Jump to content

Juice jacking: Difference between revisions

From Wikipedia, the free encyclopedia
Content deleted Content added
Alegh (talk | contribs)
"dubbed" is tabloid slang -- in an encyclopaedia, prefer neutral "called"
 
(26 intermediate revisions by 17 users not shown)
Line 3: Line 3:
[[File:Alaska Airlines International Power Outlets.jpg|thumb|International AC outlet and USB charger in an airplane]]
[[File:Alaska Airlines International Power Outlets.jpg|thumb|International AC outlet and USB charger in an airplane]]
[[File:Leviton NEMA 5-15R with USB.jpeg|thumb|North American AC outlet with USB charger]]
[[File:Leviton NEMA 5-15R with USB.jpeg|thumb|North American AC outlet with USB charger]]

'''Juice jacking''' is a theoretical type of compromise of devices like [[smart phone|phones]] and [[tablet computer|tablets]] which use the same cable for charging and [[data]] transfer, typically a [[USB]] cable. The goal of the attack is to either install [[malware]] on the device, or to surreptitiously copy potentially sensitive data. To date there have been no credible reported cases of juice jacking outside of research efforts.<ref>{{Cite web|date=2022-01-04|title=Cybersecurity Myths You Might Still Believe Debunked!|url=https://www.cxotoday.com/press-release/cybersecurity-myths-you-might-still-believe-debunked/|access-date=2022-01-05|website=CXOToday.com|language=en-US}}</ref>
'''Juice jacking''' is a theoretical type of compromise of devices like [[smartphone]]s and [[tablet computer|tablets]] which use the same cable for charging and [[data]] transfer, typically a [[USB]] cable. The goal of the attack is to either install [[malware]] on the device, or to surreptitiously copy potentially sensitive data.<ref>{{cite news |last=Bernard |first=Francisco |url=https://www.kcci.com/article/data-blocker-juice-jacking/60568770 |title=How this tiny gadget can protect your data from getting stolen |work=[[KCCI]] |location=[[Des Moines]] |date=April 22, 2024 |access-date=April 22, 2024 |archive-url=https://web.archive.org/web/20240422212717/https://www.kcci.com/article/data-blocker-juice-jacking/60568770 |archive-date=April 22, 2024}}</ref> {{As of |April 2023}} there have been no credible reported cases of juice jacking outside of research efforts.<ref>{{Cite web |last=Goodin |first=Dan |date=2023-05-01 |title=Those scary warnings of juice jacking in airports and hotels? They're nonsense |url=https://arstechnica.com/information-technology/2023/05/fearmongering-over-public-charging-stations-needs-to-stop-heres-why/ |access-date=2023-05-01 |website=Ars Technica |language=en-us}}</ref>


== Published research ==
== Published research ==
The Wall of Sheep, an event at [[DEF CON|Defcon]] has set up and allowed public access to an informational juice jacking kiosk each year at DefCon since 2011. Their intent is to bring awareness of this attack to the general public. Each of the informational juice jacking kiosks set up at the Wall of Sheep village have included a hidden CPU which is used in some way to notify the user that they should not plug their devices in to public charging kiosks. The first informational juice jacking kiosk included a screen which would change from "Free charging station" to a warning message that the user "should not trust public charging stations with their devices".<ref name="Wall of Sheep Juice Jacking">{{citation|website=Wall of Sheep|title=Juice jacking|url=http://www.wallofsheep.com/pages/juice}}</ref> One of the researchers who designed the charging station for the Wall of Sheep has given public presentations which showcase more malicious acts which could be taken via the kiosk, such as data theft, device tracking and information on compromising existing charging kiosks.<ref name="Juice jacking 101">{{citation|first=Robert|last=Rowley|title=Juice jacking 101|url=http://www.slideshare.net/RobertRowley/juice-jacking-101-23642005}}</ref>
The Wall of Sheep, an event at [[DEF CON|Defcon]], has set up and allowed public access to an informational juice jacking kiosk each year at Defcon since 2011. Their intent is to bring awareness of this attack to the general public. Each of the informational juice jacking kiosks set up at the Wall of Sheep village have included a hidden CPU, which is used in some way to notify the user that they should not plug their devices in to public charging kiosks. The first informational juice jacking kiosk included a screen that would change from "Free charging station" to a warning message that the user "should not trust public charging stations with their devices".<ref name="Wall of Sheep Juice Jacking">{{citation |website=Wall of Sheep |title=Juice jacking|url=https://www.wallofsheep.com/pages/juice}}</ref> One of the researchers who designed the charging station for the Wall of Sheep has given public presentations showcasing more malicious acts that could be taken via the kiosk, such as data theft, device tracking and information on compromising existing charging kiosks.<ref name="Juice jacking 101">{{citation |first=Robert |last=Rowley |title=Juice jacking 101 |url=https://www.slideshare.net/RobertRowley/juice-jacking-101-23642005 |via=[[SlideShare]]}}</ref>


