's good news.
If you plug your phone into a laptop to recharge, data can leak. "Whenever a person plugs his/her mobile device into a USB port for charging, there is an exchange of data between the device and the USB host, behind which there could be someone or something intent on monitoring the activity on the device, tracking a user's location or even infecting a phone with malware," noted Kaspersky Lab's principal security researcher David Emm.
However, USB ports can be used for both data and charging, and like airplane and other public ports, these are often only for power - and that significantly reduces the risk.
"As long as they are just USB chargers, there is not a security threat here," said Luis Corrons, PandaLabs technical director. "There have been shown attacks where you could hack a phone with a charger, but that implies having a specifically modified charger to do that, so risk is close to zero."
Physical tampering
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
If the physical port looks as though it's been tampered with, you may want to avoid using it, however. "If they are just chargers, as long as hardware is not tampered with - that's the only thing to be secured - there is no problem at all," Corrons added.
The charging hardware can be tampered with just like a bank machine. "Ports that are designed to only charge can have devices mounted on top, like a card skimmer on an ATM," said Sean Sullivan, security advisor at F-Secure.
Sullivan said he's not aware of any cases of malware spreading this way, but that doesn't mean hackers aren't trying. "If I recall the reporting correctly, airlines often need to clean malware off of inflight systems," he said. "But that's stuff that copied itself it didn't run so the malware 'spreads' but doesn't execute. I don't know of any cases of infections in-the-wild via USB connections."
Corrons agreed that there's been no attacks in the wild with public charging points, but said there's been limited proof-of-concept attacks. "If hypothetically speaking someone come up with a way to somehow write in the charger firmware, it could [develop] a malware to spread this way. Although in this case all chargers would be at risk, not just the public ones."
That said, USB malware does exist, and Emm pointed to previous cases where data has been stolen from mobile devices connected to PCs. "This technique was used in 2013 as part of the cyber-espionage campaign Red October," he noted. "The Hacking Team group also made use of a computer connection to load a mobile device with malware."
How to stay safe with public charging points
If that concerns you, there are security precautions you can take.
External power banks are a wise choice for anyone frequently short on charge - not least because you may not always have a bus to hand. "The popularity of Pokmon Go has resulted in lots of sales on Power Banks," said Sullivan. "I recommend buying one if you need power on the go."
And just as hackers can have hardware to attack recharging bus riders, we too can turn to physical protection, said Andrew Patel, senior manager of technology outreach at F-Secure. "This is what a USB condom is for."
Yes, that's actually a thing, and as with other areas of your life, it's smart to slap a condom on to stay protected. SyncStop is one example; it's a small widget that sits between your device and the charging USB port, preventing any data leakage.
They cost $5 for an uncased version, and $19 for a cleaner looking package; in the UK, there's a rival version on Amazon for about 5.
Kaspersky developed its own version called Pure.Charger, which stops data from being transfered to the charging device.
"The device is compact and lightweight, with an intuitive touch-screen interface that allows users to charge a mobile device while controlling the data transfer to and from the host," said Emm.
However, the Kickstarter project for it failed to meet its funding goal. Emm said it was "an experiment to attract the attention of a wider audience to the problem of unsafe charging and to see whether users are concerned about such threats and ready to adopt additional measures to protect their data."
It would appear most people aren't worried, and the other two experts we spoke to suggested that isn't foolish of them, and there's no reason to avoid bus USB ports if your smartphone is in need of a recharge.