No Free Charge Theorem: A Covert Channel via USB Charging Cable on Mobile Devices

  • Riccardo SpolaorEmail author
  • Laila Abudahi
  • Veelasha Moonsamy
  • Mauro Conti
  • Radha Poovendran
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10355)


More and more people are regularly using mobile and battery-powered handsets, such as smartphones and tablets. At the same time, thanks to the technological innovation and to the high user demand, those devices are integrating extensive battery-draining functionalities, which results in a surge of energy consumption of these devices. This scenario leads many people to often look for opportunities to charge their devices at public charging stations: the presence of such stations is already prominent around public areas such as hotels, shopping malls, airports, gyms and museums, and is expected to significantly grow in the future. While most of the times the power comes for free, there is no guarantee that the charging station is not maliciously controlled by an adversary, with the intention to exfiltrate data from the devices that are connected to it.

In this paper, we illustrate for the first time how an adversary could leverage a maliciously controlled charging station to exfiltrate data from the smartphone via a USB charging cable (i.e., without using the data transfer functionality), controlling a simple app running on the device—and without requiring any permission to be granted by the user to send data out of the device. We show the feasibility of the proposed attack through a prototype implementation in Android, which is able to send out potentially sensitive information, such as IMEI and contacts’ phone number.



This work is supported by ONR grants N00014-14-1-0029 and N00014-16-1-2710, ARO grant W911NF-16-1-0485 and NSF grant CNS-1446866.

Veelasha Moonsamy is supported by the Technology Foundation STW (project 13499 - TYPHOON & ASPASIA) from the Dutch government.

Mauro Conti is supported by a Marie Curie Fellowship funded by the European Commission (agreement PCIG11-GA-2012-321980). This work is also partially supported by the EU TagItSmart! Project (agreement H2020-ICT30-2015-688061), the EU-India REACH Project (agreement ICI+/2014/342-896), “Physical-Layer Security for Wireless Communication”, and “Content Centric Networking: Security and Privacy Issues” funded by the University of Padua. This work is partially supported by the grant n. 2017-166478 (3696) from Cisco University Research Program Fund and Silicon Valley Community Foundation.

We would like to thank Elia Dal Santo and Moreno Ambrosin for their insightful comments.