Security researcher Kyle Osborn released an attack framework called P2P-ADB in 2012 which utilized [[USB On-The-Go]] to connect an attacker's phone to a target victim's device. This framework included examples and proof of concepts which would allow attackers to unlock locked phones, steal data from a phone including authentication keys granting the attacker access to the target device owner's Google account.<ref name="p2p-adb">{{citation|first=Kyle|last=Osborn|title=P2P-ADB|url=https://github.com/kosborn/p2p-adb/}}</ref>
Security researcher Kyle Osborn released an attack framework called P2P-ADB in 2012, which utilized [[USB On-The-Go]] to connect an attacker's phone to a target victim's device. This framework included examples and [[proof of concept]]s that would allow attackers to unlock locked phones, steal data from a phone including authentication keys granting the attacker access to the target device owner's [[Google Account]].<ref name="p2p-adb">{{citation |first=Kyle |last=Osborn |title=P2P-ADB |url=https://github.com/kosborn/p2p-adb/ |website=Github}}</ref>


Security researcher graduates and students from the Georgia Institute of Technology (Georgia Tech) released a proof of concept malicious tool "Mactans" which utilized the USB charging port on [[Apple Inc.|Apple]] mobile devices at the 2013 [[Black Hat Briefings|Blackhat USA]] security briefings. They utilized inexpensive hardware components to construct a small sized malicious wall charger which could infect an [[iPhone]] with the then-current version of [[iOS]] with malicious software while it was being charged. The software could defeat any security measures built into iOS and mask itself in the same way Apple masks background processes in iOS.<ref name="Mactans">{{citation|title=BlackHat Briefings 2013 Mactans|url=https://media.blackhat.com/us-13/US-13-Lau-Mactans-Injecting-Malware-into-iOS-Devices-via-Malicious-Chargers-WP.pdf}}</ref>
Security researcher graduates and students from [[Georgia Tech]] released a proof-of-concept malicious tool "Mactans" that utilized the USB charging port on [[Apple Inc.|Apple]] mobile devices at the 2013 [[Black Hat Briefings|Blackhat USA]] security briefings. They utilized inexpensive hardware components to construct a small sized malicious wall charger that could infect an [[iPhone]] with the then-current version of [[iOS]] with malicious software while it was being charged. The software could defeat any security measures built into iOS and mask itself in the same way Apple masks background processes in iOS.<ref name="Mactans">{{citation |author=Billy Lau |display-authors=etal |title=Mactans: Injecting malware into iOS devices via malicious chargers |place=[[Black Hat Briefings]] |year=2013 |url=https://media.blackhat.com/us-13/US-13-Lau-Mactans-Injecting-Malware-into-iOS-Devices-via-Malicious-Chargers-WP.pdf }}</ref>


Security researchers Karsten Nohl and Jakob Lell from SRLabs published their research on [[BadUSB]] during the 2014 Blackhat USA security briefings.<ref name="BadUSB at BlackHat">{{citation|title=BadUSB - On Accessories That Turn Evil|url=https://www.blackhat.com/us-14/briefings.html#badusb-on-accessories-that-turn-evil|website=BlackHat Briefings USA 2014}}</ref><ref name="BadUSB Presentation">{{citation|first1=Karsten|last1=Nohl|first2=Jakob|last2=Lell|title=BadUSB Presentation at Blackhat USA 2014|url=https://www.youtube.com/watch?v=nuruzFqMgIw}}</ref> Their presentation on this attack mentions that a cellphone or tablet device charging on an infected computer would be one of the simplest method of propagating the BadUSB vulnerability. They include example malicious firmware code that would infect Android devices with BadUSB.<ref name="BadUSB">{{citation|title=Turning USB peripherals into BadUSB|url=https://srlabs.de/badusb/|website=SRLabs.de|access-date=2015-09-28|archive-date=2016-04-18|archive-url=https://web.archive.org/web/20160418134155/https://srlabs.de/badusb/|url-status=dead}}</ref>
Security researchers Karsten Nohl and Jakob Lell from SRLabs published their research on [[BadUSB]] during the 2014 Blackhat USA security briefings.<ref name="BadUSB at BlackHat">{{citation |title=BadUSB - On Accessories that Turn Evil |url=https://www.blackhat.com/us-14/briefings.html#badusb-on-accessories-that-turn-evil |website=[[Black Hat Briefings]] USA 2014}}</ref><ref name="BadUSB Presentation">{{citation |first1=Karsten |last1=Nohl |first2=Jakob |last2=Lell |title=BadUSB - On Accessories that Turn Evil |place=Blackhat USA 2014 |url=https://www.youtube.com/watch?v=nuruzFqMgIw |via=YouTube}}</ref> Their presentation on this attack mentions that a cellphone or tablet device charging on an infected computer would be one of the simplest method of propagating the BadUSB vulnerability. They include example malicious firmware code that would infect Android devices with BadUSB.<ref name="BadUSB">{{citation |title=Turning USB peripherals into BadUSB |url=https://srlabs.de/badusb/|website=SRLabs.de |access-date=2015-09-28|archive-date=2016-04-18 |archive-url=https://web.archive.org/web/20160418134155/https://srlabs.de/badusb/ |url-status=dead}}</ref>


