FBI and FCC warn about “Juicejacking” – but just how useful is their advice?

Security

If you’d never heard the cybersecurity jargon word “juicejacking” until the last few days (or, indeed, if you’d never heard it at all until you opened this article), don’t get into a panic about it.

You’re not out of touch.

Here at Naked Security, we knew what it meant, not so much because it’s a clear and public danger, but that we remembered the word from a while ago… close to 12 years ago, in fact, when we first wrote up a series of tips about it:

Back in 2011, the term was (as far as we can tell) brand new, written variously as juice jacking, juice-jacking, and, correctly, in our opinion, simply as juicejacking, and was coined to describe a cyberattack technique that had just been demonstrated at the Black Hat 2011 conference in Las Vegas.

Juicejacking explained

The idea is simple: people on the road, especially at airports, where their own phone charger is either squashed away deep in their carry-on luggage and too troublesome to extract, or packed into the cargo hold of a plane where it cant’t be accessed, often get struck by charge anxiety.

Phone charge anxiety, which first became a thing in the 1990s and 2000s, is the equivalent of electric vehicle range anxiety today, where you can’t resist squeezing in just a bit more juice right now, even if you’ve only got a few minutes to spare, in case you hit a snag later on in your journey.

But phones charge over USB cables, which are specifically designed so they can carry both power and data.

So, if you plug your phone into a USB outlet that’s provided by someone else, how can you be sure that it’s only providing charging power, and not secretly trying to negotiate a data connection with your device at the same time?

What’s if there’s a computer at the other end that’s not only supplying 5 volts DC, but also sneakily trying to interact with your phone behind your back?

The simple answer is that you can’t be sure, especially if its 2011, and you’re at the Black Hat conference attending a talk entitled Mactans: Injecting malware into iOS devices via malicious chargers.

The word Mactans was meant to be a BWAIN, or Bug With An Impressive Name (it’s derived from latrodectus mactans, the small but toxic black widow spider), but “juicejacking” was the nickname that stuck.

Interestingly, Apple responded to the juicejacking demo with a simple but effective change in iOS, which is pretty close to how iOS reacts today when it’s hooked up over USB to an as-yet-unknown device:

“Trust-or-not” popup introduced in iOS 7, following a public demo of juicejacking.

Android, too, doesn’t allow previously unseen computers to exchange files with your phone until you have tapped in your approval on your own phone, after unlocking it.

Is juicejacking still a thing?

In theory, then, you can’t easily get juicejacked any more, because both Apple and Google have adopted defaults that take the element of surprise out of the equation.

You could get tricked, or suckered, or cajoled, or whatever, into agreeing to trust a device you later wish you hadn’t…

…but, in theory at least, data grabbing can’t happen behind your back without you first seeing a visible request, and then replying to it yourself by tapping a button or choosing a menu option to enable it.

We were therefore a bit surprised to see both the US FCC (the Federal Communications Commission) and the FBI (the Federal Bureau of Investigation) publicly warning people in the last few days about the risks of juicejacking.

In the words of the FCC:

If your battery is running low, be aware that juicing up your electronic device at free USB port charging stations, such as those found in airports and hotel lobbies, might have unfortunate consequences. You could become a victim of “juice jacking,” yet another cyber-theft tactic.

Cybersecurity experts warn that bad actors can load malware onto public USB charging stations to maliciously access electronic devices while they are being charged. Malware installed through a corrupted USB port can lock a device or export personal data and passwords directly to the perpetrator. Criminals can then use that information to access online accounts or sell it to other bad actors.

And according to the FBI in Denver, Colorado:

Bad actors have figured out ways to use public USB ports to introduce malware and monitoring software onto devices.

How safe is the power supply?

Make no mistake, we’d advise you to use your own charger whenever you can, and not to rely on unknown USB connectors or cables, not least because you have no idea how safe or reliable the voltage converter in the charging circuit might be.

You don’t know whether you are going to get a well-regulated 5V DC, or a voltage spike that harms your device.

A destructive voltage could arrive by accident, for example due to a cheap-and-cheerful, non-safety-compliant charging circuit that saved a few cents on manufacturing costs by illegally failing to follow proper standards for keeping the mains parts and the low-voltage parts of the circuitry apart.

