The Nigerian Communications Commission’s Cyber Security Incident Response Team (NCC-CSIRT) has alerted the public to some methods by which cyber attackers can gain access to their mobile phones while the device is being charged at public charging stations.

The agency identified the first method as Juice Jacking, and another as the Facebook for Android Friend Acceptance Vulnerability, which targets only the Android operating system.

These were disclosed in a statement titled ‘NCC-CSIRT Identifies Two Cyber Vulnerabilities,’ and signed by the Director, Public Affairs, Dr Ikechukwu Adinde.

The statement said that with Juice Jacking, attackers have found a new way to gain unauthorised entry into unsuspecting mobile phone users’ devices when they charge their mobile phones at public charging stations.

It further stated that an attacker can leverage this courtesy to load a payload onto the charging station or onto cables left plugged in at the stations.

Once an unsuspecting person plugs his or her phone into the charging station or the cable left by the attacker, the payload is automatically downloaded onto the victim’s phone. This payload then gives the attacker remote access to the mobile phone, thereby allowing them to monitor data transmitted as text, or audio using the microphone. The attacker can even watch the victim in real time if the victim’s camera is not covered. The attacker is also given full access to the gallery and to the phone’s Global Positioning System (GPS) location, the statement revealed.

The statement revealed further that when an attacker gains access to a user’s mobile phone, he gets remote access to the user’s phone, which leads to a breach of confidentiality, violation of data integrity and bypass of authentication mechanisms. Symptoms of an attack may include a sudden spike in battery consumption, the device operating slower than usual, and apps taking a long time to load, crashing frequently when they do load, and causing abnormal data usage.

The NCC-CSIRT, however, proffered solutions to the threat by suggesting that mobile phone users use a ‘charging only USB cable’ to avoid a Universal Serial Bus (USB) data connection; use their own AC charging adaptor in public spaces; and not grant trust at a portable device’s prompt for a USB data connection.

Further preventive measures against Juice Jacking attackers, according to the statement, include installing antivirus software and always keeping it updated to the latest definitions; keeping mobile devices up to date with the latest patches; using one’s own power bank; keeping mobile phones off when charging in public places; as well as ensuring the use of one’s own charger, if one must charge in public.

The NCC-CSIRT Advisory 0001 of January 27, 2022, also warns that Facebook for Android is vulnerable to a permission issue which allows anyone with physical access to the Android device to accept friend requests without unlocking the phone. The products affected include Versions 329.0.0.29.120 of Android OS.

The statement revealed that with this, the attacker will be able to add the victim as a friend and collect the victim’s personal information such as Email, Date of Birth, Check-ins, Mobile phone number, Address, Pictures, and other information that the victim may have shared on Facebook, which would only be visible to his/her friends.

NCC-CSIRT in the security advisory, therefore, recommends that users disable the feature from their device’s lock screen notification settings.

The NCC-CSIRT was inaugurated in October 2021 to provide guidance and direction for dealing with issues relating to the security of critical infrastructure, and periodically assess, review and collate the threats, risks, and opportunities affecting the communications sector.