Researchers at Aries Security and the Wall of Sheep later revisited the juice jacking concept in 2016. They set up a "Video Jacking" charging station which was able to record the mirrored screen from phones plugged into their malicious charging station. Affected devices at the time included Android devices supporting SlimPort or MHL protocols over USB, as well as the most recent iPhone using a lightning charge cable connector.<ref name="Video jacking">{{citation|website=Krebs on Security|title=Road Warriors: Beware of 'Video Jacking'|url=http://krebsonsecurity.com/2016/08/road-warriors-beware-of-video-jacking/}}</ref>
Researchers at Aries Security and the Wall of Sheep later revisited the juice jacking concept in 2016. They set up a "Video Jacking" charging station, able to record the mirrored screen from phones plugged into their malicious charging station. Affected devices at the time included Android devices supporting SlimPort or MHL protocols over USB, as well as the most recent iPhone using an Apple Lightning charging cable connector.<ref name="Video jacking">{{citation |author=Brian Krebs |author-link=Brian Krebs |website=Krebs on Security |title=Road Warriors: Beware of 'Video Jacking' |url=https://krebsonsecurity.com/2016/08/road-warriors-beware-of-video-jacking/ |date=2016-08-11}}</ref>


Researchers at [[NortonLifeLock|Symantec]] disclosed their findings on an attack they dubbed "Trustjacking"<ref name="Trustjacking">{{citation|first=Roy|last=Iarchy|title=iOS Trustjacking|url=https://www.symantec.com/blogs/feature-stories/ios-trustjacking-dangerous-new-ios-vulnerability}}</ref> during the 2018 [[RSA Conference]]. The researchers identified that when a user approves access for a computer on an iOS device over USB, that this trusted access level is also applied to the devices's iTunes API which is accessible over wifi. This would allow attackers access to an iOS device even after the user has unplugged the device from a malicious or infected USB based charge source.
Researchers at [[Gen Digital|Symantec]] disclosed their findings on an attack they called "Trustjacking"<ref name="Trustjacking">{{citation |first=Roy |last=Iarchy |title=iOS Trustjacking – A Dangerous New iOS Vulnerability |url=https://symantec-enterprise-blogs.security.com/blogs/feature-stories/ios-trustjacking-dangerous-new-ios-vulnerability |date=2018-04-18}}</ref> during the 2018 [[RSA Conference]]. The researchers identified that when a user approves access for a computer on an iOS device over USB, that this trusted access level is also applied to the device's iTunes API, which is accessible over [[Wi-Fi]]. This would allow attackers access to an iOS device even after the user had unplugged the device from a malicious or infected USB-based charge source.


A researcher who goes by _MG_ released a USB cable implant they dubbed the "O.MG Cable".<ref name="O.MG Cable">{{citation|title=O.MG Cable|url=https://mg.lol/blog/omg-cable/}}</ref> The O.MG Cable has a micro-controller embedded within the cable itself, a visual inspection would likely not detect a difference between the O.MG cable and a normal charging cable. The O.MG Cable allows attackers or red team penetration testers to remotely issue commands to the cable over wifi, and have those commands run on the host computer with the O.MG cable plugged in to it.
A researcher who goes by _MG_ released a USB cable implant they called the "O.MG Cable".<ref name="O.MG Cable">{{citation |title=O.MG Cable |url=https://mg.lol/blog/omg-cable/ |date=2019-12-31}}</ref> The O.MG Cable has a microcontroller embedded within the cable and a visual inspection would likely not detect a difference between the O.MG cable and a normal charging cable. The O.MG Cable allows attackers or red team penetration testers to remotely issue commands to the cable over Wi-Fi, and have those commands run on the host computer with the O.MG cable plugged in to it.


== Public warnings and popular culture ==
== Public warnings and popular culture ==
[[Brian Krebs]] was the first to report on this attack and coin the term "juice jacking." After seeing the informational cell phone charging kiosk set up in the Wall of Sheep at DefCon 19 in August 2011, he wrote the first article on his security journalism site [[Krebs on Security]].<ref name="Krebs on Security">{{citation|website=Krebs on Security|title=Beware of Juice Jacking?|url=
[[Brian Krebs]] was the first to report on this attack and he coined the term "juice jacking". After seeing the informational cell phone charging kiosk set up in the Wall of Sheep at DefCon 19 in August 2011, he wrote the first article on his security journalism site, "Krebs on Security".<ref name="Krebs on Security">{{citation |website=Krebs on Security |title=Beware of Juice-Jacking |url=https://krebsonsecurity.com/2011/08/beware-of-juice-jacking/ |date=2011-08-17}}</ref> The Wall of Sheep researchers, including Brian Markus, Joseph Mlodzianowski and Robert Rowley, designed the kiosk as an information tool to bring awareness of the potential attack vector and they have discussed, but not publicly released, tools to perform malicious actions on the charging devices.<ref name="Juice jacking 101" />
http://krebsonsecurity.com/2011/08/beware-of-juice-jacking/}}</ref> The Wall of Sheep researchers—including Brian Markus, Joseph Mlodzianowski, and Robert Rowley—designed the kiosk as an information tool to bring awareness to the potential attack vector, and they have discussed, but not released, tools publicly which perform malicious actions on the charging devices.<ref name="Juice jacking 101" />


