Here’s another risk to add to the many issues that business travelers and their organizations must address: juice jacking — a type of cyberattack that involves malicious wall chargers or compromised mobile accessories.
Public USB power charging stations are now ubiquitous in the spaces business travelers frequent, including airports, hotels and other points of transit or accommodation. That’s why every business traveler and organization needs to understand that these resources could be hijacked by cybercriminals as a conduit for delivering malware or stealing sensitive data.
What Is Juice Jacking?
It seems like everybody is suddenly talking about juice jacking, which is likely due in large part to the Los Angeles County District Attorney’s Office declaring that it’s a real threat in a recent security alert. But what is juice jacking, exactly?
USB charging ports in airports, hotels and elsewhere can be replaced with modified versions capable of delivering malware to devices once they’re plugged in. An even easier method is modifying an AC adaptor or even a charging cable to do the same thing. This works, of course, because the USB standard is designed to convey both electricity and data. At public charging stations, people are thinking of using USB only for charging, but cybercriminals intend to use it to steal data or for malware delivery.
The History of Juice Jacking
The data security world first heard about the threat of juice jacking at DefCon in 2011. Researchers from Aires Security set up a public charging kiosk at the event’s “Wall of Sheep” area as part of an experiment about the viability of juice jacking. The kiosk screen advertised a free cell phone charging kiosk, but when users plugged in their devices, the screen changed to a warning about the possibility of a malware payload from public charging stations.
A year later, security researcher Kyle Osborn described an attack called Phone to Phone Android Debug Bridge (P2P-ADB), which used USB OTG (on-the-go) features. That attack involved a cable called the Kos Cable that could enable one Android phone to attack a second Android phone via USB. Specifically, the attack would unlock the victim’s phone and steal authentication keys that provided access to their Google account.
Juice jacking reared its ugly head again at the Black Hat conference in 2013, where a proof-of-concept called Mactans was introduced by Georgia Tech researchers. Mactans used electronics that could fit into a USB wall charger or AC adaptor to deliver iOS malware in 80 seconds. The attacked iOS device would appear normal, and a Trojan would be launched next time the user opened Facebook. The researchers used a low-cost BeagleBoard to power the device.
In 2015, a security researcher named Samy Kamkar introduced an Arduino-based USB AC adaptor called KeySweeper, which could capture (as well as decrypt and record) all keystrokes from any Microsoft wireless keyboard within range.
One year after that, another proof-of-concept hijacked the ability of smartphones to mirror their displays onto another monitor, thereby creating a new security buzzword: “video jacking.” Demonstrated at DefCon, the video jacking attack, which was also developed by Aries Security, involved a USB charging cable that would record and send video footage from a smartphone screen once a connection with the phone was established. This would enable the theft of any personal or authentication data that might appear onscreen. This attack method could affect anyone using an HDMI-ready smartphone.
How Big Is the Threat, Really?
The Federal Bureau of Investigation (FBI), the LA County District Attorney’s Office and even the Better Business Bureau (BBB) have warned the public about the dangers of juice jacking. But some security experts dismiss the threat, claiming that all the news around it comes from ethical researchers demonstrating proof-of-concept hacks and that no known instances of juice jacking have appeared in the wild. Also, modern smartphones now alert users when data is being transferred.
Even so, every threat is theoretical until it isn’t, and when we find out about a new attack in the wild, the data will already have been stolen.
If the remedies for protecting against juice jacking were difficult, complicated or expensive, then these pains would have to be weighed against the low probability of an attack, but the remedies are easy and cheap. It’s also worth pointing out that cybercriminals are increasingly focusing their efforts on attacks against business travelers.
How to Prevent Juice Jacking
Here are some best practices for avoiding juice jacking attacks, which should be part of your ongoing security training programs:
- Don’t use public charging stations that offer USB ports.
- Use your own AC charging adaptor and your own cables to plug into electrical outlets.
- Carry a high-quality, certified mobile battery so you don’t have to rely on power sources of opportunity.
- Don’t use somebody else’s PC for charging your mobile device.
- Use a USB data blocker dongle, which is a product that disables data transfer for USB cables.
A Few Finer Points on the Art of Defeating Juice Jacking
Preventing juice jacking isn’t just about juice jacking per se; it’s also about training executives and employees to categorize accessories like dongles and other devices into one of two categories — able to convey data or unable to convey data. Associates must be wary of anything that fits into the second category. If it can transfer data, it’s usable for malware delivery. Good practices around charging equipment are now a critical element of a larger, integrated approach to cybersecurity.
One of the arguments against juice jacking jitters is that there are easier ways to steal data. For example, simply deploying a honeypot Wi-Fi hot spot at the airport is an easy and common way to attack mobile devices in the area. But certain targets, such as executives, government or military officials, or anyone with high-value data, can be harder to attack using more common methods. A motivated attacker might deploy multiple attack vectors, and this is especially true with regard to industrial espionage attacks. At a target-rich conference, for example, it would be easy to install modified USB charging ports in hotel rooms.
Yet another method for prevention is using a data blocker — a so-called “USB condom” — though this avenue is slightly inconvenient. You have to buy it, carry it, remember to use it and then suffer through the slower charging times these devices typically cause. Also, these data blockers are generally available for USB 2 connections but usually don’t work for faster USB 3 connections. The dongles typically cost around $10, so it makes sense to buy one and carry it with you in case you ever find yourself in desperate need of power from either a public charging station or a potentially infected computer.
One more point to keep in mind is that many anti-juice jacking methods involve using authorized cables and adaptors. Even if you or your organization isn’t worried about this specific threat, it’s still a good idea to use good charging practices. Cheap, unauthorized or knock-off cables can reduce battery performance and even put devices at risk of being damaged. Bad cables and adaptors also represent a fire risk, so using known, reputable charging cables and adaptors is always a good practice anyway.
The bottom line is that juice jacking is either a rare or currently unpracticed attack that’s brimming with potential for cybercriminals and spies. Because the remedies are so easy and inexpensive and tend to offer other benefits as well, it makes sense to integrate anti-juice jacking measures into your organization’s overall cybersecurity plans.