Never thought you’d have to worry about cyberattacks from just plugging in
your phone at a charging station? Here’s what to know about it and how to
protect your devices from this USB charger hack
When most people think of cyberattack methods and threats, they think of insecure network connections, phishing emails, and malicious websites. They don’t think of a cybercriminal hijacking a public USB power station. So, if you’re someone who typically whips out a USB charging cable at these public ports when your device battery is approaching 0%, you may want to reconsider. That’s because you may be leaving your phone or other mobile device open to a type of illegal hacking known as “juice jacking.”
Although the term sounds like some sort of energy drink marketed
to teenage boys, juice jacking is a serious cyber security threat for
businesses and consumers alike. Juice jacking USB ports is a tactic that
cybercriminals have been using for several years, although it’s still a
relatively unknown threat to cyber security, information security, and user privacy
as a whole. This may be, in part, because there aren’t many known cases of such
attacks occurring… yet.
But what exactly is juice jacking? How does it work and,
really, why should you care?
Let’s hash it out.
Juice Jacking USB Ports: Not Your Typical Cyberattack Channel
Juice jacking refers to a type of cyberattack in which they commandeer a charging port that doubles as a data connection. Essentially, cybercriminals hijack your power supply (hence “juice” jacking) channel and use it for their own nefarious deeds. They do this to install malware on a victim’s device and/or steal data. This process can include installing tracking programs and mirroring their screen to see (and record) any passwords and PIN codes they enter while the device is charging. Hence why juice jacking is also sometimes known as “juice filming” or “juice filming charging attacks.”
So, for example, this means that when one of your employees
innocently plugs their company-issued mobile device into a public USB port during
a layover at the airport, a cybercriminal could be nearby, waiting to use that
connection to launch an attack against that device.
In some ways, juice jacking is similar to credit card skimming scams (you know, the scams that have been all over the news that involve stealing debit and credit card information from ATMs, gas station pumps, etc.) because it involves a cybercriminal setting up a malicious device over a real charging station port or cable that appears to look like the real deal. Because you can frequently find these public USB charging ports in airports, hotels, and even some modern shopping centers, they make ideal targets for cybercriminals to use to their advantage.
Although this tactic is largely still theoretical in many
ways (because it’s not been studied in the wild), it’s a great opportunity for
hackers and bad news for the rest of us.
The Origins of Juice Jacking: How the USB Charger Hack Got Its Start at Def Con
In 2011, Aries Security researchers Brian Markus and Joseph Mlodzianowski, and Robert Rowley, built and placed a compromised free charging kiosk in a venue known as the Wall of Sheep at DefCon, the world’s largest hacking and security conference that’s held each year in Las Vegas. The Wall of Sheep (named such because they used to actually post people’s names on a wall) is a space that’s known for exposing individuals who demonstrate poor security hygiene to help educate on the dangers of engaging in insecure behaviors. It’s the wall of “honor” on which no IT or cybersecurity expert wants their name to be featured.
According to a 2011 article from Brian Krebs at krebsonsecurity.com, the researchers’ goal was to educate conference-goers about the dangers of charging their devices at random power stations. To make their station enticing, they equipped it with various types of charging cables that would work with the majority of mobile devices they’d expect to find at the conference.
Considering that this is in a room of hackers and security
experts, one would think that this would be a no-brainer. But they were
surprised (and disappointed) to find out that some people will stop at nothing to
ensure their devices have enough juice to get them through the day.
In his article, Krebs goes on to say: “In the three and a half
days of this year’s DefCon, at least 360 attendees plugged their smartphones
into the charging kiosk.”
Why You Should Care About Juice Jacking
Although industry experts agree that juice jacking isn’t necessarily a widespread threat, it’s still enough of a concern that the Los Angeles County District Attorney’s Office decided it was necessary to declare juice jacking as a security threat to travelers during the last holiday season.
Perhaps, part of the reason it’s not viewed as a major
mainstream threat within the cyber security community is because there really
aren’t any verified cases of juice jacking. Malwarebytes reports that “this attack method has not been documented in the wild, outside of a few unconfirmed reports on the east coast and
in the Washington, DC, area.”
Most people view public USB ports as convenient solutions
for dying mobile devices while on the go. And, in all reality, they are — but as
you’re learning, this convenience doesn’t come without risk.
Frankly, we’re not sharing this information to cause wide-spread panic or to make you paranoid. We’re not handing out tinfoil hats here, so there’s no reason to presume that all charging kiosks in public spaces are inherently malicious. We just want to inform you about the risks so you and your employees can make informed decisions about how and where to charge mobile devices. Personally, I always err on the side of caution and prescribe to the “better safe than sorry” mentality when it comes to protecting my devices and data.