An episode of the hacking series Hak5 released in September 2012 showcased a number of attacks which can be conducted using an attack framework named P2P-ADB released by Kyle Osborn. The P2P-ADB attack framework discussed utilizes one phone to attack another phone over a [[USB On-The-Go|USB On-the-Go]] connection.<ref name="Kyle Osborn Hak5">{{citation|title=P2P-ADB on Hak5|url=https://hak5.org/episodes/hak5-1205|access-date=2015-09-27|archive-date=2021-05-06|archive-url=https://web.archive.org/web/20210506223054/http://www.hak5.org/episodes/hak5-1205|url-status=dead}}</ref>
An episode of the hacking series Hak5 released in September 2012 showcased a number of attacks that can be conducted using an attack framework named P2P-ADB released by Kyle Osborn. The P2P-ADB attack framework discussed utilizes one phone to attack another phone over a [[USB On-The-Go|USB On-the-Go]] connection.<ref name="Kyle Osborn Hak5">{{citation |title=Hak5 1205 – Extreme Android and Google Auth Hacking with Kos |url=https://hak5.org/episodes/hak5-1205 |website=hak5.org |year=2012 |access-date=2015-09-27 |archive-date=2021-05-06 |archive-url=https://web.archive.org/web/20210506223054/http://www.hak5.org/episodes/hak5-1205 |url-status=dead}}</ref>


In late 2012, a document was released by the [[NSA]] warning government employees who travel about the threat of juice jacking. The document reminded readers to only use their personal power charging cables during overseas travel, to not charge in public kiosks, and to not utilize other people's computers for charging.<ref name="Fast Company">{{citation|url=http://www.fastcompany.com/3004176/how-americas-spies-use-iphones-and-ipads|title=How American Spies Use iPhones and iPads|website=Fast Company}}</ref>
In late 2012, a document was released by the [[National Security Agency]] (NSA) warning government employees who travel about the threat of juice jacking. The document reminded readers to only use their personal power charging cables during overseas travel, to not charge in public kiosks, and to not utilize other people's computers for charging.<ref name="Fast Company">{{citation |url=http://www.fastcompany.com/3004176/how-americas-spies-use-iphones-and-ipads |title=How American Spies Use iPhones and iPads |date=2012-12-20 |website=[[Fast Company]]}}</ref><ref name="Security Configuration Recommendations for Apple iOS 5 Devices. NSA Mitigations Group">{{citation |title=Security Configuration Recommendations for Apple iOS 5 Devices |url=https://www.nsa.gov/ia/_files/os/applemac/Apple_iOS_5_Guide.pdf |date=2012-03-28 |publisher=Mitigations Group of IAD, [[NSA]] |archive-url=https://web.archive.org/web/20160305084127/https://www.nsa.gov/ia/_files/os/applemac/Apple_iOS_5_Guide.pdf |url-status=dead |archive-date=2016-03-05}}</ref>
<ref name="Security Configuration Recommendations for Apple iOS 5 Devices. NSA Mitigations Group">{{citation|title="Security Configuration Recommendations for Apple iOS 5 Devices. NSA Mitigations Group"|url=https://www.nsa.gov/ia/_files/os/applemac/Apple_iOS_5_Guide.pdf|archive-url=https://web.archive.org/web/20160305084127/https://www.nsa.gov/ia/_files/os/applemac/Apple_iOS_5_Guide.pdf|url-status=dead|archive-date=2016-03-05}}</ref>


The ''Android Hackers Handbook'' released in March 2014 has dedicated sections discussing both juice jacking and the ADB-P2P framework.<ref name="Android Hackers Handbook">{{cite book |first1=Joshua|last1=Drake|first2=Zach|last2=Lanier|first3=Collin|last3=Mulliner|first4=Pau|last4=Fora|first5=Stephen|last5=Ridley|first6=Georg|last6=Wicherski|date=March 2014|title=Android Hacker's Handbook|url=http://www.wiley.com/WileyCDA/WileyTitle/productCd-111860864X.html|publisher=Wiley|page=576|isbn=978-1-118-60864-7}}</ref>
The ''Android Hackers Handbook'' released in March 2014 has dedicated sections discussing both juice jacking and the ADB-P2P framework.<ref name="Android Hackers Handbook">{{cite book |first1=Joshua |last1=Drake |first2=Zach |last2=Lanier |first3=Collin |last3=Mulliner |first4=Pau|last4=Fora |first5=Stephen |last5=Ridley |first6=Georg |last6=Wicherski |display-authors=1 |date=March 2014 |title=Android Hacker's Handbook |url=http://www.wiley.com/WileyCDA/WileyTitle/productCd-111860864X.html |publisher=Wiley |page=576 |isbn=978-1-118-60864-7}}</ref>


