Over the past days, the subject of “Juice Jacking” has been on the rise on news sources and social media articles. Juice Jacking is a somewhat difficult-to-implement, but theoretically possible attack whereby a “hacker” takes control of your mobile device just by you plugging your device into a public USB charging point.
On November 8th, Jackie Lacey – of the Los Angeles County District Attorney’s office published a warning on their website warning about the dangers of using public USB charging points.
The dangers (according to the publication) are that the charging point “may contain dangerous malware”. While this may be true, let’s look a little deeper.
Brief history
The term Juice Jacking was apparently first used by security journalist Brian Kregs. Also, in the same year, an off-shoot of the Defcon security conference, “The Wall of Sheep” installed “public” USB charging points which caused a message to be displayed on some of the plugged-in devices which cautioned the user as to the dangers of arbitrarily plugging in.
In 2013 Georgia Tech researchers demonstrated a device (“Mactans“) at DefCon which acted like a charging station, but would install malware on iPhone devices, exploiting the lack of protection mechanisms in iOS at the time.
In more recent times, the apparently “unstoppable” Apple iOS exploit – Checkm8 – appeared this year. This could conceivably be used as base exploit code for compromising your iPhone/iPad through a “dirty” charging point. And to be vendor-neutral, an Android hacking app “ATFuzzer” which exploits the modem component of an Android phone, was tested on a number of devices. Some just inconveniently crashed, but a select few models of Samsung phones did succumb to the attack and offered up their calls, texts and IMEI number for interception.
Am I safe?
Let’s talk about the likelihood of this happening to you. Well, if you have an ancient device and you’ve never updated the firmware/OS on it, then you are going to be more likely to succumb to an attack on your device. If you have a new one, and its fully up to date, probably less likely.
In any case, what you have to do to be compromised is actually plug your device into a USB socket which a hacker has been able to modify to turn it into a malware delivery platform.
So, what’s the likelihood of this attack stealing your phone data, emptying you bank account, stealing your dog and burning your house down? Pretty small in my opinion. The likelihood increases every time you plug into a different public USB charging port, and yet again if you don’t regularly install the updates available to your device.
How do I stay protected?
The common consensus of advice to protect your device from attack (and on which we subscribe to) is the following:
- Simply do not use public charging stations and carry a portable power bank around with you.
- Only use your own charging head – plug that into A/C like you would at home and use your own USB cable.
If you must plug in to an unknown USB port, then take precautions:
- When you plug into the charging point, turn off your device beforehand.
- Buy (and use) a “USB condom” – a device which plugs in-line with your device and cable which disconnects the data lines to the USB socket.
- Buy (and use) a charging-only USB cable which doesn’t have the necessary wiring to enable a data connection though the cable.
Speaking of USB cables – there may now be something else to worry about, compromised cables with built-in “BadUSB” chips. Only ever buy your cables from a reputable seller and buy a recognised brand: https://www.youtube.com/watch?v=YjQhS_95t7s
Sean Dewis
Senior Penetration Tester – iSTORM Solutions