Don’t charge phones in trains, restaurants, NCC warns

The Nigerian Communications Commission has warned against charging mobile phones using public charging ports or sockets in order to protect them from cyberattacks.

It also cautioned against accepting charging cables or chargers from strangers in public places.

The NCC stated this through its Cyber Security Incident Response Team, in its first-ever security advisories less than three months after its creation, raising the alarm over the newly identified two cyberattacks, Juice Jacking and Facebook for Android Friend Acceptance Vulnerability.

A statement by the NCC Friday said Juice Jacking can gain access into consumers’ devices when charging mobile phones at public charging stations and applies to all mobile phones.

It added that the Facebook for Android Friend Acceptance Vulnerability targets only Android Operating System.

Many public spaces, restaurants, malls, and even public trains do offer complementary services to their customers in a bid to enhance customer services, one of which is providing charging ports or sockets.

However, an attacker can leverage this courtesy to load a payload in the charging station or on the cables they would leave plugged in at the stations.

NCC said, “Once unsuspecting persons plug their phones at the charging station or the cable left by the attacker, the payload is automatically downloaded on the victims’ phone.

“This payload then gives the attacker remote access to the mobile phone, allowing them to monitor data transmitted as text, or audio using the microphone.

“The attacker can even watch the victim in real time if the victims’ camera is not covered.

“The attacker is also given full access to the gallery and also to the phone’s Global Positioning System (GPS) location.

It said when an attacker gains access to a user’s mobile phone, he would get remote access to the user’s phone which would lead to a breach in confidentiality, violation of data integrity, and bypass of authentication mechanisms.

The NCC said symptoms of attack may include a sudden spike in battery consumption, devices operating slower than usual, apps taking a long time to load, and when they load they crash frequently and cause abnormal data usage.

The NCC-CSIRT, however, proffered solutions to this attack to include using ‘charging only USB cable’, to avoid Universal Serial Bus (USB) data connection; using one’s AC charging adaptor in public space, and not granting trust to portable devices prompt for USB data connection.

Other preventive measures against Juice Jacking include installing Antivirus and updating them to the latest definitions always; keeping mobile devices up to date with the latest patches; using one’s own power bank; keeping the mobile phone off when charging in public places; as well as ensuring use of one’s own charger if one must charge in public.

 

On the other hand, the NCC-CSIRT Advisory 0001 of January 27 warns that Facebook for Android is vulnerable to a permission issue which gives privilege to anyone with physical access to the android device to accept friend requests without unlocking the phone.

 

With this, the attacker will be able to add the victim as a friend and collect personal information of the victim, such as email, date of birth, check-ins, mobile phone number, address, pictures and other information that the victim may have shared, which would only be visible to his/her friends.

 

However, to be protected from the Facebook-associated vulnerability, NCC-CSIRT in the security advisory recommended to users to disable the feature from their device’s lock screen notification settings.