"Juice Jacking"--Potential for Data Theft Via Free Public Chargers

P

plat

Level 29
Thread author
Top Poster
Sep 13, 2018
1,793
Content source
https://abc7news.com/juice-jacking-hacked-usb-charging-station-compromised-charger-iphone/13109738/
Heard about this on the local NYC news this morning and this is actually the first time I've heard this term. Probably most here are aware of the potential risks but anyway.

The @FBIDenver Twitter account tweeted last Thursday that people should avoid free public charging stations at locations like "airports, hotels, or shopping centers" because of this cybersecurity risk. The alliterative term "juice jacking" refers to "bad actors" who have hacked or otherwise altered public USB ports so that when an unsuspecting user plugs their device in to charge, it can be infiltrated with malware or monitoring software.
Click to expand...

The Denver FBI said their warning was merely a public service announcement and was not prompted by any particular recent incident. "Juice jacking" is a term that's been used for decades, with regular warnings making the rounds. The Federal Communications Commission has a dedicated page to the scam, noting that "malware installed through a dirty USB port can lock a device or export personal data and passwords directly to the perpetrator."
Click to expand...
 
  • Like
  • +Reputation
Reactions: Nevi, upnorth, Trooper and 6 others
H

HarborFront

Level 71
Verified
Top Poster
Content Creator
Oct 9, 2016
6,034
Also, make sure you are not offered USB cables for charging. They could have been modified too. Using modified cables is known as USBHarpoon.

Use USB Data Blocker to prevent both.

Read my write-up and protection of USB ports/devices here

malwaretips.com

Guide | How To - A Comprehensive Protection of USB Ports/Devices

29 different types of USB attacks are listed below, even one type which can break out of a virtual machine Here's a List of 29 Different Types of USB Attacks - Guardian360 In short, no USB device inserted means you are protected, right? Wrong! MouseJack is a class of vulnerabilities that...
malwaretips.com malwaretips.com
 
Last edited:
  • Like
  • +Reputation
  • Applause
Reactions: Nevi, [correlate], Trooper and 3 others
Gandalf_The_Grey

Gandalf_The_Grey

Level 76
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,617
Be Skeptical of FBI Warnings About Phone Chargers
Every few years, an unsourced report circulates that “the FBI says plugging into public charging kiosks is dangerous.” Here’s why you should ignore the freakout and install software updates regularly.

Your phone is designed to communicate safely with lots of things – chargers , web sites, Bluetooth devices such as earbuds or speakers, Wi-Fi, and even other phones, for instance when sending and receiving text messages. If doing any of these normal phone things can give your phone malware, that is a security vulnerability (which is a type of bug).

Security vulnerabilities happen with some frequency. That is why your phone prompts you to update your software so often – the makers of its software find out about bugs and fix them.

So, when you hear a report that public chargers are giving people malware, you should ask “what is the vulnerability being used, and when will it be fixed?” as well as “how widespread is the problem? How many people are affected?” Unfortunately, the periodic reports of “juice jacking” never have such details, usually because they are recycled from earlier reports which themselves lack details.

The most recent news reports reference a tweet from the FBI Denver field office. According to reporter Dan Goodin’s conversation with an FBI spokesperson, the field office relied on an article the FCC published in 2019 warning about USB charging stations. The only source for that article was a warning from the Los Angeles County District Attorney’s Office that did not itself allege any specific bug or specific instances of charging stations being used for attacks. The FCC later quietly removed the sourcing from its article, allowing itself to be incorrectly treated as a primary source for juice jacking claims.

While the video from the LA County D.A. doesn’t mention it, the ultimate source for the term “juice jacking” is a Brian Krebs article from 2011 reporting on a vulnerability demonstrated at DEFCON that year. As you can imagine, phone security has changed dramatically since 2011. And so far there have been no reports of widespread exploitation of USB vulnerabilities in the wild.
Click to expand...
www.eff.org

Be Skeptical of FBI Warnings About Phone Chargers

Every few years, an unsourced report circulates that “the FBI says plugging into public charging kiosks is dangerous.” Here’s why you should ignore the freakout and install software updates regularly. Your phone is designed to communicate safely with lots of things – chargers , web sites...
www.eff.org www.eff.org
 
  • Like
  • +Reputation
Reactions: vtqhtr413, plat, Nevi and 4 others
upnorth

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,459

2019
Click to expand...

Make no mistake, we’d advise you to use your own charger whenever you can, and not to rely on unknown USB connectors or cables, not least because you have no idea how safe or reliable the voltage converter in the charging circuit might be. You don’t know whether you are going to get a well-regulated 5V DC, or a voltage spike that harms your device.

A destructive voltage could arrive by accident, for example due to a cheap-and-cheerful, non-safety-compliant charging circuit that saved a few cents on manufacturing costs by illegally failing to follow proper standards for keeping the mains parts and the low-voltage parts of the circuitry apart. Or a rogue voltage spike could arrive on purpose: long-term Naked Security readers will remember a device that looked like a USB storage stick but was dubbed the USB Killer, which we wrote about back in 2017:
Click to expand...
nakedsecurity.sophos.com

FBI and FCC warn about “Juicejacking” – but just how useful is their advice?

USB charging stations – can you trust them? What are the real risks, and how can you keep your data safe on the road?
nakedsecurity.sophos.com nakedsecurity.sophos.com
 
  • Like
  • +Reputation
Reactions: vtqhtr413, plat, [correlate] and 2 others
P

plat

Level 29
Thread author
Top Poster
Sep 13, 2018
1,793
Looks like the original article in post #1 is a bit Fud-dish? Ooo la-la! Well, here's an addendum. So should one still be concerned? Ars says "no" with some exceptions, like if one is targeted by a state actor.

“At a high level, if nobody can point to a real-world example of it actually happening in public spaces, then it’s not something that is worth stressing about for the general public,” Mike Grover, a researcher who designs offensive hacking tools and does offensive hacking research for large companies, said in an interview. “Instead, it points to viability only for targeted situations. People at risk of that, hopefully, have better defenses than a nebulous warning.”
Click to expand...

arstechnica.com

Those scary warnings of juice jacking in airports and hotels? They’re mostly nonsense

Juice jacking attacks on mobile phones are nonexistent. So why are we so afraid?
arstechnica.com arstechnica.com
 
  • Like
  • Applause
Reactions: Gandalf_The_Grey, vtqhtr413 and Jonny Quest
You must log in or register to reply here.

Similar threads

Gandalf_The_Grey
    • Like
    • +Reputation
    • Wow
Medtronic MiniMed 600 Series Insulin Pump System Potential Cybersecurity Risk
Replies
0
Views
497
News Archive
Gandalf_The_Grey
Gandalf_The_Grey
H
    • +Reputation
    • Like
    • Thanks
Guide | How To A Comprehensive Protection of USB Ports/Devices
Replies
8
Views
2,502
Guides - Privacy & Security Tips
simmerskool
simmerskool
silversurfer
    • +Reputation
    • Like
USB-C to become charging standard for most electronics in EU by 2024
Replies
0
Views
537
News Archive
silversurfer
silversurfer

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top