The Daily Q: Could new taxi USB chargers put your phone's data at risk?

The Daily Q: Could new taxi USB chargers put your phone’s data at risk?

Posted April 9, 2012 By Michael Keller

Last week, the New York City Taxi and Limousine Corporation unveiled the Taxi of Tomorrow. It features biker-friendly sliding doors, anti-microbial seats and, to much acclaim, a power outlet and two USB ports to charge electronics.

But how safe is it to connect your phone via USB to any old port in a cab? After all, smartphone USB cables often double as data transfer cables, which can download an entirety of your phone’s data to whatever source is on the other end. It’s also well-known that some computer viruses are designed to travel via infected USB flash drives.

The New York World wants to know: Could new taxi USB chargers put your phone’s data at risk?

If you have information or insights to share, write us, tweet @thenyworld or comment below.

What we found

While the practice of “juice-jacking” is rare in the wild, a group of researchers at the 2011 DefCon cyber security conference showed it was possible to create a fake mobile charging station that steals user data. The group, headed by Brian Markus, president of Aries Security, outfitted an innocuous-looking public charging station with software capable of downloading a connected smartphone’s datastore through its USB connection. This particular charging station only showed a warning message, since its goal was to increase cybersecurity awareness. But in total, at least 360 security-conscious attendees were tricked to let their guards down and connect their devices.

How could security-cracking code infect a Taxi of Tomorrow? A few different ways, depending on how much access the malicious party has to the taxi’s hardware and how the taxi’s electronics are configured.

“It would be very easy for someone to put a small laptop in the front seat of the taxi,” said Markus, “put in a fake USB charging port and people would plug in to that instead of the manufacturer’s.” At that point, the malicious party could download a passenger’s phone data or deliver a virus.

“It’s very easy to tap into a USB port,” Markus noted. “There’s only four wires so you can cut it, splice into it, or you could replace it. There are a number of things somebody with malicious intent could do.”

With access to a plugged-in device, simply downloading someone’s data would be the easiest ploy, noted Jacob Olcott, cyber security expert and Principal at Good Harbor Consulting. “In this case, the person has already taken the first step by initiating contact,” he said. “They are the ones that plug in.”

To retrieve the data, the person would need to have repeated access to the taxi or else install some type of wireless transmission device.

Now, this is all hypothetical. The vehicle is still under development, and the hardware design will have much to do with how secure the ports are. Nissan includes USB ports in other vehicles, and in an email statement about the new taxi fleet told The New York World:“ the 2 USB ports and 12V port provided in the partition are strictly connected to the vehicle power source only,” with no way to interact with the taxi’s communication systems.

But even USB ports designed to provide a power source still do have to transfer data, however – for example, telling the hardware whether a passenger is plugging in an iPhone or an iPad, each of which has different power capacities.

Other cyber security experts agreed that users plug into unknown USB ports at their own risk. “We have known for a long time, USB connections are a fabulous way to transmit viruses,” said Fred Cate, director of the Center for Cybersecurity Research at Indiana University. “One way to think about it is you can charge most phones off a computer. Would you plug your phone into a stranger’s computer sitting in the cab next to you? Maybe you would, but it is not a very rational choice.”

Cyber security expert Tom Kellerman, vice president of Cybersecurity at Trend Micro and member of the Center for Strategic and International Studies’ Cybersecurity Commission for the 44th Presidency, calls the idea of putting open USB connections in New York’s taxis “pretty scary.” He says he hopes that Nissan is going through the proper due diligence in securing such a system, especially if it plans on introducing WiFi connectivity.

The consensus from the cybersecurity experts we spoke with: If you’re charging your phone in a Taxi of Tomorrow, bring your own USB adapter and plug in to the 12V power outlet.

The New York World is published under Creative Commons' BY-ND 3.0 license. Unless otherwise noted, you are welcome to reprint The New York World's reporting. Except by prior arrangement, the following guidelines apply:

Credit The New York World, preferably by appending “The New York World” to the bylines already on the stories. Bylines must remain in the stories.
Do not edit stories, except to reflect relative changes in time or location (eg. “Yesterday, following months of uncertainty, Governor Cuomo...” may be changed to begin “In January,” or “Early this year”)
You may edit stories to accommodate style variations or to expand acronyms (eg. “TWU Local 100” may be written “Transport Workers Union Local 100”)

Stories reprinted online must:

include a link to the original story on http://www.thenewyorkworld.com
retain all links included in our original reporting
Retain in republished HTML a simple tracking code, provided in the body of each story as published on The New York World website.
include a syndication source tag directing search engines to the original story in The New York World
Do not republish The New York World wholesale or automatically
Contact our editor with any questions about this policy or to make arrangements to reprint The New York World stories under other terms.
This reprint policy is subject to change.

