Reset

Hackers Can Use USB Devices to Infiltrate Businesses Through Backdoor

November 19, 2019

Hikvision HikWire blog article USB Backdoor hackers

Hikvision Covers Data Exploit Data Using Juice-Jacking

 

In the piece, “The giveaway that gives your data away: Innocent looking USB devices can be the backdoors hackers need to infiltrate your business,” SecurityInfoWatch.com (SIW) covers a lesser known threat—plugging into an unknown USB drive—as a method used by hackers, also referred to as juice-jacking.

From the SIW article: “According to Kaspersky Labs, human vulnerabilities account for at least half of cybersecurity incidents. Human beings have multiple weaknesses, and one of the most common is the fact that we all like gifts. One needs only to walk the floor in various events and see the overwhelming wealth of giveaways that are offered to people who are willing to pause for a minute and grab a shirt/power bank/NERF gun or any other eye-catching gift. So, if you are a highly sophisticated crime organization targeting a certain bank, what would be better than arranging a promo in a nearby coffee-shop where most of the employees enjoy their coffee and offer them a free USB cup warmer?”

Hikvision’s cybersecurity director, Chuck Davis, outlines more details about data exploits using juice-jacking in the Hikvision blog, “Hikvision Cybersecurity Director Presents Pro Tips to Reduce Security Concerns Related to Juice-Jacking: Trading Your Data for Power.” An excerpt from the blog:

“Juice-jacking happens when someone connects their mobile device to a USB charging station that charges the device, but has also been modified to copy data from the mobile device, like photos and text messages, or infect the device with malware. This is possible because USB cables provide both charging and data transfer capabilities. When plugging a mobile device into a computer for charging, an application like iTunes generally pops up, the same way it does when you plug in an iPhone into a computer. This is because the computer recognizes the mobile device and is offering to back up the data from that device.”

Davis also offers the following pro tips to avoid becoming a victim of juice-jacking:

  1. Travel with your own USB power adapter, preferably the one that came with your mobile device. This will ensure that only power is going to your mobile device.
     
  2. Buy a USB data blocker. This device protects against untrusted USB ports because it only allows power to pass through to the mobile device. Are you skeptical? Good! Try it out between your phone and laptop. You'll see that nothing pops up to offer a backup of your phone’s data. There are a number of companies online that sell inexpensive data blockers.
     
  3. Buy a data blocking cable. Again, these are inexpensive and can be found online. With so many people backing up mobile devices to the cloud, you may not even need a normal cable that allows data transfer anymore.
     
  4. Another safe option for charging more modern mobile devices is to use a wireless charging pad since these only provide power to your device.
     
  5. Don't use untrusted cables. While this example doesn't infect or steal data from a mobile device, here is a video of Kevin Mitnick demonstrating a malicious cable that can install malware on your computer when you use it to charge your phone.

For other tips to address security concerns, view Hikvision’s catalog of cybersecurity blogs.

IMPORTANT! This model requires non-standard firmware. Do Not Install standard firmware (e.g. v.4.1.xx) on this model. Doing so will permanently damage your system. You must use custom firmware v.4.1.25 from the iDS-9632NXI-I8/16S product page.

By downloading and using software and other materials available via this website, you agree to be legally bound by HIKVISION General Terms of Use . If you don’t agree to these terms, you may not download or use any of those materials.

If you are agreeing on behalf of your company, you represent and warrant that you have legal authority to bind your company to the General Terms of Use above. Also you represent and warrant that you are of the legal age of majority in the jurisdiction in which you reside (at least 18 years of age in many countries).