Juice jacking

{{Short description|Mobile security risk}}

File:DVERE MHD 028.jpg

File:Alaska Airlines International Power Outlets.jpg

File:Leviton NEMA 5-15R with USB.jpeg

Juice jacking is a theoretical type of compromise of devices like smartphones and tablets which use the same cable for charging and data transfer, typically a USB cable. The goal of the attack is to either install malware on the device, or to surreptitiously copy potentially sensitive data.{{cite news |last=Bernard |first=Francisco |url=https://www.kcci.com/article/data-blocker-juice-jacking/60568770 |title=How this tiny gadget can protect your data from getting stolen |work=KCCI |location=Des Moines |date=April 22, 2024 |access-date=April 22, 2024 |archive-url=https://web.archive.org/web/20240422212717/https://www.kcci.com/article/data-blocker-juice-jacking/60568770 |archive-date=April 22, 2024}} {{As of |April 2023}} there have been no credible reported cases of juice jacking outside of research efforts.{{Cite web |last=Goodin |first=Dan |date=2023-05-01 |title=Those scary warnings of juice jacking in airports and hotels? They're nonsense |url=https://arstechnica.com/information-technology/2023/05/fearmongering-over-public-charging-stations-needs-to-stop-heres-why/ |access-date=2023-05-01 |website=Ars Technica |language=en-us}}

Published research

The Wall of Sheep, an event at Defcon, has set up and allowed public access to an informational juice jacking kiosk each year at Defcon since 2011. Their intent is to bring awareness of this attack to the general public. Each of the informational juice jacking kiosks set up at the Wall of Sheep village have included a hidden CPU, which is used in some way to notify the user that they should not plug their devices in to public charging kiosks. The first informational juice jacking kiosk included a screen that would change from "Free charging station" to a warning message that the user "should not trust public charging stations with their devices".{{citation |website=Wall of Sheep |title=Juice jacking|url=https://www.wallofsheep.com/pages/juice}} One of the researchers who designed the charging station for the Wall of Sheep has given public presentations showcasing more malicious acts that could be taken via the kiosk, such as data theft, device tracking and information on compromising existing charging kiosks.{{citation |first=Robert |last=Rowley |title=Juice jacking 101 |date=29 June 2013 |url=https://www.slideshare.net/RobertRowley/juice-jacking-101-23642005 |via=SlideShare}}

Security researcher Kyle Osborn released an attack framework called P2P-ADB in 2012, which utilized USB On-The-Go to connect an attacker's phone to a target victim's device. This framework included examples and proof of concepts that would allow attackers to unlock locked phones, steal data from a phone including authentication keys granting the attacker access to the target device owner's Google Account.{{citation |first=Kyle |last=Osborn |title=P2P-ADB |url=https://github.com/kosborn/p2p-adb/ |website=Github}}

Security researcher graduates and students from Georgia Tech released a proof-of-concept malicious tool "Mactans" that utilized the USB charging port on Apple mobile devices at the 2013 Blackhat USA security briefings. They utilized inexpensive hardware components to construct a small sized malicious wall charger that could infect an iPhone with the then-current version of iOS with malicious software while it was being charged. The software could defeat any security measures built into iOS and mask itself in the same way Apple masks background processes in iOS.{{citation |author=Billy Lau |display-authors=etal |title=Mactans: Injecting malware into iOS devices via malicious chargers |place=Black Hat Briefings |year=2013 |url=https://media.blackhat.com/us-13/US-13-Lau-Mactans-Injecting-Malware-into-iOS-Devices-via-Malicious-Chargers-WP.pdf }}

Security researchers Karsten Nohl and Jakob Lell from SRLabs published their research on BadUSB during the 2014 Blackhat USA security briefings.{{citation |title=BadUSB - On Accessories that Turn Evil |url=https://www.blackhat.com/us-14/briefings.html#badusb-on-accessories-that-turn-evil |website=Black Hat Briefings USA 2014}}{{citation |first1=Karsten |last1=Nohl |first2=Jakob |last2=Lell |title=BadUSB - On Accessories that Turn Evil |date=11 August 2014 |place=Blackhat USA 2014 |url=https://www.youtube.com/watch?v=nuruzFqMgIw |via=YouTube}} Their presentation on this attack mentions that a cellphone or tablet device charging on an infected computer would be one of the simplest method of propagating the BadUSB vulnerability. They include example malicious firmware code that would infect Android devices with BadUSB.{{citation |title=Turning USB peripherals into BadUSB |url=https://srlabs.de/badusb/|website=SRLabs.de |access-date=2015-09-28|archive-date=2016-04-18 |archive-url=https://web.archive.org/web/20160418134155/https://srlabs.de/badusb/ |url-status=dead}}

