What should I do if my mobile phone takes on a life of its own and exchanges data with the public USB charging cable? Fortunately, there is no need to worry about this – partly thanks to the research work of Florian Draschbacher and his team at TU Graz.
He’s a PhD candidate at TU Graz and is dedicated to the research field of mobile security; in other words, he deals with all security issues relating to mobile phones. This includes the different connectivities of mobile phones (wired and wireless) as well as supply chain security and API interface security.
Supply chain security means, for example, that not only original code from a developer is used in an app, but also third-party code – for example from advertisers, data analytics companies or various open source projects. These lines of code can only be partially checked and offer opportunities for attack. And there are also opportunities to infiltrate malicious code on the way from the developer to the app store and on to the smartphone. The third area of his work in mobile security is API interfaces, i.e. connection points between operating systems and apps that can leave the door open to attackers if they are not adequately secured.
After Juice Jacking came Choice Jacking
The Juice Jacking attack became known around ten years ago. Data was stolen using manipulated USB chargers that were available in public places for charging mobile phones. “A mobile phone only has one interface for power and data transmission. The operating systems simply assumed that a user would trust the interface when they connected to it,” explains Florian Draschbacher. The developers introduced a new dialogue box in which users have to confirm the data transfer. “We have found a way to have this dialogue confirmed within milliseconds by a manipulated charger and start a data transfer again without the knowledge of the owner.” An ethical approach is particularly important to the researchers, which is why the loophole was immediately reported to the manufacturers and fixed. But that’s not the end of the story: “My research goal is data security for end users. That’s why I’m still curious and still looking for new gaps.”
From app development to mobile security
The 30-year-old’s interest in apps was already apparent at a young age. As a hobby: “I was always interested in app development and I found it fascinating that such small devices can be transformed into multifunctional tools with just a little effort,” he says today. “I attended a grammar school, so my path into technology was not preordained. But today I see it more as an advantage that computer science remained just a hobby for a long time.” Today, he can no longer imagine life without research: “It’s both mystery and miracle. The spirit of research and curiosity are always present. I can’t switch it off.”
Don’t drive yourself mad
In his private life, Florian Draschbacher has a pragmatic view of potential security gaps: “There’s no point in driving yourself mad all the time. Although it is important to always have the latest security updates on your mobile phone, as a normal consumer you need have little concern about targeted attacks. The only important thing is to think about particularly sensitive data worth protecting.”
