The Department of Energy released a special report recently announcing that during the Department’s 2016 Cyber Conference, the audience was intentionally hacked as part of an exercise aimed at gauging real vulnerability.
The report does not say where the conference took place, but notes that it was a “non-federal facility” in Atlanta. According to the DOE Inspector General’s official special report, “During the conference, the Office of Cyber Assessments conducted an unannounced assessment related to the use of mobile device charging stations.”
“Officials indicated that the purpose was to determine whether conference participants would connect government and/or personal devices to a charging station.”
According to the report, the “Office of Cyber Assessments had used data collection devices that were disguised as mobile device charging stations and intended to collect specific, non-sensitive information from devices (such as cell phones) connected to them.”
This assessment was categorized as a “Red-Team Exercise,” which the report defines as “Unannounced tests” that “are conducted without informing the site but are required to include coordination with a trusted agent.”
All of their assessments, both announced and unannounced, “must be carefully and thoroughly conducted and coordinated,” according to the department.
Questions arose as to whether the department acted in good faith when coordinating the unannounced test. The Office of the Chief Information Officer, and the investigation into the exercise, found those concerns to be substantiated.
The Inspector General report found that the assessment involved “the placement of two white acrylic boxes” that had department stickers pasted on them and were labeled, “charging station.”
Users who plugged their phones into what the label led them to assume were mobile phone charging stations had information siphoned out of their devices.
Luckily, the information collected was limited to “device name, serial number, manufacturer, and model number.” The report confirmed that no personal or identifiable information was collected during the exercise.
As a result of the report’s findings, the department’s regulations will be reviewed, the report states. In addition, information office personnel will be required to undergo training related to “observing, identifying, and reporting unusual behavior.”
What is truly scary about this is that, in a matter of minutes, your phone’s information can be transferred through its charging port.
This may give thieves a new way to get at sensitive and personal phone data: by altering the code the DOE used to collect only device information, they could widen its scope to steal passwords, photos, and phone numbers from unaware targets.
In this case, it was only a test by the federal government, and the only people who got hacked were those who inserted their phones into the chargers at the conference.
But the next time it might be someone more sinister, and the victim might be you.
Share this story on Facebook and Twitter, and be sure to add your voice to the comment section below if you feel the department acted unjustly by hacking users’ phones.
H/T Fifth Domain