Researchers at Aries Security and the Wall of Sheep later revisited the juice jacking concept in 2016. They set up a "Video Jacking" charging station, able to record the mirrored screen from phones plugged into their malicious charging station. Affected devices at the time included Android devices supporting SlimPort or MHL protocols over USB, as well as the most recent iPhone using an Apple Lightning charging cable connector.{{citation |author=Brian Krebs |author-link=Brian Krebs |website=Krebs on Security |title=Road Warriors: Beware of 'Video Jacking' |url=https://krebsonsecurity.com/2016/08/road-warriors-beware-of-video-jacking/ |date=2016-08-11}}

Researchers at Symantec disclosed their findings on an attack they called "Trustjacking"{{citation |first=Roy |last=Iarchy |title=iOS Trustjacking – A Dangerous New iOS Vulnerability |url=https://symantec-enterprise-blogs.security.com/blogs/feature-stories/ios-trustjacking-dangerous-new-ios-vulnerability |date=2018-04-18}} during the 2018 RSA Conference. The researchers identified that when a user approves access for a computer on an iOS device over USB, that this trusted access level is also applied to the device's iTunes API, which is accessible over Wi-Fi. This would allow attackers access to an iOS device even after the user had unplugged the device from a malicious or infected USB-based charge source.

A researcher who goes by _MG_ released a USB cable implant they called the "O.MG Cable".{{citation |title=O.MG Cable |work=MG |url=https://mg.lol/blog/omg-cable/ |date=2019-12-31}} The O.MG Cable has a microcontroller embedded within the cable and a visual inspection would likely not detect a difference between the O.MG cable and a normal charging cable. The O.MG Cable allows attackers or red team penetration testers to remotely issue commands to the cable over Wi-Fi, and have those commands run on the host computer with the O.MG cable plugged in to it.

Mitigation

File:Condom USB de PortaPow.jpg

Already in 2013, both iOS and Android devices got updates to mitigate the threat.

Apple's iOS has taken multiple security measures to reduce the attack surface over USB including no longer allowing the device to automatically mount as a hard drive when plugged in over USB, as well as release security patches for vulnerabilities such as those exploited by Mactans.

Android devices commonly prompt the user before allowing the device to be mounted as a hard drive when plugged in over USB. In release 4.2.2, Android implemented a whitelist verification step to prevent attackers from accessing the Android Debug Bridge without authorization.{{citation |url=http://www.androidpolice.com/2013/02/12/new-android-4-2-2-feature-usb-debug-whitelist-prevents-adb-savvy-thieves-from-stealing-your-data-in-some-situations/|website=Android Police |title=New Android 4.2.2 Feature: USB Debug Whitelist Prevents ADB-Savvy Thieves From Stealing Your Data (In Some Situations) |date=2013-02-12}}

= Mitigation by hardware =

Juice jacking is not possible if a device is charged via a trusted AC adapter or battery backup device, or if using a USB cable with only power wires. For USB cables with data wires, a USB data blocker (sometimes called a USB condom){{Cite web |title='USB condom' to keep you safe while travelling |url=https://timesofindia.indiatimes.com/gadgets-news/usb-condom-to-keep-you-safe-while-travelling/articleshow/72335421.cms |date=2019-12-02 |access-date=2021-11-03 |website=The Times of India |language=en}} can be connected between device and charging port to disallow a data connection.{{Cite web |title=How A Data Blocker Can Protect Your Smartphone |url=https://www.gizmodo.com.au/2021/01/what-is-a-data-blocker-do-you-need-one-for-your-phone/ |date=2021-01-11 |access-date=2021-11-03 |website=Gizmodo Australia |language=en-AU |archive-url=https://web.archive.org/web/20211103094055/https://www.gizmodo.com.au/2021/01/what-is-a-data-blocker-do-you-need-one-for-your-phone/ |archive-date=2021-11-03}}

References