Juice jacking was the central focus on an episode of ''[[CSI: Cyber]]''. Season 1: Episode 9, "L0M1S" aired in April 2015<ref name="CSI:Cyber Episode L0M1S">{{citation|title=CSI:Cyber L0M1S|url=http://www.vulture.com/2015/04/csi-cyber-screencap-recap-airplane-edition.html|website=Vulture Screencap Recap}}</ref>
Juice jacking was the central focus on an episode of ''[[CSI: Cyber]]''. Season 1: Episode 9, "L0M1S" aired in April 2015<ref name="CSI:Cyber Episode L0M1S">{{citation |title=CSI: Cyber Screencap Recap: Airplane Edition |url=https://www.vulture.com/2015/04/csi-cyber-screencap-recap-airplane-edition.html |website=[[Vulture (website)|Vulture]] Screencap Recap |date=2015-04-30}}</ref>


In November 2019, the Los Angeles Deputy District Attorney issued a public service announcement warning about the risks of juice jacking during the upcoming holiday travel season.<ref name="LADA Juice Jacking PSA">{{citation|title=LADA Juice Jacking PSA|url=http://da.lacounty.gov/about/inside-LADA/juice-jacking-criminals-use-public-usb-chargers-steal-data-ff}}</ref> This PSA came under scrutiny due to the fact that no public cases have come to light related to malicious charging kiosks found in public or any criminal cases being tried under the Los Angeles District Attorney's purview at the time of the PSA.<ref name="Snopes on Juice Jacking">{{citation|url=https://www.snopes.com/fact-check/juice-jacking-real-security-issue/|website=Snopes|title=Is Juice-Jacking via Public USB Ports a Real Security Threat?}}</ref>
In November 2019, the Los Angeles Deputy District Attorney issued a public service announcement warning about the risks of juice jacking during the upcoming holiday travel season.<ref name="LADA Juice Jacking PSA">{{citation |title='Juice Jacking' Criminals Use Public USB Chargers to Steal Data |url=http://da.lacounty.gov/about/inside-LADA/juice-jacking-criminals-use-public-usb-chargers-steal-data-ff |date=2019-11-08 |publisher=L.A. County D.A. office |archive-url=https://web.archive.org/web/20191109172329/http://da.lacounty.gov/about/inside-LADA/juice-jacking-criminals-use-public-usb-chargers-steal-data-ff |archive-date=2019-11-09 }}</ref> This PSA came under scrutiny due to the fact that no public cases have come to light related to malicious charging kiosks found in public or any criminal cases being tried under the Los Angeles District Attorney's purview at the time of the PSA.<ref name="Snopes on Juice Jacking">{{citation |url=https://www.snopes.com/fact-check/juice-jacking-real-security-issue/ |website=[[Snopes]] |title=Is Juice-Jacking via Public USB Ports a Real Security Threat? |date=2019-11-18}}</ref>


On April 6, 2023, the FBI Denver Twitter account published a warning that "bad actors have figured out ways to use public USB ports..."<ref name="FBI Denver tweet">{{citation|url=https://www.cbsnews.com/news/fbi-warns-against-juice-jacking-what-is-it/|website=CBS News|title=FBI office warns against using public phone charging stations at airports or malls, citing malware risk}}</ref> as if the attack vector were novel. At nearly the same time, the FCC published a warning about multiple hacking attempts without citations. "In some cases, criminals may have intentionally left cables plugged in at charging stations." <ref name="FCC warning">{{citation|url=https://www.fcc.gov/juice-jacking-dangers-public-usb-charging-stations|website=FCC.gov|title='Juice Jacking': The Dangers of Public USB Charging Stations}}</ref> Social media posts and internet news article spread the information as fact. There were no actual instances cited of this threat being used in the wild.
On April 6, 2023, the FBI Denver X.com account published a warning that "bad actors have figured out ways to use public USB ports&nbsp;..."<ref name="FBI Denver tweet">{{citation |url=https://www.cbsnews.com/news/fbi-warns-against-juice-jacking-what-is-it/ |website=CBS News |title=FBI office warns against using public phone charging stations at airports or malls, citing malware risk |date=2023-04-12}}</ref> as if the attack vector were novel. At nearly the same time, the FCC updated a warning published in 2019 about multiple hacking attempts without citations. "In some cases, criminals may have intentionally left cables plugged in at charging stations."<ref name="FCC warning">{{citation |url=https://www.fcc.gov/juice-jacking-dangers-public-usb-charging-stations |website=FCC.gov |title='Juice Jacking': The Dangers of Public USB Charging Stations |date=2023-04-27}}</ref> This update, along with tweets on April 11 gave credence to social media posts and internet news articles that spread the information as fact. There were no actual instances cited of this threat being used in the wild. The original FBI tweet was not based on specific intelligence.<ref name="Slate interviews">{{citation |url=https://slate.com/technology/2023/04/free-public-phone-chargers-fbi-warning-bad-actors-threat-bogus-debunked.html |website=Slate.com |title=Actually, Charging Your Phone in a Public USB Port Is Fine – Here's how the FBI, the FCC, and hundreds of news organizations got this one wrong. |date=2023-04-13}}</ref>


