Why Is 'Juice Jacking' Suddenly Back In the News? (krebsonsecurity.com) 32
An anonymous reader shares a report from KrebsOnSecurity: KrebsOnSecurity received a nice bump in traffic this week thanks to tweets from the Federal Bureau of Investigation (FBI) and the Federal Communications Commission (FCC) about "juice jacking," a term first coined here in 2011 to describe a potential threat of data theft when one plugs their mobile device into a public charging kiosk. It remains unclear what may have prompted the alerts, but the good news is that there are some fairly basic things you can do to avoid having to worry about juice jacking.
The term juice jacking crept into the collective paranoia of gadget geeks in the summer of 2011, thanks to the headline for a story here about researchers at the DEFCON hacker convention in Vegas who'd set up a mobile charging station designed to educate the unwary to the reality that many mobile devices were set up to connect to a computer and immediately sync data by default. Since then, Apple, Google and other mobile device makers have changed the way their hardware and software works so that their devices no longer automatically sync data when one plugs them into a computer with a USB charging cable. Instead, users are presented with a prompt asking if they wish to trust a connected computer before any data transfer can take place. On the other hand, the technology needed to conduct a sneaky juice jacking attack has become far more miniaturized, accessible and cheap. And there are now several products anyone can buy that are custom-built to enable juice jacking attacks. [...]
How seriously should we take the recent FBI warning? An investigation by the myth-busting site Snopes suggests the FBI tweet was just a public service announcement based on a dated advisory. Snopes reached out to both the FBI and the FCC to request data about how widespread the threat of juice jacking is in 2023. "The FBI replied that its tweet was a 'standard PSA-type post' that stemmed from the FCC warning," Snopes reported. "An FCC spokesperson told Snopes that the commission wanted to make sure that their advisory on "juice-jacking," first issued in 2019 and later updated in 2021, was up-to-date so as to ensure 'the consumers have the most up-to-date information.' The official, who requested anonymity, added that they had not seen any rise in instances of consumer complaints about juice-jacking." The best way to protect yourself from juice jacking is by using your own gear to charge and transfer data from your device(s) to another.
"Juice jacking isn't possible if a device is charged via a trusted AC adapter, battery backup device, or through a USB cable with only power wires and no data wires present," says security researcher Brian Krebs. "If you lack these things in a bind and still need to use a public charging kiosk or random computer, at least power your device off before plugging it in."
Simple explanation. (Score:2)
Power off? (Score:2)
Re: Power off? (Score:2)
Re: Power off? (Score:5, Informative)
Since iOS 11.4.1 Apple introduced USB Restricted Mode. On boot, or if your device has been locked for more than an hour, the USB subsystem is unloaded from the kernel. It'll do some basic charging, but … that's it.
So if you power off your phone and plug into an untrusted charger will your phone turn back on: yes. Will it have a reduced security footprint that the untrusted device can attempt to exploit: as long as you don't unlock it, also yes. Could somebody figure out how to exploit even that: people are damn clever, probably yes.
If you're both concerned, and in a pinch: turn off your phone, plug it in, DON'T unlock it, cross your fingers.
Re: (Score:3)
Android has had this for as long as I can remember too. The issue is that in order to charge fast the phone needs to talk to the charger. Up to 1.5A it only needs to confirm that the D+ and D- data lines are shorted, or in Apple's non-standard case measure the voltage on them. Beyond that it needs to use the USB-C Power Delivery communication system, or one of the other proprietary systems. All of them involve talking to the charger.
Any of those could potentially have flaws in the code that allow for attack
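An added example (not from the thread or the original article): a small Python model of the D+/D- charger detection described in the comment above, following the primary and secondary detection steps of USB Battery Charging 1.2, to show which ways of plugging in leave a data path to a kiosk. The `FarEnd` fields, the scenario names and the nominal voltages are assumptions made for illustration; Apple's divider scheme and USB-C Power Delivery are not modelled.

```python
from dataclasses import dataclass
from enum import Enum

# Nominal BC 1.2 levels in volts (assumed mid-range values, for illustration).
VDP_SRC = 0.6     # level the phone drives onto one data line while probing
VDAT_REF = 0.325  # comparator threshold on the other data line

class Port(Enum):
    SDP = "standard downstream port"  # ordinary host port
    CDP = "charging downstream port"  # host port that also allows 1.5 A
    DCP = "dedicated charging port"   # D+ shorted to D-, no host

@dataclass(frozen=True)
class FarEnd:
    """Hypothetical model of what sits on the phone's D+/D- pins."""
    name: str
    lines_shorted: bool      # D+ tied to D- (wall adapter, shorting data blocker)
    host_on_lines: bool      # a USB host controller is wired through to D+/D-
    cdp_reply: bool = False  # host answers the D+ probe by driving D-

def seen_on_other_line(far: FarEnd, driven: str) -> float:
    """Voltage the phone reads on the opposite line while driving `driven`."""
    if far.lines_shorted:
        return VDP_SRC  # the short copies the probe across
    if driven == "D+" and far.host_on_lines and far.cdp_reply:
        return VDP_SRC  # a CDP drives D- in response
    return 0.0          # pulled low or left open

def classify(far: FarEnd) -> Port:
    if seen_on_other_line(far, "D+") < VDAT_REF:  # primary detection
        return Port.SDP
    if seen_on_other_line(far, "D-") > VDAT_REF:  # secondary detection
        return Port.DCP
    return Port.CDP

def assess(far: FarEnd) -> tuple[Port, bool, bool]:
    """Return (detected port, data path to a host exists, 1.5 A allowed)."""
    port = classify(far)
    data_path = far.host_on_lines and port is not Port.DCP
    return port, data_path, port in (Port.CDP, Port.DCP)

# Constructed scenarios, not measurements.
SCENARIOS = [
    FarEnd("kiosk port, ordinary cable", False, True),
    FarEnd("kiosk charging port, ordinary cable", False, True, cdp_reply=True),
    FarEnd("own AC adapter", True, False),
    FarEnd("kiosk via power-only cable", False, False),
    FarEnd("kiosk via shorting data blocker", True, False),
]
```

In this model a power-only cable removes the data path but leaves the phone seeing an ordinary port, while an adapter or blocker that shorts D+ to D- removes the data path and still permits the 1.5 A rate.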
Re: (Score:3)
Reply to both.
I didn't imply that Android could not do the same. I'm not an Android user, I'm glad you spoke up.
There is truth that on a USB bus you can't pull more than 500 mA without negotiating with the bus controller for more. There's a few different signaling mechanisms for doing so. Some are very dumb, and don't require full participation on the bus to accomplish. Others very much do, especially in the case of USB-C. When you have to fully register on the bus, the attack surface that can b
Re: (Score:2)
> That won't work with iPhones, I have plugged my iPhone in to charge and the act of plugging it in powers the iPhone on
Hopefully your data isn't decrypted before unlocking?
But they could still trigger the auto-format or possibly run a Pegasus attack and install malware.
Re: Power off? (Score:1)
Re: (Score:2)
Well, having dumped Apple a decade ago (I didn't like their style), I wasn't in the market for an iDevice anyway. But they should warn people more vigorously about this problem, otherwise they'll be getting a lot of returns.
Re: Power off? (Score:1)
HID-eous (Score:3)
Re: (Score:2)
Infect a phone when charging? Interesting! (Score:2)
Re: (Score:1)
> Be a real issue if you couldn't charge your EV in public.
Are there 'skimmers' yet on the data leads on EV chargers? Presumably you bust through a CAMbus flaw and install your own unlock key in the authorized-unlock keystore?
Re: (Score:2)
On cellphones I'm more worried about installing something that opens it to remote exploit (like that key addition) than scanning the data over the USB during charging. Install-the-persistent-threat can be canned in the charging device, so it only needs to be installed, not periodically visited to "drain" it or have a comm link of its own to "phone home".
Re: (Score:2, Troll)
> I am sure glad the cars makers have all this security stuff figured out. Be a real issue if you couldn't charge your EV in public.
I'm not sure if you're trying to be funny or not, but there's a big difference between the very VERY ex-fucking-tremely dumb charging communications protocol used for EVs and the I-can-do-anything-I-have-direct-memory-access communications-and-everyone-trusts-me protocol called USB.
Re: (Score:2)
Until somebody figures out an exploit (like a buffer overflow) that lets the charger corrupt the car-end protocol driver and take IT over. Then it's a matter of chaining exploits to work back from a driver into its OS and then through whatever software and hardware barriers to
Re: (Score:2)
CAN is high level communications protocol directly between main processors on dedicated communications lines. It's quite different from dedicated electronics sending pulses across a 480V line that do little more than indicate power available and power required. Don't underestimate just how dumb present chargers are. You need a base level of intelligence in order to actively exploit anything.
Mind you we're moving that direction. ISO 15118 is a proposed high level communications standard for car charging. But
It's fairly obvious (Score:2)
Carry a battery (Score:5, Interesting)
Carry a battery pack
charge your phone from the battery pack
recharge your battery pack from the (publicly accessible) charging point.
Re: (Score:2)
It's easier than that. Bring an A/C charger and plug it in to a 110 outlet. Those don't carry malware.
Re: (Score:2)
Re: (Score:2)
If you thought my post intended to be specifically about US 110 V, you read too much into it. Of course, use whatever A/C power configuration is common in your area. The principle is the same, phone chargers are cheap, and cheaper and easier than carrying a battery pack (which you still have to charge).
Re: (Score:2)
Corollary : see power, top up! Whoever was booking your flights included at least 2 hours "slack time" at each bush airport, because we are talking about shithole third world transport, and you
Get a data blocker (Score:3)
How about a normal A/C charger? (Score:2)
They're cheap, small, and plugging them in to a 110 outlet never comes with a risk of malware. These days, airports and other public venues have plenty of A/C power outlets for people to use.
"In a bind" (Score:2)
... then you've not done your packing right for the trip. You anticipate being in a bind (will your plane land in the country you were planning on going to? One lightning strike later, you're in a country you didn't expect, and a 30 wait until your plane has been checked out. Ditto birdstrike. Both have happened to me. Thankfully, I managed to get a boat back home after the Eyjafjallajökull [wikipedia.org] shutdown.) ... so of course you have a power pack in your carry-on baggage (if