The Nigerian Communications Commission’s Cyber Security Incident Response Team (NCC-CSIRT) has independently identified two cyber vulnerabilities and advised Nigerian telecom consumers on the measures to take to be protected.
The CSIRT, in its first-ever security advisory less than three months after its creation, has solely identified the two cyber-attacks targeting the consumers and proffer solutions that can prevent telecom consumers from falling victim.
The first, ‘Juice Jacking’, can gain access to consumers’ devices while charging mobile phones [all types] at public charging stations. The other is a ‘Facebook for Android Friend Acceptance Vulnerability’, which targets only Android Operating System (AOS).
According to CSIRT’s Security Advisory, 0001 released on January 26, 2022, with ‘Juice Jacking’ attackers have found a new way to gain unauthorised entry into unsuspecting mobile phone users’ devices when they charge their mobile phones at public charging stations.
Many public spaces, restaurants, malls and even public trains offer complementary services to their customers in a bid to enhance customer services, by providing charging ports or sockets.
However, an attacker can leverage this courtesy to load a payload in the charging station or on the cables they would leave plugged in at the stations.
Once unsuspecting persons plug their phones at the charging station or the cable left by the attacker, the payload is automatically downloaded on the victims’ phone. This payload then gives the attacker remote access to the mobile phone, allowing them to monitor data transmitted as text, or audio using the microphone. The attacker can even watch the victim in real-time if the victims’ camera is not covered. The attacker is also given full access to the gallery and also to the phone’s global positioning system (GPS) location.
When an attacker gains access to a user’s mobile phone, he gets remote access to the user’s phone which leads to a breach in confidentiality, violation of data integrity and bypass of authentication mechanisms. Symptoms of attack may include a sudden spike in battery consumption, devices operating slower than usual, apps taking a long time to load [and crash frequently when they do] and causing abnormal data usage.
The NCC-CSIRT, however, advised that phone users use ‘charging only’ USB cables, to avoid Universal Serial Bus (USB) data connection; using one’s AC charging adaptor in public space and not granting trust to portable devices prompt to establish a USB data connection.
Other preventive measures against ‘Juice Jacking’ include installing anti-virus and updating them to the latest definitions always; keeping mobile devices up-to-date with the latest patches, using one’s power bank, keeping mobile phone off when charging in public places, as well as ensuring use of one’s charger, if one must charge in public.
On the other hand, the NCC-CSIRT Advisory 0001 of January 27, 2022, warned that Facebook for Android is vulnerable to a permission issue that gives privilege to anyone with physical access to the android device to accept friend requests without unlocking the phone. The products affected include versions 3220.127.116.11.120 of Android OS.
With this, the attacker adds the victim as a ‘friend’ and collects personal information of the victim – email, date of birth, check-ins, mobile phone number, address, pictures and other information that the victim may have shared, which would only be visible to his/her friends.
However, to be protected from the Facebook-associated vulnerability, NCC-CSIRT in the security advisory recommended tat users disable the feature from their device’s lock screen notification settings.
A statement by the director, public affairs, NCC, Dr. Ikechukwu Adinde, said the NCC-CSIRT was inaugurated in October 2021 to provide guidance and direction for the constituents in dealing with issues relating to the security of critical infrastructure in their possession, and periodically assess, review and collate the threat landscape, risks and opportunities affecting the communications sector, to advice relevant stakeholders in those regards.
As the telecoms-industry specific intervention, the objective of which aligns with the objective of the National Cybersecurity Policy and Strategy (NCPS) document published by the Office of the National Security Adviser (ONSA), the NCC-CSIRT ensures continuous improvement of processes and communication frameworks to guarantee the secure and collaborative exchange of timely information while responding to cyber threats within the sector.
In recent times, NCC-CSIRT has raised a series of cyber-vulnerability awareness based on security advisories it receives from the Nigerian Cybersecurity Emergency Response Team (ngCERT), which is the national body for the implementation of the NCPS objective. However, ‘Juice Jacking’ and ‘Facebook for Android Friend Acceptance’ vulnerabilities are the two, first-ever cyber vulnerabilities published by the NCC-CSIRT.