• Ron Kulik

Juice Jacking - Using Free public Charging Stations

We put a man on the moon, we have human beings literally living in space aboard the International Space Station, and yet my cell phone can't hold a charge all day... WTF?

Do I spend too much time on Facebook, Twitter? To many selfies? I don't know. What I do know is I am constantly in need of "juice". Plug it in my car, plug it in at my desk constantly having to plug in my phone for juice.

Now I have an Android phone, a Samsung Galaxy 20 Ultra to be more specific, but the reality is, regardless of the hardware you have, be it an IPhone, Android, and for grins, I'll include Windows phones and Blackberry phones, the reality is, when you need juice, you need juice.

OK What is Juice Jacking?

Regardless of your mobile device, power and data still flow over the same cable. A feature shared by all mobile devices. Even if you are using Apple's proprietary cable or the standard USB mini.

This offers an approach for a malicious user to gain access to your mobile device during the charging process; leveraging the USB data/power cable to gain access the device’s data and/or inject malicious code onto the device this is known as Juice Jacking.

This is by no means a new thing. In fact at BlackHat 2013 security conference, security researchers Billy Lau, YeongJin Jang, and Chengyu Song presented “MACTANS: Injecting Malware Into iOS Devices Via Malicious Chargers”, and here is an excerpt from their presentation abstract:

In this presentation, we demonstrate how an iOS device can be compromised within one minute of being plugged into a malicious charger. We first examine Apple’s existing security mechanisms to protect against arbitrary software installation, then describe how USB capabilities can be leveraged to bypass these defense mechanisms. To ensure persistence of the resulting infection, we show how an attacker can hide their software in the same way Apple hides its own built-in applications.
To demonstrate practical application of these vulnerabilities, we built a proof of concept malicious charger, called Mactans, using a BeagleBoard. This hardware was selected to demonstrate the ease with which innocent-looking, malicious USB chargers can be constructed. While Mactans was built with limited amount of time and a small budget, we also briefly consider what more motivated, well-funded adversaries could accomplish.

Should I be concerned?

Yes! Extremely! No seriously Juice Jacking is still pretty theoretical. And the chance the USB port you're plugging into at the coffee shop or airport are anything more than just that, a charging port. But as with any security risk, you should be aware of the possible threat.

How to protect yourself from Juice Jacking

Even though Juice Jacking is not as a serious threat as a lost or stolen device or downloading malicious software from an app, precautions are still strongly recommended.

Keep your Device Charged: OK seems obvious but not always practical. Keep your phone charged before you head out so using a foreign USB port to charge your phone isn't necessary.

Carry A Portable USB Battery Charger: There are a number of portable battery chargers on the market. Find one that is small enough to carry in your pocket or purse that can charge your phone quickly and securely.

Use your own power charger: Just bring your mobile devices charger. Or better yet buy a second smaller one, that you can use to plug in to any power outlet and easily carny in your bag or purse.

Turn Off Your Phone: So if you must use a public USB port in a kiosk or USB hub, power your phone off before connecting. You will need to check with your phone manufacturer as some phones even powered off still have an active USB circut.

Use Power Only USB cable: You can purchase a power only USB charging cable on Amazon. This will only charge your phone and no data can transfer. It is safe. But since there is no data communication, the phone will by default charge at the slowest level to prevent damage to your phone.

To sum things up, the best protection against a compromised mobile device is awareness. Use the security features of your device and keep it updated with the latest updates from the manufacturer. And avoid using unknown charging stations and computers.

13 views0 comments