As of July 30th, shared power banks have become a lifesaver for many who find their phones running out of battery while on the go. However, a recent advisory from China’s Ministry of State Security highlights a concerning reality: these ubiquitous charging stations could be exploited by foreign intelligence agencies and malicious actors to steal personal data and even state secrets.
The Ministry of State Security’s official WeChat account has issued a stark warning, urging the public to avoid using shared power banks from unknown sources or those with unusual interfaces. The advisory also sheds light on the various methods through which these devices can be compromised for data theft.
Shared power banks are susceptible to data breaches through four primary channels: hardware modifications, manipulative authorization prompts, software implantation, and the exploitation of backend operational data. Each of these avenues presents a unique risk to user privacy and security.
Hardware Modifications
Foreign intelligence agencies or individuals with malicious intent may exploit weaknesses in the supply chain of shared power banks, from manufacturing and sales to deployment. By subtly embedding miniature computer chips or other malicious hardware within the devices, they can create covert data channels. These compromised devices can steal sensitive information, including contacts, photos, videos, social media accounts, and even payment details, all while ostensibly charging a user’s device. Publicly available information suggests that such tampered power banks can exfiltrate significant amounts of critical data in a remarkably short period.
Authorization Traps
Exploiting the anxiety of users facing a low phone battery, adversaries may employ technical means to present deceptive prompts during the charging process. These might include questions like “Trust this device?” or “Allow USB debugging?”. The goal is to trick users into granting explicit permission, thereby opening a backdoor into their device’s operating system. This bypasses standard security measures, granting attackers control and enabling them to conduct deeper espionage, such as initiating eavesdropping or unauthorized surveillance.
Software Implantation
There is a risk that shared power banks may come pre-loaded with spyware, malware, or backdoor programs. Once a user connects to a “poisoned” power bank, this malicious code can stealthily infiltrate the device’s system, operating like parasitic software. Even after the charging session ends and the connection is severed, the malware can continue to run in the background, effectively turning the user’s phone into a constant surveillance tool.
Exploitation of Backend Data
Foreign entities may seek to illegally acquire backend operational data from shared power bank providers. By leveraging advanced artificial intelligence techniques for deep data mining, they can analyze vast amounts of user data, including location history, usage patterns, and device identifiers. This information can be used to create detailed profiles of individual and group behavior, track specific sensitive individuals, and even assess collective dynamics for activities that could pose security risks. This method, while less direct, offers a powerful tool for intelligence gathering and behavioral analysis on a broad scale.
In response to these potential threats, authorities advise users to prioritize shared power banks from reputable brands and official distributors. It is critical to avoid devices from unknown sources, those showing signs of tampering, or those with unusual ports. Users should also be wary of granting unnecessary permissions to charging devices, especially those not intended for data transfer. If a phone exhibits unusual behavior after using a shared power bank, such as overheating, rapid battery drain, sluggish performance, or unexpected pop-up ads, users should immediately cease using the device and run a comprehensive scan with reliable security software. In severe cases, a factory reset or professional assistance may be necessary.
