Stories

The Daily Q: Could new taxi USB chargers put your phone’s data at risk?

Last week, the New York City Taxi and Limousine Corporation unveiled the Taxi of Tomorrow. It features biker-friendly sliding doors, anti-microbial seats and, to much acclaim, a power outlet and two USB ports to charge electronics. But how safe is it to connect your phone via USB to any old port in a cab? After all, smartphone USB cables…

Last week, the New York City Taxi and Limousine Corporation unveiled the Taxi of Tomorrow. It features biker-friendly sliding doors, anti-microbial seats and, to much acclaim, a power outlet and two USB ports to charge electronics.

But how safe is it to connect your phone via USB to any old port in a cab? After all, smartphone USB cables often double as data transfer cables, which can download an entirety of your phone’s data to whatever source is on the other end. It’s also well-known that some computer viruses are designed to travel via infected USB flash drives.

The New York World wants to know: Could new taxi USB chargers put your phone’s data at risk?

If you have information or insights to share, write us, tweet @thenyworld or comment below.

What we found

While the practice of “juice-jacking” is rare in the wild, a group of researchers at the 2011 DefCon cyber security conference showed it was possible to create a fake mobile charging station that steals user data. The group, headed by Brian Markus, president of Aries Security, outfitted an innocuous-looking public charging station with software capable of downloading a connected smartphone’s datastore through its USB connection. This particular charging station only showed a warning message, since its goal was to increase cybersecurity awareness. But in total, at least 360 security-conscious attendees were tricked to let their guards down and connect their devices.

How could security-cracking code infect a Taxi of Tomorrow? A few different ways, depending on how much access the malicious party has to the taxi’s hardware and how the taxi’s electronics are configured.

“It would be very easy for someone to put a small laptop in the front seat of the taxi,” said Markus, “put in a fake USB charging port and people would plug in to that instead of the manufacturer’s.” At that point, the malicious party could download a passenger’s phone data or deliver a virus.

“It’s very easy to tap into a USB port,” Markus noted. “There’s only four wires so you can cut it, splice into it, or you could replace it. There are a number of things somebody with malicious intent could do.”

With access to a plugged-in device, simply downloading someone’s data would be the easiest ploy, noted Jacob Olcott, cyber security expert and Principal at Good Harbor Consulting. “In this case, the person has already taken the first step by initiating contact,” he said. “They are the ones that plug in.”

To retrieve the data, the person would need to have repeated access to the taxi or else install some type of wireless transmission device.

Now, this is all hypothetical. The vehicle is still under development, and the hardware design will have much to do with how secure the ports are. Nissan includes USB ports in other vehicles, and in an email statement about the new taxi fleet told The New York World:“ the 2 USB ports and 12V port provided in the partition are strictly connected to the vehicle power source only,” with no way to interact with the taxi’s communication systems.

But even USB ports designed to provide a power source still do have to transfer data, however – for example, telling the hardware whether a passenger is plugging in an iPhone or an iPad, each of which has different power capacities.

Other cyber security experts agreed that users plug into unknown USB ports at their own risk. “We have known for a long time, USB connections are a fabulous way to transmit viruses,” said Fred Cate, director of the Center for Cybersecurity Research at Indiana University. “One way to think about it is you can charge most phones off a computer. Would you plug your phone into a stranger’s computer sitting in the cab next to you? Maybe you would, but it is not a very rational choice.”

Cyber security expert Tom Kellerman, vice president of Cybersecurity at Trend Micro and member of the Center for Strategic and International Studies’ Cybersecurity Commission for the 44th Presidency, calls the idea of putting open USB connections in New York’s taxis “pretty scary.” He says he hopes that Nissan is going through the proper due diligence in securing such a system, especially if it plans on introducing WiFi connectivity.

The consensus from the cybersecurity experts we spoke with: If you’re charging your phone in a Taxi of Tomorrow, bring your own USB adapter and plug in to the 12V power outlet.

Add a comment

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

1 Comment

  1. In the absence of an archive link I can not tell if The Daily has covered the issues surrounding NYC attempting to legalize street hails in view of the recent court ruling which was a set back to the implementation at the end of June.
    Given this was an issue that primarily affected affected residents of the Bronx, Harlem and outer Borough urban pockets it is understood why for 40 years it got so little attention and media coverage. I am now amazed at how little coverage this issue has gotten when it affects 7 million of the 8.3 million residents of NYC
    I would have thought that this would fall in your sweet spot of issues you cover. The “gypsy cab phenomena” affects the existing and proposed Columbia University community as well as so many others.
    You can cover
    the stakeholders as well as their vested interest.
    Why did the Mayor go to Albany rather than getting approval from the NYC Council and on and on…..