Video jackers can mirror phone screens on larger screens using USB charging stations
People use their phones to do all kinds of tasks today: pay bills, make purchases, check the score of the game. But those who use USB charging stations may want to think twice before checking off the first two items on that list. Security researchers have discovered a way to hack into smartphones using USB stations and view and record everything that is displayed on the screen.
Many people do not realize that their smartphones possess the ability to mirror their screens on a larger screen, just like a computer monitor. It is this capability that hackers can exploit through a method the researchers have dubbed "video jacking."
"Once a vulnerable phone is attached to the USB charging station, the spy machine hidden inside the station splits the video display and records everything you enter on the screen as long as it's plugged in," says Consumerist. "That means the PIN you use to unlock your phone, account numbers, texts, videos, pictures, the snarky comment you made on your friend's duck-face selfie on Instagram, etc."
Many of the phones at risk cannot tell the difference between a USB cord that is only charging the phone and a cord that is using the phone's mirroring ability, reports Brian Krebs of security blog KrebsOnSecurity. Nor, said Brian Markus, co-founder and CEO of Aries Security and one of the researchers who discovered the flaw, is there usually any kind of warning or alert given by the phone that video of its screen is being conveyed elsewhere.
"All of those phones have an HDMI access feature that is turned on by default," he told Krebs. "A few HDMI-ready phones will briefly flash something like 'HDMI Connected' whenever they're plugged into a power connection that is also drawing on the HDMI feature, but most will display no warning at all. This worked on all the phones we tested with no prompting."
Krebs reports that the smartphones vulnerable to being video jacked are Android or other HDMI-ready models from brands including Asus, BlackBerry, HTC, LG, Samsung, and ZTE. He also provided two lists of affected phones, although neither list is exhaustive. Markus was also able to video jack an iPhone using a special Lightning Digital AV Adapter obtained from Apple.
Although Krebs considers it unlikely that most people would have reason to fear their smartphone being video jacked, he nevertheless recommends carrying an extra charging dock during travel, using a USB charger equipped with a regular AC/DC power plug and a female USB port, and checking the settings on the phone to see if it will allow the user to disable screen mirroring.