  1. 1.
    Aloraini, B., Johnson, D., Stackpole, B., Mishra, S.: A new covert channel over cellular voice channel in smartphones. Technical report (2015). arXiv preprint arXiv:1504.05647
  2. 2.
    Aviv, A.J., Gibson, K., Mossop, E., Blaze, M., Smith, J.M.: Smudge attacks on smartphone touch screens. In: Proceedings of USENIX WOOT (2010)Google Scholar
  3. 3.
    Aviv, A.J., Sapp, B., Blaze, M., Smith, J.M.: Practicality of accelerometer side channels on smartphones. In: Proceedings of USENIX ACSAC (2012)Google Scholar
  4. 4.
    Baghel, S., Keshav, K., Manepalli, V.: An investigation into traffic analysis for diverse data applications on smartphones. In: Proceedings of NCC (2012)Google Scholar
  5. 5.
    Bartel, A., Klein, J., Le Traon, Y., Monperrus, M.: Automatically securing permission-based software by reducing the attack surface: an application to android. In: Proceedings of ACM ASE (2012)Google Scholar
  6. 6.
    Carroll, A., Heiser, G.: An analysis of power consumption in a smartphone. In: Proceedings of USENIX ATC (2010)Google Scholar
  7. 7.
    Chacos, B.: USB condom promises to protect your dongle from infected ports. PC World, August 2014.
  8. 8.
    Chandra, S., Lin, Z., Kundu, A., Khan, L.: Towards a systematic study of the covert channel attacks in smartphones. In: Tian, J., Jing, J., Srivatsa, M. (eds.) SecureComm 2014. LNICSSITE, vol. 152, pp. 427–435. Springer, Cham (2015). doi: 10.1007/978-3-319-23829-6_29 CrossRefGoogle Scholar
  9. 9.
    Conti, M., Mancini, L.V., Spolaor, R., Verde, N.V.: Analyzing android encrypted network traffic to identify user actions. IEEE TIFS 11(1), 114–125 (2016)Google Scholar
  10. 10.
    Do, Q., Martini, B., Choo, K.K.R.: Exfiltrating data from android devices. Comput. Secur. 48, 74–91 (2015)CrossRefGoogle Scholar
  11. 11.
    Felt, A.P., Chin, E., Hanna, S., Song, D., Wagner, D.: Android permissions demystified. In: Proceedings of ACM CCS (2011)Google Scholar
  12. 12.
    Ferreira, D., Dey, A.K., Kostakos, V.: Understanding human-smartphone concerns: a study of battery life. In: Proceedings of PerCom (2011)Google Scholar
  13. 13.
    Kim, H., Smith, J., Shin, K.G.: Detecting energy-greedy anomalies and mobile malware variants. In: Proceedings of ACM MobiSys (2008)Google Scholar
  14. 14.
    Lalande, J.-F., Wendzel, S.: Hiding privacy leaks in android applications using low-attention raising covert channels. In: Proceedings of ARES (2013)Google Scholar
  15. 15.
    Lau, B., Jang, Y., Song, C., Wang, T., Chung, P.H., Royal, P.: Mactans: injecting malware into IOS devices via malicious chargers. Black Hat, USA (2013)Google Scholar
  16. 16.
    Lin, L., Kasper, M., Güneysu, T., Paar, C., Burleson, W.: Trojan side-channels: lightweight hardware trojans through side-channel engineering. In: Clavier, C., Gaj, K. (eds.) CHES 2009. LNCS, vol. 5747, pp. 382–395. Springer, Heidelberg (2009). doi: 10.1007/978-3-642-04138-9_27 CrossRefGoogle Scholar
  17. 17.
    Liu, L., Yan, G., Zhang, X., Chen, S.: VirusMeter: preventing your cellphone from spies. In: Kirda, E., Jha, S., Balzarotti, D. (eds.) RAID 2009. LNCS, vol. 5758, pp. 244–264. Springer, Heidelberg (2009). doi: 10.1007/978-3-642-04342-0_13 CrossRefGoogle Scholar
  18. 18.
    Marforio, C., Ritzdorf, H., Francillon, A., Capkun, S.: Analysis of the communication between colluding applications on modern smartphones. In: Proceedings of USENIX ACSAC (2012)Google Scholar
  19. 19.
    Meng, W., Lee, W.H., Murali, S., Krishnan, S.: Charging me and i know your secrets!: towards juice filming attacks on smartphones. In: Proceedings of ACM CPS-SEC (2015)Google Scholar
  20. 20.
    Moonsamy, V., Rong, J., Liu, S.: Mining permission patterns for contrasting clean and malicious android applications. J. Future Gener. Comput. Syst. 36, 122–132 (2013)CrossRefGoogle Scholar
  21. 21.
    Novak, E., Tang, Y., Hao, Z., Li, Q., Zhang, Y.: Physical media covert channels on smart mobile devices. In: Proceedings of ACM UbiComp (2015)Google Scholar
  22. 22.
    Owusu, E., Han, J., Das, S., Perrig, A., Zhang, J.: ACCessory: password inference using accelerometers on smartphones. In: Proceedings of ACM HotMobile (2012)Google Scholar
  23. 23.
    Pathak, A., Charlie Hu, Y., Zhang, M.: Where is the energy spent inside my app?: Fine grained energy accounting on smartphones with Eprof. In: Proceedings of ACM EuroSys (2012)Google Scholar
  24. 24.
    Proakis, J.G.: Intersymbol Interference in Digital Communication Systems. Wiley, Hoboken (2003)CrossRefGoogle Scholar
  25. 25.
    Reynolds, D.: Gaussian mixture models. Encycl. Biom., 827–832 (2015)Google Scholar
  26. 26.
    Schlegel, R., Zhang, K., Zhou, X.Y., Intwala, M., Kapadia, A., Wang, X.: Soundcomber: a stealthy and context-aware sound trojan for smartphones. In: Proceedings of NDSS (2011)Google Scholar
  27. 27.
    Spreitzer, R.: Pin skimming: exploiting the ambient-light sensor in mobile devices. In: Proceedings of ACM CCS SPSM (2014)Google Scholar
  28. 28.
    Stöber, T., Frank, M., Schmitt, J., Martinovic, I.: Who do you sync you are?: Smartphone fingerprinting via application behaviour. In: Proceedings of ACM WiSec (2013)Google Scholar
  29. 29.
    Taylor, V.F., Spolaor, R., Conti, M., Martinovic, I.: Appscanner: automatic fingerprinting of smartphone apps from encrypted network traffic. In: Proceedings of IEEE EuroS&P (2016)Google Scholar
  30. 30.
    Android Developers. Optimizing for Doze and App Standby.
  31. 31.
    Business Insider. The Smartphone Market Is Now Bigger Than The PC Market (2011).
  32. 32.
    Yan, L., Guo, Y., Chen, X., Mei, H.: A study on power side channels on mobile devices. In: Proceedings of ACM Internetware (2015)Google Scholar
  33. 33.
    Yoon, C., Kim, D., Jung, W., Kang, C., Cha, H.: AppScope: application Energy metering framework for android smartphone using kernel activity monitoring. In: Proceedings of ATC (2012)Google Scholar

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Riccardo Spolaor
    • 1
    Email author
  • Laila Abudahi
    • 2
  • Veelasha Moonsamy
    • 3
  • Mauro Conti
    • 1
  • Radha Poovendran
    • 2
  1. 1.University of PaduaPaduaItaly
  2. 2.University of WashingtonSeattleUSA
  3. 3.Radboud UniversityNijmegenThe Netherlands

Personalised recommendations