The Nigerian Communications Commission’s Cyber Security Incident Response Team (NCC-CSIRT) has independently identified two cyber vulnerabilities while also advising Nigerian telecom consumers on the measures to get protected from the cyber-attacks.
Described as Juice Jacking, which is capable of gaining access into consumers’ devices when charging mobile phones at public charging stations applies to all mobile phones while the second is a Facebook for Android Friend Acceptance Vulnerability, which targets only Android Operating System.
According to CSIRT security Advisory released on January 26, 2022, with Juice Jacking, attackers have found a new way to gain unauthorized entry into unsuspecting mobile phone users devices when they charge their mobile phones at public charging stations.
An attacker is said to leverage on complementary services in public spaces to load a payload in the charging station or on the cables they would leave plugged in at the stations.
On usage of the cable left by the attacker, the payload is automatically downloaded on the victims’ phone, granting attacker remote access to the mobile phone, allowing them to monitor data transmitted as text, or audio using the microphone. The attacker can even watch the victim in real time if the victims’ camera is not covered. The attacker is also given full access to the gallery and also to the phone’s Global Positioning System (GPS) location.
The advisory said the effect of an attacker gaining access to a user’s Mobile phone includes breach in Confidentiality, Violation of Data Integrity and bypass of Authentication Mechanisms. This leads to a sudden spike in battery consumption, device operating slower than usual, apps taking a long time to load, and when they load they crash frequently and cause abnormal data usage.
The NCC-CSIRT, further said the some of the preventive measures include using ‘charging only USB cable’, to avoid Universal Serial Bus (USB) data connection; using one’s AC charging adaptor in public space; and not granting trust to portable devices prompt for USB data connection.
Others preventive measures against Juice Jacking include installing Antivirus and updating them to the latest definitions always; keeping mobile devices up to date with the latest patches; using one’s own power bank; keeping mobile phone off when charging in public places; as well as ensuring use of one’s own charger, if one must charge in public.
It also warns that Facebook for Android is vulnerable to a permission issue which gives privilege to anyone with physical access to the android device to accept friend requests without unlocking the phone. The products affected include Versions 329.0.0.29.120 of Android OS.
With this, the attacker will be able to add the victim as a friend and collect personal information of the victim, such as Email, Date of Birth, Check-ins, Mobile phone number, Address, Pictures and other information that the victim may have shared, which would only be visible to his/her friends.
For protection, NCC-CSIRT in the security advisory recommends that users disable the feature from their device’s lock screen notification settings.
The NCC-CSIRT was inaugurated in October, 2021 to provide guidance and direction for the constituents in dealing with issues relating to the security of critical infrastructure in their possession, and periodically assess, review and collate the threat landscape, risks, and opportunities affecting the communications sector, in order to provide advice to relevant stakeholders in those regards.