<h1>The Daily Q: Could new taxi USB chargers put your phone’s data at risk?</h1><a onclick="javascript:pageTracker._trackPageview('/outgoing/www.thenewyorkworld.com/wp-content/uploads/2012/01/dailyQ2-01.jpg');" href="http://www.thenewyorkworld.com/wp-content/uploads/2012/01/dailyQ2-01.jpg"><img class="alignleft size-full wp-image-2600" title="dailyQ2-01" src="http://www.thenewyorkworld.com/wp-content/uploads/2012/01/dailyQ2-01.jpg" alt="" width="105" height="105" /></a>Last week, the New York City Taxi and Limousine Corporation unveiled the <a onclick="javascript:pageTracker._trackPageview('/outgoing/www.nyc.gov/html/media/html/news/taxioftomorrow.shtml');" title="Taxi of Tomorrow" href="http://www.nyc.gov/html/media/html/news/taxioftomorrow.shtml" target="_blank">Taxi of Tomorrow</a>. It features biker-friendly sliding doors, anti-microbial seats and, <a onclick="javascript:pageTracker._trackPageview('/outgoing/www.theatlantic.com/technology/archive/2012/04/heres-what-a-ride-in-the-taxi-of-the-future-will-get-you/255472/');" title="Atlantic" href="http://www.theatlantic.com/technology/archive/2012/04/heres-what-a-ride-in-the-taxi-of-the-future-will-get-you/255472/" target="_blank">to much acclaim</a>, a power outlet and two USB ports to charge electronics.
But how safe is it to connect your phone via USB to any old port in a cab? After all, smartphone USB cables often double as data transfer cables, which can download an entirety of your phone’s data to whatever source is on the other end. It’s also well-known that some computer viruses are designed to travel via <a onclick="javascript:pageTracker._trackPageview('/outgoing/www.wallstreetdaily.com/2012/03/08/cyber-securitys-biggest-threat/');" title="Infected USB" href="http://www.wallstreetdaily.com/2012/03/08/cyber-securitys-biggest-threat/" target="_blank">infected USB flash drives</a>.
The New York World wants to know: Could new taxi USB chargers put your phone’s data at risk?
If you have information or insights to share, <a onclick="javascript:pageTracker._trackPageview('/mailto/nyworld@thenewyorkworld.com');" href="mailto:nyworld@thenewyorkworld.com">write us</a>, tweet @thenyworld or comment below.
What we found
While the practice of “juice-jacking” is rare in the wild, a group of researchers at the 2011 DefCon cyber security conference <a onclick="javascript:pageTracker._trackPageview('/outgoing/www.pcworld.com/article/238499/charging_stations_may_be_juicejacking_data_from_your_cellphone.html');" href="http://www.pcworld.com/article/238499/charging_stations_may_be_juicejacking_data_from_your_cellphone.html">showed it was possible to create a fake mobile charging station</a> that steals user data. The group, headed by Brian Markus, president of Aries Security, outfitted an innocuous-looking public charging station with software capable of downloading a connected smartphone’s datastore through its USB connection. This particular charging station only showed a warning message, since its goal was to increase cybersecurity awareness. But in total, at least 360 security-conscious attendees were tricked to let their guards down and connect their devices.
How could security-cracking code infect a Taxi of Tomorrow? A few different ways, depending on how much access the malicious party has to the taxi’s hardware and how the taxi’s electronics are configured.
“It would be very easy for someone to put a small laptop in the front seat of the taxi,” said Markus, “put in a fake USB charging port and people would plug in to that instead of the manufacturer’s.” At that point, the malicious party could download a passenger’s phone data or deliver a virus.
“It’s very easy to tap into a USB port,” Markus noted. “There’s only four wires so you can cut it, splice into it, or you could replace it. There are a number of things somebody with malicious intent could do.” 

With access to a plugged-in device, simply downloading someone’s data would be the easiest ploy, noted Jacob Olcott, cyber security expert and Principal at Good Harbor Consulting. “In this case, the person has already taken the first step by initiating contact,” he said. “They are the ones that plug in.”
To retrieve the data, the person would need to have repeated access to the taxi or else install some type of wireless transmission device.
Now, this is all hypothetical. The vehicle is still under development, and the hardware design will have much to do with how secure the ports are. Nissan includes USB ports in other vehicles, and in an email statement about the new taxi fleet told The New York World:“ the 2 USB ports and 12V port provided in the partition are strictly connected to the vehicle power source only,” with no way to interact with the taxi’s communication systems.
But even USB ports designed to provide a power source still do have to transfer data, however – for example, telling the hardware whether a passenger is plugging in an iPhone or an iPad, each of which has different power capacities.
Other cyber security experts agreed that users plug into unknown USB ports at their own risk. “We have known for a long time, USB connections are a fabulous way to transmit viruses,” said Fred Cate, director of the Center for Cybersecurity Research at Indiana University. “One way to think about it is you can charge most phones off a computer. Would you plug your phone into a stranger’s computer sitting in the cab next to you? Maybe you would, but it is not a very rational choice.”
Cyber security expert Tom Kellerman, vice president of Cybersecurity at Trend Micro and member of the Center for Strategic and International Studies’ Cybersecurity Commission for the 44th Presidency, calls the idea of putting open USB connections in New York’s taxis “pretty scary.” He says he hopes that Nissan is going through the proper due diligence in securing such a system, especially if it plans on introducing WiFi connectivity.
The consensus from the cybersecurity experts we spoke with: If you’re charging your phone in a Taxi of Tomorrow, bring your own USB adapter and plug in to the 12V power outlet.

Increasing number of New York school children skipping vaccinations

More than 22,000 medical and religious exemptions were granted to students for the 2013-14 school year, up 27 percent from 2010-11, according to the state Health Department. Public and private enrollment over the same period remained largely flat.

New data provides first detailed look at military gear held by New York law enforcement agencies

Over the past several years, more than 120 law enforcement agencies across the state, from the NYPD to Tuckahoe, have obtained military-grade equipment through the Pentagon’s 1033 program, which transfers excess military equipment to state and local police across the country.