== Mitigation ==
== Mitigation ==
[[File:Condom USB de PortaPow.jpg|thumb|A USB data blocker]]
[[File:Condom USB de PortaPow.jpg|thumb|A USB data blocker]]

Already in 2013, both iOS and Android devices got updates to mitigate the threat.

Apple's [[iOS]] has taken multiple security measures to reduce the attack surface over USB including no longer allowing the device to automatically mount as a hard drive when plugged in over USB, as well as release security patches for vulnerabilities such as those exploited by Mactans.<ref name="Mactans" />
Apple's [[iOS]] has taken multiple security measures to reduce the attack surface over USB including no longer allowing the device to automatically mount as a hard drive when plugged in over USB, as well as release security patches for vulnerabilities such as those exploited by Mactans.<ref name="Mactans" />


Android devices commonly prompt the user before allowing the device to be mounted as a hard drive when plugged in over USB. Since release 4.2.2, Android has implemented a whitelist verification step to prevent attackers from accessing the [[Android Debug Bridge]] without authorization.<ref name="adb whitelist">{{citation|url=http://www.androidpolice.com/2013/02/12/new-android-4-2-2-feature-usb-debug-whitelist-prevents-adb-savvy-thieves-from-stealing-your-data-in-some-situations/|website=Android Police|title=New Android 4.2.2 Feature USB Debug Whitelist}}</ref>
Android devices commonly prompt the user before allowing the device to be mounted as a hard drive when plugged in over USB. In release 4.2.2, Android implemented a whitelist verification step to prevent attackers from accessing the [[Android Debug Bridge]] without authorization.<ref name="adb whitelist">{{citation |url=http://www.androidpolice.com/2013/02/12/new-android-4-2-2-feature-usb-debug-whitelist-prevents-adb-savvy-thieves-from-stealing-your-data-in-some-situations/|website=Android Police |title=New Android 4.2.2 Feature: USB Debug Whitelist Prevents ADB-Savvy Thieves From Stealing Your Data (In Some Situations) |date=2013-02-12}}</ref>


=== Mitigation by hardware ===
Juice jacking is not possible if a device is charged via a trusted [[AC adapter]], battery backup device, or by utilizing a USB cable with only power wires and no data wires present. Similarly, a USB data blocker (sometimes referred to as a USB Condom)<ref>{{Cite web|date=December 2, 2019|title='USB condom' to keep you safe while travelling|url=https://timesofindia.indiatimes.com/gadgets-news/usb-condom-to-keep-you-safe-while-travelling/articleshow/72335421.cms|access-date=2021-11-03|website=The Times of India|language=en}}</ref> can be connected between a device and charging port to disallow a data connection.<ref>{{Cite web|date=2021-01-11|title=How A Data Blocker Can Protect Your Smartphone|url=https://www.gizmodo.com.au/2021/01/what-is-a-data-blocker-do-you-need-one-for-your-phone/|access-date=2021-11-03|website=Gizmodo Australia|language=en-AU}}</ref>
Juice jacking is not possible if a device is charged via a trusted [[AC adapter]] or battery backup device, or if using a USB cable with only power wires. For USB cables with data wires, a USB data blocker (sometimes called a USB condom)<ref>{{Cite web |title='USB condom' to keep you safe while travelling |url=https://timesofindia.indiatimes.com/gadgets-news/usb-condom-to-keep-you-safe-while-travelling/articleshow/72335421.cms |date=2019-12-02 |access-date=2021-11-03 |website=[[The Times of India]] |language=en}}</ref> can be connected between device and charging port to disallow a data connection.<ref>{{Cite web |title=How A Data Blocker Can Protect Your Smartphone |url=https://www.gizmodo.com.au/2021/01/what-is-a-data-blocker-do-you-need-one-for-your-phone/ |date=2021-01-11 |access-date=2021-11-03 |website=[[Gizmodo]] Australia |language=en-AU |archive-url=https://web.archive.org/web/20211103094055/https://www.gizmodo.com.au/2021/01/what-is-a-data-blocker-do-you-need-one-for-your-phone/ |archive-date=2021-11-03}}</ref>


==References==
== References ==
<references />
<references />

{{USB}}

[[Category:Mobile security]]
[[Category:Mobile security]]

Latest revision as of 12:56, 16 November 2024

USB chargers in a public bus
International AC outlet and USB charger in an airplane
North American AC outlet with USB charger

