3

Nearly every airplane these days has 5V USB power port at every seat. Some of these appear to be configured for power only, while others appear to be configured for both power and data transfer, since I will sometimes get a prompt on my iPhone: "Allow this device to access photos and videos?"

I think on some planes it might be possible to play media from your device on the seatback screen, but I'm not sure since I've never done it.

Is there any risk to using these USB ports if a malicious person is connected to another port on the plane? And is the risk any different if you allow/disallow media access?

please add appropriate tags, unsure which ones to use

Improve this question
1
  • possibly from the airline, if they were good hackers, but not other passengers.
    – dandavis
    Commented Mar 12, 2017 at 8:01

2 Answers 2

Reset to default
3

Yes. This could be dangerous. I'll try to explain a scenario where this may harm your phone:

Since you are using an iPhone and Apple's software is kept closed-source, we cannot know for sure whether it matters if you allow/disallow media access. I think it makes an attack somewhat more difficult, but not impossible. I will base my answer on Android phones, so that you can get a feel for the risk involved. iPhones can be as easily exploited but lets consider the following scenario:

  • An attacker plugs in a Rubber Ducky or a Teensy to the airplane's entertainment system. This allows him/her to perform an HID attack, compromising the machine that handles the entertainment system. The attacker is then able to run any process on the entertainment system.

  • Now you plug in your device. Assuming the same machine manages both yours and the attacker's USB ports, the process he/she is running can now infect your phone. The possibilities for an attacker are endless, and this scenario even helps him/her to employ some social engineering tactics (pretending to be the entertainment system to gain your trust, etc.).

A way of thwarting the threat is to use power only cables that you can make or buy for this use case.

Improve this answer
4
  • @dandavis Yes. InfoSec is sometimes about evaluating the worst case and preparing/defending against it. I did mention my assumptions, so my answer is to be taken with them in mind.
    – MiaoHatola
    Commented Mar 12, 2017 at 8:03
  • @dandavis Point taken. See my edit.
    – MiaoHatola
    Commented Mar 12, 2017 at 8:09
  • Maybe this is asking for conjecture, but is it likely to be obvious that the system is compromised (i.e., everyone's videos stop playing)? Or is it more likely that the attacker could allow it to continue functioning as usual?
    – Dan A.
    Commented Mar 14, 2017 at 9:29
  • @DanA. This is pretty specific, and depends on the system and the attack. But I'll just say that I've seen Teensy attacks that are pretty unnoticeable, and do not disrupt the normal function of the victim machine.
    – MiaoHatola
    Commented Mar 14, 2017 at 9:35
2

If there is, in fact, a data connection that is connected to a host, that yes absolutely. Using a RubberDucky or most recently, a Bash Bunny you could most certainly attack the host as these devices act as a HID device however, the BASH bunny has a significant amount of new functionality compared to the Rubber Ducky and would pose a much larger threat to someone who knew what they were doing.

For example: the BASH Bunny can act as several devices in one (HID, USB, Network, etc.) whereas the Rubber Ducky will act as a HID and is usually coded for a specific host OS (Windows, Linux, etc.). The Bash Bunny can adapt to the situation at hand.

Improve this answer

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .