No Free Charge Theorem 2.0: How to Steal Private Information from a Mobile Device Using a Powerbank

Conference:  BlackHat EU 2018



The presentation discusses a low-cost and easily deployable method of exfiltrating data from smartphones using power consumption analysis.
  • The presenter demonstrates a prototype device that can measure power consumption and receive data transmitted through a covert channel.
  • The device can be deployed through seemingly innocuous applications that do not require special permissions.
  • The data exfiltration method is low-cost and can be easily deployed in power banks, charging stations, or USB adapters.
  • The device can transmit data at a rate of 2 bits per second.
  • The decoder can recognize bits and divide them into bytes using an ASCII code.
  • The device can be detected through CPU bursts, but the presenter suggests waiting until the battery is above a certain level of charge before transmitting data.
The presenter demonstrates how the device can transmit data through a covert channel using a colleague's smartphone. The device measures power consumption and transmits data in a binary format. The presenter suggests that the device can be deployed through seemingly innocuous applications, such as a fancy alarm clock that accesses music files. The presenter also notes that the device can be detected through CPU bursts, but suggests waiting until the battery is above a certain level of charge before transmitting data.


Thanks to their omnipresence and versatility, users rely on smartphones to execute, in a few touches, a wide range of privacy-related operations, such as accessing bank accounts, checking emails, or transferring money. While not long ago users were seeking a constant Internet connection (e.g., via free Wi-Fi hotspots), they now also look for energy sources to recharge their smartphones' batteries, due to the use of more energy-draining apps (e.g., Pokémon Go). This phenomenon has led to the spread of free charging stations in public places and the marketing of portable batteries, a.k.a. powerbanks.

Despite the measures implemented by Android's developers to prevent data transfer via USB cable (i.e., "Charging only" mode), we are able to exploit a hidden communication channel which leverages only the electrical current provided for charging the smartphone.

On one side, a malicious app (which can be disguised as a legitimate, clean app) installed on the victim's phone, which only requires the wakelock permission (i.e., to wake up the phone when it is idle), remains silent until the device is plugged into a USB port and left unattended. The app then begins transmitting sensitive data coded in energy consumption peaks. On the other side, the energy provider (e.g., a powerbank) is able to measure such peaks and then reconstruct the transmitted information. All this happens without the malicious app having access to the Internet or any other permissions, except for access to the information that it wants to exfiltrate.
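The summary notes that the transmission is visible as CPU bursts while the phone charges unattended. The following is an added example, not code from the presentation: a detection heuristic that flags load whose burst lengths are locked to the stated 2 bits per second. The 10 Hz sampling rate, the load threshold, the on-off keyed encoding and all sample traces are assumptions constructed for illustration.

```python
from itertools import groupby

SAMPLES_PER_BIT = 5   # assumed 10 Hz load sampling at the stated 2 bits per second
HIGH_PCT = 60         # assumed CPU-load threshold separating a burst from idle
JITTER = 1            # samples of timing slack allowed per run

def burst_runs(samples):
    """Reduce (cpu_pct, charging, screen_on) samples to (is_high, length) runs,
    keeping only samples taken while the phone charges with the screen off."""
    unattended = [cpu >= HIGH_PCT for cpu, charging, screen_on in samples
                  if charging and not screen_on]
    return [(high, len(list(group))) for high, group in groupby(unattended)]

def on_grid(length):
    """True if a run lasts close to a whole number of bit periods."""
    nearest = max(1, round(length / SAMPLES_PER_BIT)) * SAMPLES_PER_BIT
    return abs(length - nearest) <= JITTER

def looks_like_power_signalling(samples, min_runs=8, min_aligned=0.9):
    """Flag load that toggles repeatedly with run lengths locked to the bit
    period; ordinary background jobs produce irregular run lengths."""
    runs = burst_runs(samples)[1:-1]   # edge runs are truncated by the window
    if len(runs) < min_runs:
        return False
    aligned = sum(on_grid(length) for _, length in runs)
    return aligned / len(runs) >= min_aligned

def trace(run_lengths, charging=True, screen_on=False):
    """Build a constructed trace of alternating high/low load runs."""
    out, high = [], True
    for length in run_lengths:
        out += [(90 if high else 5, charging, screen_on)] * length
        high = not high
    return out

# Constructed inputs: on-off keyed load (assumed encoding) versus a bursty sync job.
KEYED = trace([5, 5, 10, 10, 15, 15, 5, 5, 10, 5, 5, 5])
SYNC_JOB = trace([3, 7, 2, 12, 4, 9, 3, 6, 2, 11, 8, 3])
IN_USE = trace([5, 5, 10, 10, 15, 15, 5, 5, 10, 5, 5, 5], screen_on=True)

if __name__ == "__main__":
    for name, t in [("keyed", KEYED), ("sync job", SYNC_JOB), ("in use", IN_USE)]:
        print(name, looks_like_power_signalling(t))
```

A real monitor would also have to cope with an app that delays transmission until the battery is above a charge threshold, as the presenter suggests, so the window has to cover the whole charging session rather than its first minutes.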