Juice jacking is a theoretical type of compromise of devices like smartphones and tablets which use the same cable for charging and data transfer, typically a USB cable. The goal of the attack is to either install malware on the device, or to surreptitiously copy potentially sensitive data.[1] As of April 2023 there have been no credible reported cases of juice jacking outside of research efforts.[2]

Published research

[edit]

The Wall of Sheep, an event at Defcon, has set up and allowed public access to an informational juice jacking kiosk each year at Defcon since 2011. Their intent is to bring awareness of this attack to the general public. Each of the informational juice jacking kiosks set up at the Wall of Sheep village have included a hidden CPU, which is used in some way to notify the user that they should not plug their devices in to public charging kiosks. The first informational juice jacking kiosk included a screen that would change from "Free charging station" to a warning message that the user "should not trust public charging stations with their devices".[3] One of the researchers who designed the charging station for the Wall of Sheep has given public presentations showcasing more malicious acts that could be taken via the kiosk, such as data theft, device tracking and information on compromising existing charging kiosks.[4]

Security researcher Kyle Osborn released an attack framework called P2P-ADB in 2012, which utilized USB On-The-Go to connect an attacker's phone to a target victim's device. This framework included examples and proof of concepts that would allow attackers to unlock locked phones, steal data from a phone including authentication keys granting the attacker access to the target device owner's Google Account.[5]

Security researcher graduates and students from Georgia Tech released a proof-of-concept malicious tool "Mactans" that utilized the USB charging port on Apple mobile devices at the 2013 Blackhat USA security briefings. They utilized inexpensive hardware components to construct a small sized malicious wall charger that could infect an iPhone with the then-current version of iOS with malicious software while it was being charged. The software could defeat any security measures built into iOS and mask itself in the same way Apple masks background processes in iOS.[6]

Security researchers Karsten Nohl and Jakob Lell from SRLabs published their research on BadUSB during the 2014 Blackhat USA security briefings.[7][8] Their presentation on this attack mentions that a cellphone or tablet device charging on an infected computer would be one of the simplest method of propagating the BadUSB vulnerability. They include example malicious firmware code that would infect Android devices with BadUSB.[9]

Researchers at Aries Security and the Wall of Sheep later revisited the juice jacking concept in 2016. They set up a "Video Jacking" charging station, able to record the mirrored screen from phones plugged into their malicious charging station. Affected devices at the time included Android devices supporting SlimPort or MHL protocols over USB, as well as the most recent iPhone using an Apple Lightning charging cable connector.[10]

Researchers at Symantec disclosed their findings on an attack they called "Trustjacking"[11] during the 2018 RSA Conference. The researchers identified that when a user approves access for a computer on an iOS device over USB, that this trusted access level is also applied to the device's iTunes API, which is accessible over Wi-Fi. This would allow attackers access to an iOS device even after the user had unplugged the device from a malicious or infected USB-based charge source.

A researcher who goes by _MG_ released a USB cable implant they called the "O.MG Cable".[12] The O.MG Cable has a microcontroller embedded within the cable and a visual inspection would likely not detect a difference between the O.MG cable and a normal charging cable. The O.MG Cable allows attackers or red team penetration testers to remotely issue commands to the cable over Wi-Fi, and have those commands run on the host computer with the O.MG cable plugged in to it.

[edit]

Brian Krebs was the first to report on this attack and he coined the term "juice jacking". After seeing the informational cell phone charging kiosk set up in the Wall of Sheep at DefCon 19 in August 2011, he wrote the first article on his security journalism site, "Krebs on Security".[13] The Wall of Sheep researchers, including Brian Markus, Joseph Mlodzianowski and Robert Rowley, designed the kiosk as an information tool to bring awareness of the potential attack vector and they have discussed, but not publicly released, tools to perform malicious actions on the charging devices.[4]

An episode of the hacking series Hak5 released in September 2012 showcased a number of attacks that can be conducted using an attack framework named P2P-ADB released by Kyle Osborn. The P2P-ADB attack framework discussed utilizes one phone to attack another phone over a USB On-the-Go connection.[14]

In late 2012, a document was released by the National Security Agency (NSA) warning government employees who travel about the threat of juice jacking. The document reminded readers to only use their personal power charging cables during overseas travel, to not charge in public kiosks, and to not utilize other people's computers for charging.[15][16]

The Android Hackers Handbook released in March 2014 has dedicated sections discussing both juice jacking and the ADB-P2P framework.[17]

Juice jacking was the central focus on an episode of CSI: Cyber. Season 1: Episode 9, "L0M1S" aired in April 2015[18]

In November 2019, the Los Angeles Deputy District Attorney issued a public service announcement warning about the risks of juice jacking during the upcoming holiday travel season.[19] This PSA came under scrutiny due to the fact that no public cases have come to light related to malicious charging kiosks found in public or any criminal cases being tried under the Los Angeles District Attorney's purview at the time of the PSA.[20]

On April 6, 2023, the FBI Denver X.com account published a warning that "bad actors have figured out ways to use public USB ports ..."[21] as if the attack vector were novel. At nearly the same time, the FCC updated a warning published in 2019 about multiple hacking attempts without citations. "In some cases, criminals may have intentionally left cables plugged in at charging stations."[22] This update, along with tweets on April 11 gave credence to social media posts and internet news articles that spread the information as fact. There were no actual instances cited of this threat being used in the wild. The original FBI tweet was not based on specific intelligence.[23]

Mitigation

[edit]
A USB data blocker

Already in 2013, both iOS and Android devices got updates to mitigate the threat.

