Juice jacking

Juice jacking is a theoretical type of compromise of devices like smartphones and tablets which use the same cable for charging and data transfer, typically a USB cable. The goal of the attack is to either install malware on the device, or to surreptitiously copy potentially sensitive data. [1] As of April 2023 there have been no credible reported cases of juice jacking outside of research efforts. [2]

Published research

The Wall of Sheep, an event at Defcon, has set up and allowed public access to an informational juice jacking kiosk each year at Defcon since 2011. Their intent is to bring awareness of this attack to the general public. Each of the informational juice jacking kiosks set up at the Wall of Sheep village has included a hidden CPU, which is used in some way to notify the user that they should not plug their devices into public charging kiosks. The first informational juice jacking kiosk included a screen that would change from "Free charging station" to a warning message that the user "should not trust public charging stations with their devices". [3] One of the researchers who designed the charging station for the Wall of Sheep has given public presentations showcasing more malicious acts that could be taken via the kiosk, such as data theft and device tracking, as well as information on compromising existing charging kiosks. [4]

Security researcher Kyle Osborn released an attack framework called P2P-ADB in 2012, which utilized USB On-The-Go to connect an attacker's phone to a target victim's device. This framework included examples and proofs of concept that would allow attackers to unlock locked phones and steal data from a phone, including authentication keys granting the attacker access to the target device owner's Google Account. [5]

At the 2013 Black Hat USA security briefings, security research graduates and students from Georgia Tech released a proof-of-concept malicious tool, "Mactans", that utilized the USB charging port on Apple mobile devices. They used inexpensive hardware components to construct a small malicious wall charger that could infect an iPhone running the then-current version of iOS with malicious software while it was being charged. The software could defeat any security measures built into iOS and mask itself in the same way Apple masks background processes in iOS. [6]

Security researchers Karsten Nohl and Jakob Lell from SRLabs published their research on BadUSB during the 2014 Black Hat USA security briefings. [7] [8] Their presentation on this attack mentions that a cellphone or tablet device charging on an infected computer would be one of the simplest methods of propagating the BadUSB vulnerability. They include example malicious firmware code that would infect Android devices with BadUSB. [9]

Researchers at Aries Security and the Wall of Sheep later revisited the juice jacking concept in 2016. They set up a "Video Jacking" charging station, able to record the mirrored screen from phones plugged into their malicious charging station. Affected devices at the time included Android devices supporting SlimPort or MHL protocols over USB, as well as the most recent iPhone using an Apple Lightning charging cable connector. [10]

Researchers at Symantec disclosed their findings on an attack they called "Trustjacking" [11] during the 2018 RSA Conference. The researchers identified that when a user approves access for a computer on an iOS device over USB, this trusted access level is also applied to the device's iTunes API, which is accessible over Wi-Fi. This would allow attackers access to an iOS device even after the user had unplugged the device from a malicious or infected USB-based charge source.

A researcher who goes by _MG_ released a USB cable implant they called the "O.MG Cable". [12] The O.MG Cable has a microcontroller embedded within the cable and a visual inspection would likely not detect a difference between the O.MG cable and a normal charging cable. The O.MG Cable allows attackers or red team penetration testers to remotely issue commands to the cable over Wi-Fi, and have those commands run on the host computer with the O.MG cable plugged in to it.

Brian Krebs was the first to report on this attack and he coined the term "juice jacking". After seeing the informational cell phone charging kiosk set up in the Wall of Sheep at DefCon 19 in August 2011, he wrote the first article on his security journalism site, "Krebs on Security". [13] The Wall of Sheep researchers, including Brian Markus, Joseph Mlodzianowski and Robert Rowley, designed the kiosk as an information tool to bring awareness of the potential attack vector and they have discussed, but not publicly released, tools to perform malicious actions on the charging devices. [4]

An episode of the hacking series Hak5 released in September 2012 showcased a number of attacks that can be conducted using an attack framework named P2P-ADB released by Kyle Osborn. The P2P-ADB attack framework discussed utilizes one phone to attack another phone over a USB On-the-Go connection. [14]

In late 2012, a document was released by the National Security Agency (NSA) warning government employees who travel about the threat of juice jacking. The document reminded readers to only use their personal power charging cables during overseas travel, to not charge in public kiosks, and to not utilize other people's computers for charging. [15] [16]

The Android Hacker's Handbook, released in March 2014, has dedicated sections discussing both juice jacking and the P2P-ADB framework. [17]

Juice jacking was the central focus of an episode of CSI: Cyber. Season 1, Episode 9, "L0M1S", aired in April 2015. [18]

In November 2019, the Los Angeles Deputy District Attorney issued a public service announcement warning about the risks of juice jacking during the upcoming holiday travel season. [19] This PSA came under scrutiny due to the fact that no public cases have come to light related to malicious charging kiosks found in public or any criminal cases being tried under the Los Angeles District Attorney's purview at the time of the PSA. [20]

On April 6, 2023, the FBI Denver X.com account published a warning that "bad actors have figured out ways to use public USB ports ..." [21] as if the attack vector were novel. At nearly the same time, the FCC updated a warning published in 2019 about multiple hacking attempts without citations. "In some cases, criminals may have intentionally left cables plugged in at charging stations." [22] This update, along with tweets on April 11, gave credence to social media posts and internet news articles that spread the information as fact. There were no actual instances cited of this threat being used in the wild. The original FBI tweet was not based on specific intelligence. [23]

Mitigation

As early as 2013, both iOS and Android devices received updates to mitigate the threat.

Apple's iOS has taken multiple security measures to reduce the attack surface over USB, including no longer allowing the device to automatically mount as a hard drive when plugged in over USB, as well as releasing security patches for vulnerabilities such as those exploited by Mactans. [6]

Android devices commonly prompt the user before allowing the device to be mounted as a hard drive when plugged in over USB. In release 4.2.2, Android implemented a whitelist verification step to prevent attackers from accessing the Android Debug Bridge without authorization. [24]

Mitigation by hardware

Juice jacking is not possible if a device is charged via a trusted AC adapter or battery backup device, or if using a USB cable with only power wires. For USB cables with data wires, a USB data blocker (sometimes called a USB condom) [25] can be connected between device and charging port to disallow a data connection. [26]
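One way to check that a cable or data blocker really is power-only, as an added example that is not part of the original article: a device plugged into a test host through it should not enumerate at all, and if one does, the interface classes in its USB configuration descriptor show what it offers. The function names are hypothetical and the descriptor bytes are constructed for the example; the class codes are the standard USB-IF base classes.

```python
import struct

DT_CONFIGURATION, DT_INTERFACE = 0x02, 0x04

# Standard USB-IF base class codes a charging-port audit cares about.
USB_CLASSES = {
    0x01: "audio", 0x02: "communications (CDC)", 0x03: "HID (keyboard/mouse)",
    0x06: "still imaging (PTP)", 0x08: "mass storage", 0x0A: "CDC data",
    0x0E: "video", 0xFF: "vendor specific",
}


def list_interfaces(config_descriptor: bytes):
    """Walk one USB configuration descriptor and return a
    (interface_number, class_code, class_name) tuple per interface."""
    if len(config_descriptor) < 9 or config_descriptor[1] != DT_CONFIGURATION:
        raise ValueError("not a configuration descriptor")
    (total_length,) = struct.unpack_from("<H", config_descriptor, 2)
    if total_length > len(config_descriptor):
        raise ValueError("truncated configuration descriptor")
    data, found, offset = config_descriptor[:total_length], [], 0
    while offset + 2 <= len(data):
        length, dtype = data[offset], data[offset + 1]
        if length < 2 or offset + length > len(data):
            raise ValueError(f"malformed descriptor at offset {offset}")
        if dtype == DT_INTERFACE and length >= 9:
            number, alt, cls = data[offset + 2], data[offset + 3], data[offset + 5]
            if alt == 0:  # count each interface once, not per alternate setting
                found.append((number, cls, USB_CLASSES.get(cls, "other")))
        offset += length
    return found


def audit_power_only(enumerated: dict):
    """`enumerated` maps a label to the configuration descriptor of every
    device that appeared on the test host through the cable or blocker.
    Power-only hardware enumerates nothing, so any entry is a failure."""
    findings = []
    for label, descriptor in enumerated.items():
        for number, cls, name in list_interfaces(descriptor):
            findings.append(f"{label}: interface {number}, class 0x{cls:02x} ({name})")
    return (not enumerated, findings)


def sample_descriptor() -> bytes:
    """Constructed example: a composite device with a keyboard and storage."""
    body = bytes.fromhex(
        "090400000103010100"  # interface 0: HID, boot keyboard
        "092111010001223f00"  # HID class descriptor
        "0705810308000a"      # interrupt IN endpoint
        "090401000208065000"  # interface 1: mass storage, SCSI bulk-only
        "07058202400000"      # bulk IN endpoint
        "07050202400000"      # bulk OUT endpoint
    )
    header = struct.pack("<BBHBBBBB", 9, DT_CONFIGURATION, 9 + len(body),
                         2, 1, 0, 0x80, 0xFA)
    return header + body


if __name__ == "__main__":
    ok, findings = audit_power_only({"port-under-test": sample_descriptor()})
    print("power-only" if ok else "DATA LINES ACTIVE")
    for line in findings:
        print(" ", line)
```

On a Linux test host, `lsusb -v` prints the same `bInterfaceClass` fields for a live device.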

References

  1. Bernard, Francisco (April 22, 2024). "How this tiny gadget can protect your data from getting stolen". KCCI. Des Moines. Archived from the original on April 22, 2024. Retrieved April 22, 2024.
  2. Goodin, Dan (2023-05-01). "Those scary warnings of juice jacking in airports and hotels? They're nonsense". Ars Technica. Retrieved 2023-05-01.
  3. "Juice jacking", Wall of Sheep
  4. Rowley, Robert, Juice jacking 101 via SlideShare
  5. Osborn, Kyle, "P2P-ADB", GitHub
  6. Billy Lau; et al. (2013), Mactans: Injecting malware into iOS devices via malicious chargers (PDF), Black Hat Briefings
  7. "BadUSB - On Accessories that Turn Evil", Black Hat Briefings USA 2014
  8. Nohl, Karsten; Lell, Jakob, BadUSB - On Accessories that Turn Evil, Blackhat USA 2014 via YouTube
  9. "Turning USB peripherals into BadUSB", SRLabs.de, archived from the original on 2016-04-18, retrieved 2015-09-28
  10. Brian Krebs (2016-08-11), "Road Warriors: Beware of 'Video Jacking'", Krebs on Security
  11. Iarchy, Roy (2018-04-18), iOS Trustjacking – A Dangerous New iOS Vulnerability
  12. O.MG Cable, 2019-12-31
  13. "Beware of Juice-Jacking", Krebs on Security, 2011-08-17
  14. "Hak5 1205 – Extreme Android and Google Auth Hacking with Kos", hak5.org, 2012, archived from the original on 2021-05-06, retrieved 2015-09-27
  15. "How American Spies Use iPhones and iPads", Fast Company, 2012-12-20
  16. Security Configuration Recommendations for Apple iOS 5 Devices (PDF), Mitigations Group of IAD, NSA, 2012-03-28, archived from the original (PDF) on 2016-03-05
  17. Drake, Joshua; et al. (March 2014). Android Hacker's Handbook. Wiley. p. 576. ISBN 978-1-118-60864-7.
  18. "CSI: Cyber Screencap Recap: Airplane Edition", Vulture Screencap Recap, 2015-04-30
  19. 'Juice Jacking' Criminals Use Public USB Chargers to Steal Data, L.A. County D.A. office, 2019-11-08, archived from the original on 2019-11-09
  20. "Is Juice-Jacking via Public USB Ports a Real Security Threat?", Snopes, 2019-11-18
  21. "FBI office warns against using public phone charging stations at airports or malls, citing malware risk", CBS News, 2023-04-12
  22. "'Juice Jacking': The Dangers of Public USB Charging Stations", FCC.gov, 2023-04-27
  23. "Actually, Charging Your Phone in a Public USB Port Is Fine – Here's how the FBI, the FCC, and hundreds of news organizations got this one wrong.", Slate.com, 2023-04-13
  24. "New Android 4.2.2 Feature: USB Debug Whitelist Prevents ADB-Savvy Thieves From Stealing Your Data (In Some Situations)", Android Police, 2013-02-12
  25. "'USB condom' to keep you safe while travelling". The Times of India. 2019-12-02. Retrieved 2021-11-03.
  26. "How A Data Blocker Can Protect Your Smartphone". Gizmodo Australia. 2021-01-11. Archived from the original on 2021-11-03. Retrieved 2021-11-03.