Menu Close

Cybersecurity: NCC-CSIRT identifies 2 cyber vulnerabilities, offers measures for consumer protection

Juice Jacking Mobile Device Vulnerability Photo: DNA India

*The Nigerian Communications Commission’s Cyber Security Incident Response Team (NCC-CSIRT) alerts telecoms consumers to two cyber vulnerabilities, and urges Nigerians on preventive measures to take in order to get protected against cyberattacks

Gbenga Kayode | ConsumerConnect

The Nigerian Communications Commission’s Cyber Security Incident Response Team (NCC-CSIRT) has independently identified two cyber vulnerabilities, and advised Nigerian telecoms consumers on the measures to be taken to protect themselves from the cyberattacks.

ConsumerConnect had reported the CSIRT, in its first-ever security advisories less than three months after its creation, has solely identified the two cyberattacks targeting the consumers and proffered solutions that could help telecoms consumers from falling victims to the two cyber vulnerabilities.

The telecoms regulatory Commission in a statement Dr. Ikechukwu Adinde, Director of Public Affairs at NCC, issued Friday, January, 2022, in Abuja, FCT, said the first of the two vulnerabilities is described as ‘Juice Jacking’, which can gain access into consumers’ devices when charging mobile phones at public charging stations and it applies to all mobile phones.

RELATED Cybercrime: NCC Alerts Consumers To New ‘AbstractEmu’ Malware Attacking Android Devices

The NCC stated that the second is a ‘Facebook for Android Friend Acceptance Vulnerability’, which targets only Android Operating System (OS).

According to CSIRT security Advisory 0001 released January 26, 2022, with Juice Jacking, attackers have found a new way to gain unauthorised entry into unsuspecting mobile phone users devices when they charge their mobile phones at public charging stations.

The Commission also said: “Many public spaces, restaurants, malls and even in the public trains do offer complementary services to their customers in a bid to enhance customer services, one of which is providing charging ports or sockets.”

However, an attacker can leverage this courtesy to load a payload in the charging station or on the cables they would leave plugged in at the stations.

READ ALSO: NCC Alerts Consumers To ‘BadUSB’ Ransomware Attacking Organisations’ Networks

The NCC further noted: “Once unsuspecting persons plug their phones at the charging station or the cable left by the attacker, the payload is automatically downloaded on the victims’ phone.

“This payload then gives the attacker remote access to the mobile phone, allowing them to monitor data transmitted as text, or audio using the microphone.

“The attacker can even watch the victim in real time if the victims’ camera is not covered. The attacker is also given full access to the gallery and also to the phone’s Global Positioning System (GPS) location.”

The Commission explained when an attacker gains access to a user’s Mobile phone, he gets remote access to the User’s phone which leads to breach in Confidentiality, Violation of Data Integrity and bypass of Authentication Mechanisms. Symptoms of attack may include sudden spike in battery consumption, device operating slower than usual, apps taking a long time to load, and when they load they crash frequently and cause abnormal data usage.

READ ALSO: Danbatta Restates NCC’s Commitment To Broadband, Consumer Protection, Digital Economy

The NCC-CSIRT, however, proffered solutions to this attack to include using ‘charging only USB cable’, to avoid Universal Serial Bus (USB) data connection; using one’s AC charging adaptor in public space; and not granting trust to portable devices prompt for USB data connection.

Other preventive measures against Juice Jacking include installing Antivirus and updating them to the latest definitions always; keeping mobile devices up to date with the latest patches; using one’s own power bank; keeping mobile phone off when charging in public places; as well as ensuring use of one’s own charger, if one must charge in public.

RELATED: Telecoms Regulator’s Central Mandate Is To Ensure Consumer Protection ─NCC

On the other hand, the NCC-CSIRT Advisory 0001 of January 27, 2022, warns that Facebook for Android is vulnerable to a permission issue which gives privilege to anyone with physical access to the android device to accept friend requests without unlocking the phone.

The products affected include Versions 329.0.0.29.120 of Android OS.

With this, the attacker will be able to add the victim as a friend and collect personal information of the victim, such as Email, Date of Birth, Check-ins, Mobile phone number, Address, Pictures and other information that the victim may have shared, which would only be visible to his/her friends.

READ ALSO Cybersecurity: Nigeria Commissions Centre For Computer Security Incident Response

“However, to be protected from the Facebook-associated vulnerability, NCC-CSIRT in the security advisory recommends to users to disable the feature from their device’s lock screen notification settings,” said the NCC.

The statement further recalled the NCC-CSIRT was inaugurated October 2021 to provide guidance and direction for the constituents in dealing with issues relating to the security of critical infrastructure in their possession, and periodically assess, review and collate the threat landscape, risks, and opportunities affecting the communications sector, in order to provide advice to relevant stakeholders in those regards.

RELATED: NCC Urges Stakeholders To Activate Digital Economy For Diversification, Transformation

As the telecoms-industry specific intervention, the objective of which aligns with the objective of the National Cybersecurity Policy and Strategy (NCPS) document published by the Office of the National Security Adviser (ONSA), the NCC-CSIRT ensures continuous improvement of processes and communication frameworks to guarantee secure and collaborative exchange of timely information while responding to cyber threats within the sector.

The Commission said in recent times, NCC-CSIRT has raised series of cyber-vulnerability awareness based on security advisories it receives from the Nigerian Cybersecurity Emergency Response Team (ngCERT) as the national body for the implementation of the NCPS objective.

The NCC, however, added that Juice Jacking and Facebook for Android Friend Acceptance Vulnerabilities are the two first-ever cyber vulnerabilities published by the NCC-CSIRT.

Kindly Share This Story

Kindly share this story