Apple's iOS has taken multiple security measures to reduce the attack surface over USB including no longer allowing the device to automatically mount as a hard drive when plugged in over USB, as well as release security patches for vulnerabilities such as those exploited by Mactans.[6]

Android devices commonly prompt the user before allowing the device to be mounted as a hard drive when plugged in over USB. In release 4.2.2, Android implemented a whitelist verification step to prevent attackers from accessing the Android Debug Bridge without authorization.[24]

Mitigation by hardware

[edit]

Juice jacking is not possible if a device is charged via a trusted AC adapter or battery backup device, or if using a USB cable with only power wires. For USB cables with data wires, a USB data blocker (sometimes called a USB condom)[25] can be connected between device and charging port to disallow a data connection.[26]

References

[edit]
  1. ^ Bernard, Francisco (April 22, 2024). "How this tiny gadget can protect your data from getting stolen". KCCI. Des Moines. Archived from the original on April 22, 2024. Retrieved April 22, 2024.
  2. ^ Goodin, Dan (2023-05-01). "Those scary warnings of juice jacking in airports and hotels? They're nonsense". Ars Technica. Retrieved 2023-05-01.
  3. ^ "Juice jacking", Wall of Sheep
  4. ^ a b Rowley, Robert, Juice jacking 101 – via SlideShare
  5. ^ Osborn, Kyle, "P2P-ADB", Github
  6. ^ a b Billy Lau; et al. (2013), Mactans: Injecting malware into iOS devices via malicious chargers (PDF), Black Hat Briefings{{citation}}: CS1 maint: location missing publisher (link)
  7. ^ "BadUSB - On Accessories that Turn Evil", Black Hat Briefings USA 2014
  8. ^ Nohl, Karsten; Lell, Jakob, BadUSB - On Accessories that Turn Evil, Blackhat USA 2014 – via YouTube{{citation}}: CS1 maint: location (link)
  9. ^ "Turning USB peripherals into BadUSB", SRLabs.de, archived from the original on 2016-04-18, retrieved 2015-09-28
  10. ^ Brian Krebs (2016-08-11), "Road Warriors: Beware of 'Video Jacking'", Krebs on Security
  11. ^ Iarchy, Roy (2018-04-18), iOS Trustjacking – A Dangerous New iOS Vulnerability
  12. ^ O.MG Cable, 2019-12-31
  13. ^ "Beware of Juice-Jacking", Krebs on Security, 2011-08-17
  14. ^ "Hak5 1205 – Extreme Android and Google Auth Hacking with Kos", hak5.org, 2012, archived from the original on 2021-05-06, retrieved 2015-09-27
  15. ^ "How American Spies Use iPhones and iPads", Fast Company, 2012-12-20
  16. ^ Security Configuration Recommendations for Apple iOS 5 Devices (PDF), Mitigations Group of IAD, NSA, 2012-03-28, archived from the original (PDF) on 2016-03-05
  17. ^ Drake, Joshua; et al. (March 2014). Android Hacker's Handbook. Wiley. p. 576. ISBN 978-1-118-60864-7.
  18. ^ "CSI: Cyber Screencap Recap: Airplane Edition", Vulture Screencap Recap, 2015-04-30
  19. ^ 'Juice Jacking' Criminals Use Public USB Chargers to Steal Data, L.A. County D.A. office, 2019-11-08, archived from the original on 2019-11-09
  20. ^ "Is Juice-Jacking via Public USB Ports a Real Security Threat?", Snopes, 2019-11-18
  21. ^ "FBI office warns against using public phone charging stations at airports or malls, citing malware risk", CBS News, 2023-04-12
  22. ^ "'Juice Jacking': The Dangers of Public USB Charging Stations", FCC.gov, 2023-04-27
  23. ^ "Actually, Charging Your Phone in a Public USB Port Is Fine – Here's how the FBI, the FCC, and hundreds of news organizations got this one wrong.", Slate.com, 2023-04-13
  24. ^ "New Android 4.2.2 Feature: USB Debug Whitelist Prevents ADB-Savvy Thieves From Stealing Your Data (In Some Situations)", Android Police, 2013-02-12
  25. ^ "'USB condom' to keep you safe while travelling". The Times of India. 2019-12-02. Retrieved 2021-11-03.
  26. ^ "How A Data Blocker Can Protect Your Smartphone". Gizmodo Australia. 2021-01-11. Archived from the original on 2021-11-03. Retrieved 2021-11-03.