The Nigerian Communications Commission (NCC) has alerted Nigerians of new tricks that hackers engage to gain access to mobile phones if you charge them in public places.
The commission, through its Cyber Security Incident Response Team, CSIRT, said hackers have devised two specific tricks to carry out such attacks.
According to NCC, the two tricks include Juice Jacking and Facebook Android Friend Acceptance Vulnerabilities.
While Juice Jacking can affect all phone brands including iPhones and Android devices, Facebook Android Friend acceptance targets only android devices.
Juice jacking attacks can take the forms of data theft, multi-device attacks, Malware installation, lock-out or hijack attack, etc.
Giving the warning to Nigerians, NCC’s Director of Public Affairs, Ikechukwu Adinde, urged Nigerians to avoid charging their devices in public places.
According to him, Nigerian phone users must be wary of public charging ports in areas such as airports, restaurants, shopping malls and public trains.
ALSO READ: Meta Privacy Centre; Check How Your Data Is Collected And Managed
Keep in mind that many commercial buses, trains, restaurants and malls offer free wifi and charging ports to customers.
The NCC director said, “An attacker can leverage this courtesy to load a payload in the charging station or on the cables they would leave plugged in at the stations.
“Once unsuspecting persons plug their phones at the charging station or the cable left by the attacker, the payload is automatically downloaded on the victims’ phone,” he said.
What Is Juice Jacking?
NCC said cyber attackers can gain unauthorized access into your smartphone and steal your private information through Juice Jacking.
Juice Jacking is a form of attack that compromises a person’s mobile devices like phones and tablets using USB cables and charging ports.
It allows intruders to copy sensitive data from your mobile devices.
They can steal your passwords, bank card pins, files, contacts, texts and pictures and videos.
How Juice Jacking works:
Hackers Juice-Jack your device by using a USB connection to load malware directly onto the charging station or charging port.
Also, such attacker can equally infect a connection cable (USB) and leave it plugged in to light.
Their target is usually with the hope that an unsuspecting person will come along and use the ‘forgotten’ cable.
When the person uses the “forgotten cable” to charge their devices, the hacker gains access into their devices and launch attacks.
With this access, the hacker can watch or monitor the phone owner in real life without their knowledge.
The second trick is using Facebook friend request acceptance.
Facebook Android Friend Acceptance:
NCC warns that Facebook for Android is vulnerable to a permission issue.
This method of attack allows the hacker or intruder with physical access to your android device.
The hacker then accepts friend requests with your device without unlocking it phone.
Also, the attacker will have the access to add you or other victims as a friend and steal your private information.
They can steal your Email, Date of Birth, Check-ins, contact lists, Address, Pictures and other sensitive information.
Versions of Android Devices at risk:
NCC said products affected include Versions 329.0.0.29.120 of Android OS.
How to protect yourself from Juice Jacking Facebook fake Friend Acceptance:
The commission advised phone users must avoid charging their devices at public charging stations.
For the Facebook acceptance trick, NCC recommends users to deactivate the feature from their device’s lock screen notification settings.
Meanwhile, NCC’s full report reads thus:
The statement read in part, “The CSIRT, in its first-ever security advisories less than three months after its creation, has solely identified the two cyber-attacks targeting the consumers and proffer solutions that can help telecom consumers from falling victims to the two cyber vulnerabilities.
“The first is described as Juice Jacking, which can gain access into consumers’ devices when charging mobile phones at public charging stations and it applies to all mobile phones. The other is a Facebook for Android Friend Acceptance Vulnerability, which targets only Android Operating System.
“According to CSIRT security Advisory 0001 released on January 26, 2022, with Juice Jacking, attackers have found a new way to gain unauthorised entry into unsuspecting mobile phone users devices when they charge their mobile phones at public charging stations.
“Many public spaces, restaurants, malls and even in the public trains do offer complementary services to their customers in a bid to enhance customer services, one of which is providing charging ports or sockets.
“However, an attacker can leverage this courtesy to load a payload in the charging station or on the cables they would leave plugged in at the stations.
“Once unsuspecting persons plug their phones at the charging station or the cable left by the attacker, the payload is automatically downloaded on the victims’ phone. This payload then gives the attacker remote access to the mobile phone, allowing them to monitor data transmitted as text, or audio using the microphone. The attacker can even watch the victim in real time if the victims’ camera is not covered. The attacker is also given full access to the gallery and also to the phone’s Global Positioning System (GPS) location.
“When an attacker gains access to a user’s Mobile phone, he gets remote access to the User’s phone which leads to breach in Confidentiality, Violation of Data Integrity and bypass of Authentication Mechanisms. Symptoms of attack may include sudden spike in battery consumption, device operating slower than usual, apps taking a long time to load, and when they load they crash frequently and cause abnormal data usage.”
“Other preventive measures against Juice Jacking include installing Antivirus and updating them to the latest definitions always; keeping mobile devices up to date with the latest patches; using one’s own power bank; keeping mobile phone off when charging in public places; as well as ensuring use of one’s own charger, if one must charge in public.
“On the other hand, the NCC-CSIRT Advisory 0001 of January 27, 2022, warns that Facebook for Android is vulnerable to a permission issue which gives privilege to anyone with physical access to the android device to accept friend requests without unlocking the phone. The products affected include Versions 329.0.0.29.120 of Android OS.
“With this, the attacker will be able to add the victim as a friend and collect personal information of the victim, such as Email, Date of Birth, Check-ins, Mobile phone number, Address, Pictures and other information that the victim may have shared, which would only be visible to his/her friends.
“However, to be protected from the Facebook-associated vulnerability, NCC-CSIRT in the security advisory recommends to users to disable the feature from their device’s lock screen notification settings.
“The NCC-CSIRT was inaugurated in October, 2021 to provide guidance and direction for the constituents in dealing with issues relating to the security of critical infrastructure in their possession, and periodically assess, review and collate the threat landscape, risks, and opportunities affecting the communications sector, in order to provide advice to relevant stakeholders in those regards.
“As the telecoms-industry specific intervention, the objective of which aligns with the objective of the National Cybersecurity Policy and Strategy (NCPS) document published by the Office of the National Security Adviser (ONSA), the NCC-CSIRT ensures continuous improvement of processes and communication frameworks to guarantee secure and collaborative exchange of timely information while responding to cyber threats within the sector.
“In recent times, NCC-CSIRT has raised series of cyber-vulnerability awareness based on security advisories it receives from the Nigerian Cybersecurity Emergency Response Team (ngCERT), which is the national body for the implementation of the NCPS objective. However, Juice Jacking and Facebook for Android Friend Acceptance Vulnerabilities are the two first-ever cyber vulnerabilities published by the NCC-CSIRT.”
Found this interesting? Share!