No Free Charge Theorem: A Covert Channel via USB Charging Cable on Mobile Devices

Spolaor, Riccardo; Abudahi, Laila; Moonsamy, Veelasha; Conti, Mauro; Poovendran, Radha

doi:10.1007/978-3-319-61204-1_5

Cited by 33 publications

(32 citation statements)

References 25 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…For a targeted attack, an attacker may physically access the phone to fetch the malicious battery with the recorded power trace. Alternatively, the battery may manipulate the reported charge level to force the phone's owner to connect to a malicious charger, which in turn may relay the data to an outside attacker [30]. To trigger this behavior in a specific location equipped with malicious chargers, the battery may identify the browsing event to a gateway for connecting to a public hotspot.…”

Section: Fig 2 Microcontroller Inside the Battery Of Samsung Galaxy S4mentioning

confidence: 99%

Power to peep-all: Inference Attacks by Malicious Batteries on Mobile Devices

Lifshits

Forte

Hoshen

et al. 2018

Proceedings on Privacy Enhancing Technologies

View full text Add to dashboard Cite

Mobile devices are equipped with increasingly smart batteries designed to provide responsiveness and extended lifetime. However, such smart batteries may present a threat to users’ privacy. We demonstrate that the phone’s power trace sampled from the battery at 1KHz holds enough information to recover a variety of sensitive information. We show techniques to infer characters typed on a touchscreen; to accurately recover browsing history in an open-world setup; and to reliably detect incoming calls, and the photo shots including their lighting conditions. Combined with a novel exfiltration technique that establishes a covert channel from the battery to a remote server via a web browser, these attacks turn the malicious battery into a stealthy surveillance device. We deconstruct the attack by analyzing its robustness to sampling rate and execution conditions. To find mitigations we identify the sources of the information leakage exploited by the attack. We discover that the GPU or DRAM power traces alone are sufficient to distinguish between different websites. However, the CPU and power-hungry peripherals such as a touchscreen are the primary sources of fine-grain information leakage. We consider and evaluate possible mitigation mechanisms, highlighting the challenges to defend against the attacks. In summary, our work shows the feasibility of the malicious battery and motivates further research into system and application-level defenses to fully mitigate this emerging threat.

show abstract

Section: Fig 2 Microcontroller Inside the Battery Of Samsung Galaxy S4mentioning

confidence: 99%

Power to peep-all: Inference Attacks by Malicious Batteries on Mobile Devices

Lifshits

Forte

Hoshen

et al. 2018

Proceedings on Privacy Enhancing Technologies

View full text Add to dashboard Cite

show abstract

“…It achieves this by cutting off the data pins in the USB cable and allowing only the power pins to connect through. However, this solution does not work for certain charging attacks like PowerSnitch [37], which can leak information via analyzing power consumption.…”

Section: User Feedbackmentioning

confidence: 99%

“…where they presented Mactans, a malicious charger to launch charging attacks by injecting malware on an iOS6 device based on BeagleBoard during the charging process. Spolaor et al [37] then proposed PowerSnitch, a malicious application that can utilize power consumption to send out data over a USB charging cable to the public charging station. Since we are not sure that these charging facilities are not maliciously controlled by cyber-criminals including charging station developers, maintenance managers and Government agencies, there is a need to pay particular attention on charging vulnerabilities in public charging facilitates.…”

Section: Introductionmentioning

confidence: 99%

JFCGuard: Detecting juice filming charging attack via processor usage analysis on smartphones

Meng

Jiang

Wang

et al. 2018

Computers & Security

View full text Add to dashboard Cite

He received his B.Eng. degree in Computer Science from the Nanjing University of Posts and Telecommunications, China and obtained his Ph.D. degree in Computer Science from the City University of Hong Kong (CityU), Hong Kong in 2013. He was known as Yuxin Meng and prior to joining DTU, he worked as a research scientist in Infocomm Security (ICS) Department, Institute for Infocomm Research, Singapore, and as a senior research associate in CityU after graduation. He won the Outstanding Academic Performance Award during his doctoral study and won the HKIE Outstanding Paper Award for Young Engineers/Researchers in both 2014 and 2017. He is also a co-recipient of the Best Student Paper Award from the 10th International Conference on Network and System Security (NSS) in 2016. He is a member of Association for Computing Machinery (ACM) and IEEE. His primary research interests are cyber security and intelligent technology in security including intrusion detection, mobile security, biometric authentication, HCI security, cloud security, trust computation, and vulnerability analysis. He also shows a strong interest in applied cryptography. *The author was previously known as Yuxin Meng, and the work was finalized during a visit at Guangzhou University.

show abstract

“…The authors manipulated the charger to measure the current input to the phone and could reconstruct the leaked data stream by analysing the recorded power trace. In contrast to Spolaor et al [19], in this work we will not use any external devices to establish the covert channel but only rely on internal device measurements. Further, we will directly transfer data from one application to another within the device, which can leak the data later via conventional communication interfaces.…”

Section: Related Workmentioning

confidence: 99%

“…Using this map, the authors were able to reconstruct the movement trajectory of a mobile device by analysing the power trace. Spolaor et al [19] showed that it is possible to extract data from a charging phone by modulating the amount of power which is taken in via the charger, by changing the utilization of the mobile phones processor. The authors manipulated the charger to measure the current input to the phone and could reconstruct the leaked data stream by analysing the recorded power trace.…”

Section: Related Workmentioning

confidence: 99%

The security risks of power measurements in multicores

Miedl

Thiele

2018

Proceedings of the 33rd Annual ACM Symposium on Applied Computing

View full text Add to dashboard Cite

Two of the main goals of power management in modern multicore processors are reducing the average power dissipation and delivering the maximum performance up to the physical limits of the system, when demanded. To achieve these goals, hardware manufacturers and operating system providers include sophisticated power and performance management systems, which require detailed information about the current processor state. For example, Intel processors offer the possibility to measure the power dissipation of the processor. In this work, we are evaluating whether such power measurements can be used to establish a covert channel between two isolated applications on the same system; the power covert channel.We present a detailed theoretical and experimental evaluation of the power covert channel on two platforms based on Intel processors. Our theoretical analysis is based on detailed modelling and allows us to derive a channel capacity bound for each platform. Moreover, we conduct an extensive experimental study under controlled, yet realistic, conditions. Our study shows, that the platform dependent channel capacities are in the order of 2000 bps and that it is possible to achieve throughputs of up to 1000 bps with a bit error probability of less than 15%, using a simple implementation. This illustrates the potential of leaking sensitive information and breaking a systems security framework using a covert channel based on power measurements. CCS CONCEPTS• Security and privacy → Security in hardware; Operating systems security; KEYWORDS covert channel; power; capacity bound; empirical study ACM Reference Format:

show abstract

No Free Charge Theorem: A Covert Channel via USB Charging Cable on Mobile Devices

Cited by 33 publications

References 25 publications

Power to peep-all: Inference Attacks by Malicious Batteries on Mobile Devices

Power to peep-all: Inference Attacks by Malicious Batteries on Mobile Devices

JFCGuard: Detecting juice filming charging attack via processor usage analysis on smartphones

The security risks of power measurements in multicores

Contact Info

Product

Resources

About