Juice jacking

The Wall of Sheep, an event at Defcon has set up and allowed public access to an informational juice jacking kiosk each year at DefCon since 2011. Their intent is to bring awareness of this attack to the general public. Each of the informational juice jacking kiosks set up at the Wall of Sheep village have included a hidden CPU which is used in some way to notify the user that they should not plug their devices in to public charging kiosks. The first informational juice jacking kiosk included a screen which would change from "Free charging station" to a warning message that the user "should not trust public charging stations with their devices".[1] One of the researchers who designed the charging station for the Wall of Sheep has given public presentations which showcase more malicious acts which could be taken via the kiosk, such as data theft, device tracking and information on compromising existing charging kiosks.[2]

Security researcher Kyle Osborn released an attack framework called P2P-ADB in 2012 which utilized USB On-The-Go to connect an attacker's phone to a target victim's device. This framework included examples and proof of concepts which would allow attackers to unlock locked phones, steal data from a phone including authentication keys granting the attacker access to the target device owner's Google account.[3]

Security researcher graduates and students from the Georgia Institute of Technology (Georgia Tech) released a proof of concept malicious tool "Mactans" which utilized the USB charging port on Apple mobile devices at the 2013 Blackhat USA security briefings. They utilized inexpensive hardware components to construct a small sized malicious wall charger which could infect an iPhone with the then-current version of iOS with malicious software while it was being charged. The software could defeat any security measures built into iOS and mask itself in the same way Apple masks background processes in iOS.[4]

Security researchers Karsten Nohl and Jakob Lell from SRLabs published their research on BadUSB during the 2014 Blackhat USA security briefings.[5][6] Their presentation on this attack mentions that a cellphone or tablet device charging on an infected computer would be one of the simplest method of propagating the BadUSB vulnerability. They include example malicious firmware code that would infect Android devices with BadUSB.[7]

Researchers at Aries Security and the Wall of Sheep later revisited the juice jacking concept in 2016. They set up a "Video Jacking" charging station which was able to record the mirrored screen from phones plugged into their malicious charging station. Affected devices at the time included Android devices supporting SlimPort or MHL protocols over USB, as well as the most recent iPhone using a lightning charge cable connector.[8]

Researchers at Symantec disclosed their findings on an attack they dubbed "Trustjacking"[9] during the 2018 RSA Conference. The researchers identified that when a user approves access for a computer on an iOS device over USB, that this trusted access level is also applied to the devices's iTunes API which is accessible over wifi. This would allow attackers access to an iOS device even after the user has unplugged the device from a malicious or infected USB based charge source.

A researcher who goes by _MG_ released a USB cable implant they dubbed the "O.MG Cable". [10] The O.MG Cable has a micro-controller embedded within the cable itself, a visual inspection would likely not detect a difference between the O.MG cable and a normal charging cable. The O.MG Cable allows attackers or red team penetration testers to remotely issue commands to the cable over wifi, and have those commands be ran on the host computer with the O.MG cable plugged in to it.

Brian Krebs was the first to report on this attack and coined the term "juice jacking." After seeing the informational cell phone charging kiosk set up in the Wall of Sheep at DefCon 19 in August 2011, he wrote the first article on his security journalism site Krebs on Security.[11] The Wall of Sheep researchers—including Brian Markus, Joseph Mlodzianowski, and Robert Rowley—designed the kiosk as an information tool to bring awareness to the potential attack vector, and they have discussed but not released tools publicly which perform malicious actions on the charging devices.[2]

An episode of the hacking series Hak5 released in September 2012 showcased a number of attacks which can be utilized using an attack framework named P2P-ADB released by Kyle Osborn. The P2P-ADB attack framework discussed utilized one phone to attack another phone over a USB on the Go connection.[12]

In late 2012, a document was released by the NSA warning government employees who travel about the threat of juice jacking and reminding the reader that during overseas travel only to use their personal power charging cables and not to charge in public kiosks or by utilizing other people's computers.[13] [14]

The Android Hackers Handbook released in March 2014 has dedicated sections discussing both juice jacking and the ADB-P2P framework.[15]

Juice jacking was the central focus on an episode of CSI: Cyber. Season 1: Episode 9, "L0M1S" aired in April 2015[16]

In November 2019, the Los Angeles Deputy District Attorney issued a public service announcement warning about the risks of juice jacking during the upcoming holiday travel season.[17] This PSA came under scrutiny due to the fact no public cases have come to light related to malicious charging kiosks found in public, nor any criminal cases being tried under the Los Angeles District Attorney's purview at the time of the PSA.[18]

A USB condom.