Or a rogue voltage spike could arrive on purpose: long-term Naked Security readers will remember a device that looked like a USB storage stick but was dubbed the USB Killer, which we wrote about back in 2017:

By using the modest USB voltage and current to charge a bank of capacitors hidden inside the device, it quickly reached the point at which it could release a 240V spike back into your laptop or phone, probably frying it (and perhaps giving you a nasty shock if you were holding or touching it at the time).

How safe is your data?

But what about the risks of getting your data slurped surreptitiously by a charger that also acted as a host computer and tried to take over control of your device without permission?

Do the security improvements introduced in the wake of the Mactans juicejacking tool back in 2011 still hold up?

We think they do, based on plugging an iPhone (iOS 16) and a Google Pixel (Android 13) into a Mac (macOS 13 Ventura) and a Windows 11 laptop (2022H2 build).

Firstly, neither phone would connect automatically to macOS or Windows when plugged in for the first time, whether locked or unlocked.

When plugging the iPhone into Windows 11, we were asked to approve the connection every time before we could view content via the laptop, which required the phone to be unlocked to get at the approval popup:

Popup whenever we plugged the iPhone into a Windows 11 laptop.

Plugging the iPhone into our Mac for the first time required us to agree to trust the computer at the other end, which obviously required unlocking the phone (though once we’d agreed to trust the Mac, the phone would immediately show up in the Mac’s Finder app when connected in future, even if it was locked at the time):

Modern “trust” popup when our Mac first met our iPhone.

Our Google phone needed to be told to switch its USB connection out of No data mode every time we plugged it in, which meant opening the Settings app, which required the device to be unlocked first:

Google Android phone after connection to Windows 11 or macOS 13.

The host computers could see that the phones were connected whenever they were plugged in, thus giving them access to the name of the device and various hardware identifiers, which is a small amount of data leakage you should be aware of, but the data on the phone itself was apparently off limits.

Our Google phone behaved the same way when plugged in for the second, third or subsequent time, identifying that there was a device connected, but automatically setting it into No data mode as shown above, making your files invisible by default both to macOS and to Windows.

Untrusting computers on your iPhone

By the way, one annoying misfeature of iOS (we consider it a bug, but that is an opinion rather than a fact) is there is no menu in the iOS Settings app where you can view a list of computers you’ve previously trusted, and revoke trust for individual devices.

You’re expected to remember which computers you’ve trusted, and you can only revoke that trust in an all-or-nothing way.

To untrust any individual computer, you have to untrust them all, via the not-in-any-way-obvious and deeply nested Settings > General > Transfer or Reset iPhone > Reset Location & Privacy screen, under a misleading heading that suggests these options are only useful when you buy a new iPhone:

Hard-to-find iOS option for unrtusting computers you’ve connected to before.

What to do?

  • Avoid unknown charging connectors or cables if you can. Even a charging station set up in good faith might not have the electrical quality and voltage regulation you would like. Avoid cheap mains chargers, too, if you can. Bring a brand you trust along with you, or charge from your own laptop.
  • Lock or turn off your phone before connecting it to a charger or computer. This minimises the risk of accidentally opening up files to a rogue charging station, and ensures that the device is locked if it gets grabbed and stolen at a multi-user charging unit.
  • Consider untrusting all devices on your iPhone before risking an unknown computer or charger. This ensures there are no forgotten trusted devices you may have set up by mistake on a previous trip.
  • Consider acquiring a power-only USB cable or adapter socket. “Dataless” USB-A plugs are easy to spot because they have only two metallic electrical connectors in their housing, at the outer edges of the socket, rather than four connectors across the width. Note that the inner connectors aren’t always immediately obvious because they don’t come right to the edge of the socket – that’s so the power connectors make contact first.

Power-only bicycle light USB-A connector with outside metallic connectors only.
The pink rectangles indicate roughly where the data connectors would be.

Products You May Like

Articles You May Like

HubPhish Exploits HubSpot Tools to Target 20,000 European Users for Credential Theft
LockBit Developer Rostislav Panev Charged for Billions in Global Ransomware Damages
Sophisticated TA397 Malware Targets Turkish Defense Sector
Lazarus Group Spotted Targeting Nuclear Engineers with CookiePlus Malware
Attackers Exploit Microsoft Teams and AnyDesk to Deploy DarkGate Malware

Leave a Reply

Your email address will not be published. Required fields are marked *