Phone Security. PHOTO: Cybercrime Magazine.

Juice Jacking: Beware Of Rogue Power Sources

Don’t be tempted when your phone is down to 5 percent

David Braue

Melbourne, Australia – Apr. 7, 2021

If you had to list the potential cyber risks that may cross your mind while going about your daily business, the risk of getting compromised while charging your phone probably wouldn’t even make the top five.

But that, Steve Beatty argues, is exactly why you need to be particularly careful about where you plug in your phones and other devices — which can very well be compromised simply by plugging them into the wrong USB port.

“Juice jacking,” as it’s called, most often stems from rogue power points typically installed in public spaces where people may be quite casual about which power sources they tap.

A free USB port can be a tempting thing when your phone is down to 5 percent power — but times of desperation are exactly when you need to be doubly careful.

“If you go to an airport or hotel and plug into their USB charging port, the concern is that it’s not just electricity coming into and out of their ports,” Beatty — interim chair and a professor in the Department of Computer Sciences at the Metropolitan State University of Denver (MSU Denver) — told Cybercrime Magazine.

“It’s indeed possible that attacks are coming in and out of those USB charging ports,” he said, “and I don’t think we can just essentially ignore the fact that any time we plug our devices into a USB charger of essentially unknown provenance — we don’t know who manufactured it, who installed it, or who’s monitoring it — then all bets around cybersecurity are off.”

Cybercrime Radio: What you need to know about Juice Jacking

Cybersecurity expert advises not to use public power sources

Since it first came to public attention a decade ago, the storied history of juice jacking — which was proven possible by hackers who exploited early phones’ tendency to allow full data access to any computer they plugged into using USB — has expanded to include a number of proofs of concept, including a purpose-built cable enabling one Android phone to attack another via USB.

Another spinoff was “video jacking,” which was demonstrated at the 2016 Def Con conference and tapped phones’ built-in HDMI-USB phone mirroring to allow attackers to view and record the screens of users while they are charging — meaning they could steal lock-screen codes, passwords, personal information, and other information whenever a victim’s phone was connected to the booth.

“I implore you to think twice before charging your device directly at a USB wall jack of unknown origins,” security researcher and juice-jacking proof-of-concept developer Robert Lei explains in his potted history of the method — which was single-handedly responsible for many of today’s phones’ trusted-access controls.

“Even if there is a pop-up on the screen asking whether users can trust the device they’ve plugged into,” Beatty said, “most people — maybe naively — are just going to say ‘sure, it’s just a wall charger and I trust that I’m going to get charged from this’… and all of a sudden, all of their PDFs are being sent to a remote host.”

Pushing the boundaries — and closing the gap

For Beatty — and the more than 200 students participating in MSU Denver’s now three-year-old undergraduate and postgraduate curricula — juice jacking is one of many topics the students have engaged with as they tap the educational and career-development opportunities emerging as MSU Denver partners across Colorado’s diverse defense and security communities, enabling “boots on the ground” internships.

“We’re going to have people coming out of our programs who are really well-trained around security analysis, threat analysis, and those sorts of things,” Beatty said, “and it’s going to be awesome for the students to be able to get their hands on some training.”

Students have access to a range of high-grade cybersecurity tools — including a purpose-built security operations center (SOC) — that help them test all kinds of network compromises and potentially dangerous use-cases.

That includes juice jacking, which for cybercriminals is a potentially intimate interface into a phone that could be filled with private photos, sensitive government or corporate information, or even seemingly mundane information — such as the movements of a company executive — that could help tweak a business email compromise (BEC) attack for maximum effectiveness.

Anticipating these attacks in an academic setting provides an opportunity to think out attacks — and, in the process, consider how cybersecurity leaders might defend against them.

A real-world compromise would, for example, likely require the installers of hotel and airport charging ports to be compromised before they set up the devices, Beatty said, “or somebody can come along behind them and reinstall the nefarious charging port. … It’s about how well protected those devices are” and how well they can be monitored for compromise once in place.

With ready access to AC power, developers of juice-jacking devices can incorporate power-draining technologies that might prove problematic for other portable, battery-powered devices.

Some proofs of concept have embedded tiny computers and communications devices inside the charging “wall warts,” allowing attackers to collect data and surreptitiously collect it from the device without having to physically interact with it.

Desktop users already have some tools capable of detecting such compromises, although Beatty conceded that tools like Little Snitch — which allow users to monitor every device their computer is connecting to — “are much more difficult to do on our mobile devices, and the user interface wouldn’t make a lot of sense to most people.”

“We just don’t have that kind of data loss prevention yet in most of our mobile devices,” he added, “but that will be a positive thing when we do.”

David Braue is an award-winning technology writer based in Melbourne, Australia.

Go here to read all of David’s Cybercrime Magazine articles.