Did You Know? There’s More Than One Type of Juice Jacking
Yeah, there are actually two types of juice jacking. Juice
jacking is a broad enough category that it doesn’t just involve the use of malicious
or compromised USB wall chargers for data theft. It also includes the use of
compromised smartphone charging cables.
So, basically, juice jacking attacks typically fall under
one of two categories:
- Data Theft: This type of juice jacking occurs
when victims plug their devices into compromised or fake charging stations
using their data-transmitting USB cables. This allows users to steal
information, including passwords and pins.
- Malicious Installations: This type of juice
jacking involves the victims using compromised mobile device accessories such
as charging cables (such as an O.MG cable, which has a hidden microchip inside
of a USB-C cable). Such a device looks like a regular lightning charging cable,
but it’s essentially a phone charger that steals your info. Hackers could
potentially use these compromised cables to transmit malicious payloads from
your device to a nearby device that they control that’s within Wi-Fi range.
What Manufacturers Are Doing to Fight USB Device-Related Threats
While it’s true that manufacturers like Apple and Microsoft
are continually trying to fix and patch vulnerabilities in their devices, they
aren’t aware of every potential exploit. That being said, Apple, for example,
now requires devices running iOS 11.4.1 or later versions to be unlocked before
they will recognize and use an accessory such as a charging account.
Apple’s iOS Security Guide update from May 2019 (for iOS
12.3) defines its USB restricted mode as aiming to do the following:
To improve security while maintaining usability, Touch ID, Face ID, or passcode entry is required to activate data connections via the Lightning, USB, or Smart Connector interface if no data connection has been established recently. This limits the attack surface against physically connected devices such as malicious chargers, while still enabling usage of other accessories within reasonable time constraints. If more than an hour has passed since the iOS device has locked or since an accessory’s data connection has been terminated, the device won’t allow any new data connections to be established until the device is unlocked. During this hour period, only data connections from accessories that have been previously connected to the device while in an unlocked state will be allowed. Attempts by an unknown accessory to open a data connection during this period will disable all accessory data connections over Lighting, USB, and Smart Connector until the device is unlocked again.”
How to Protect Your Organization’s Endpoint Devices Against Juice Jacking
So, if cybercriminals can potentially hijack USB charging
stations to carry out their attacks, what can you do to protect your organization’s
devices against these types of threats?
Train Employees to Recognize Threats (Like Juice Jacking) and Respond
While we’ve certainly preached about the importance of cyber
awareness training for employees, this is definitely an area that employees can
use training. Whether it’s educating them about why they shouldn’t plug
data-transmitting USB cables into public USB ports or informing them about why
they need to use a virtual private network (VPN) any time they’re connecting to
a non-work network, cyber awareness training is a valuable investment in the
defense of your organization.
If, for some reason, they still need to plug a USB device
into a public USB charging station:
- Use only USB devices from reputable, trusted suppliers.
- Avoid using free, promotional USB charging cables because they could be infected (according to a report in The New York Times).
- Don’t ever use plugs that were left plugged into public USB charging stations.
Also, ensure they understand the importance of selecting
“decline” when they’re asked whether to trust the connected device.
Assign Employees a Power Bank as a Backup Power Supply
Don’t want your employees to risk using a public USB
charging station? Give them an alternative by giving them a power bank to use
while out of the office. Although it’s true that power banks have limited
charging capabilities, they’re likely able to provide enough power to the
employee’s device to hold them over until they’re in a location that has a
traditional AC power wall charger.
Require Employees to Use USB “Condoms” or Power-Only USB Cables in Public
While the former may sound like we’re venturing into NSFW
territory, USB condoms are actually devices that can be used as a buffer
between your data charging cable and a public USB port. Essentially, they’re
data blockers. Much like how a traditional condom blocks other things, the
purpose of the USB condom is to block data from being transmitted between the cable
and the USB port.
When in Doubt, Go the AC Charging Route
Otherwise, another solution is to provide your employees
with “old school” AC adapters for their device or power-only USB cables. These
options allow users to only charge their devices using standard AC power
outlets or the freedom to continue using public USB ports but without the risk
of juice jacking or data hijacking.
Regardless of the term that you prefer using — juice
jacking, juice filming, etc. — this type of practice is a threat to individual
consumers and businesses alike as society becomes more dependent on mobile
devices. While it may not be as big or widespread as a threat as phishing and
ransomware attacks, it’s still something to be cognizant of.
As we all know, hackers are looking for new and creative
ways to infiltrate devices. Whether their goal is to steal their victims’
personal information or to gain access to their employers’ networks, juice
jacking is a threat that simply can’t be ignored. This is why we’re taking the
time to bring this threat to your attention. So not only you’re aware, but so
you can inform your organization’s leadership and employees as well.