Apple's iOS has taken multiple security measures to reduce the attack surface over USB including no longer allowing the device to automatically mount as a hard drive when plugged in over USB, as well as release security patches for vulnerabilities such as those exploited by Mactans.[4]

Android devices commonly prompt the user before allowing the device to be mounted as a hard drive when plugged in over USB. Since release 4.2.2, Android has implemented a whitelist verification step to prevent attackers from accessing the Android Debug Bridge without authorization.[19]

Juice jacking is not possible if a device is charged via the AC adapter shipped with the device, a battery backup device, or by utilizing a USB cable with only power wires and no data wires present. A tool originally called the USB Condom was released in 2012 with the sole purpose of disallowing data connections to be passed over a USB cable, there are many vendors now selling USB adapters which remove the data pins.

You may have noticed that, when you charge your phone through the USB port of your computer or laptop, it also opens up the option to transfer files back and forth between the two systems. That is because a USB port is not merely a power socket. A USB connector has five pins. And only one is needed to charge the phone. Two of the others are by default used for data transfer.

Unless you have made the changes in your phone’s settings, the data transfer mode is disabled by default. The connection is only visible on the power supply end, which typically in the case of juice jacking is not the mobile’s owner. That means, anytime a user attaches a USB port to charge, they could open up a pathway to transfer data between devices. A capability threat attacker could abuse this to steal data or install malware.[20]

There are two ways by which juice jacking works:

1. Data theft: While charging, the data is stolen from the connected device.
2. Malware installation: As soon as the connection is established, malware is sent to the connected device. The malware will remain on the device until it is identified and then removed by the user.

1. Data Theft[22]

In this first type of juice-jacking, the cybercriminals could steal any of your data from mobile devices connected to the charging stations. But there won’t be a hacker sitting behind the authority of the kiosk.

Data can be looted fully automated. A cybercriminal could breach an unsecured charging station using malware, and then put an additional payload that may steal your information from the connected devices. Crawlers may search your phone for your account details, banking-related stuff or credit/debit card data in seconds.

Cybercriminals do not necessarily target a specific audience for data theft. A threat actor would be extremely happy to fool a potential executive or a government personnel target into using a charging station. However, the odds of that happening are rather slim. Instead, they know that our mobile devices store a lot of useful information, which can be sold on the dark web for profit.

2. Malware installation

The second type of juice-jacking attack involves installing malware onto the user’s device through the same USB connection. In this, data theft isn’t the end goal. If threat actors were to steal data through malware installed on a mobile device, it won’t happen upon USB connection but takes place over time. By this way, hackers could gather more and varied data, such as user’s GPS locations, social media interactions, images and videos, call log details, and some other ongoing processes as well.[2]

There are many categories of malware that cybercriminals could install on your device through juice jacking, including adware, spyware, crypto-miners, ransomware, or Trojans. Android malware today is as versatile as malware aimed at Windows systems. Cryptominers mine a device’s CPU or GPU for cryptocurrency hacking and drain its battery. The ransomware freezes devices and demands a ransom. Spyware allows long-term surveying and keeps track of the target. Whereas, the Trojans hide in the background and infect several files at their will.

• Never use a free USB port or charging cable. Carry your charging adapter and cable whenever you’re travelling. This would save you from being at the disposal of crackers at the public charging stations.

• It is advisable to invest in a power bank that can be used in case you can't find an empty wall socket.

• If you insist on charging your device via a USB port, it is recommended you should purchase “USB condoms”. They provide an extra layer of security and protection between the port and the mobile device.
• Switch your phone off if you are using a charger/adapter that is not yours, especially in public places. This allows the power to travel to the phone without having any data transit taking place. There is a one way flow hence no data flows out of the device.
• Use Charge Only USB cables in public places. The charge only cables only charge a device and do not allow data transfers. It is a two conductor cable, hence stops malicious people from juice jacking .
• Do not accept the request to allow the cable to be used for data transfer. In case only a data cable is accessible, 'cancel' the request to transfer data hence blocking the data flow and allowing it to only charge.