Protecting against Juice Jacking
Smart devices make life easier but can become a double-edged sword in an environment of increasingly innovative and sophisticated cyberattacks. An innocuous-looking charging station can be weaponised by bad actors seeking to steal private information or carry out espionage.
The risk that a charging port can infect or take over smartphones or smart devices is very real. However, the threat is realised only once charging has occurred. As is the case in other types of cyberattacks, human behaviour becomes an enabler of juice jacking, the technical term used to denote a method employed by cybercriminals to steal personal information through public charging kiosks.
Juice jacking: An introduction
Juice jacking involves using a free public charging terminal to install malware on the devices that are charged using it. Once inside the infected device, the malware copies sensitive data stored on it.
The science behind juice jacking is quite simple. Every smartphone comes with a USB charger that uses the same cable to charge the device and for a data connection. When a smartphone owner uses a compromised public charging kiosk to charge their mobile, they expose it to the rogue elements who have hacked the kiosk. Once inside the system, hackers can pair the device with a computer system. The cybercriminal can also inject malicious code onto the device to steal private data.
Even if malware is not injected into the affected device, the hacker will have unhindered access to the system and can potentially execute an attack anytime and from anywhere to steal sensitive information such as credit card numbers, photos, address book, notes, and typing cache. The hacker can also take a complete backup of the device.
The concept of juice jacking was first introduced by Brian Krebs in 2011. Krebs said that it was quite easy for hackers to conceal a computer inside a public charging kiosk that would inject malware into the mobile devices charged using it. In the same year, he wrote an article on his security journalism site Krebs on Security. The piece discussed the security threat at length.
In 2012, the NSA instructed government officials who travel extensively to avoid using public kiosks or someone else’s computer to charge their devices.
The Android Hacker’s Handbook, a comprehensive resource for security professionals, includes a section dedicated to juice jacking and the ADB-P2P framework.
Why juice jacking can be a potent threat in the future
Picture this: you’re outside, and your device runs out of juice. To make matters worse, you aren’t carrying a power bank or charger. Suddenly, you spot a free public charging kiosk. Do you hesitate to plug in your device? If your answer is no, you’re not alone.
Most people aren’t aware of the potential threats they’re exposed to when using a public charging kiosk. To educate people on the perils of using random power stations to juice up their mobile devices, three researchers, Markus, Joseph Mlodzianowski, and Robert Rowley built a kiosk and stationed it at Rio Hotel and Casino, where the 2011 DefCon, one of the largest hacking conventions in the world, was held.
Surprisingly, several (around 360) attendees used the kiosk, which shows a lack of public awareness about the threat of using a public charging kiosk. When asked what made them use the kiosk, some attendees replied that they wanted to make an urgent call. One attendee was so eager to make a call that he didn’t care even if his data got compromised as a direct result of his actions. Others replied that they had planned to clean their phone after leaving the conference.
In another social experiment, security firm Authentic8 offered a free charging station with cords and adapters to attendees. Around 80% of the people used the charging station without inquiring about the security measures taken by the company.
Many people would point to increasing reliance on smartphones as the root cause of the problem here. We beg to differ. Failure to carry your own charging devices and lack of awareness of juice jacking, not overdependence on smartphones, increase the chances of you falling victim to a cyberattack.
Ever since the term juice jacking was first coined, many researchers have been studying different attack vectors extensively. We can safely assume that several hackers around the world are actively looking for ways to exploit security vulnerabilities of smart devices.
Juice jacking poses a security risk to mobile phones, laptops, and smart gadgets. The risk looms large at airports, hotels, theme parks, restaurants and public areas with charging kiosks. As laptops and smart devices carrying sensitive information are increasingly brought along for work purposes, cybercriminals have immense opportunities to carry out juice jacking attacks.
As hackers learn more about the nature of the threat and how they can use different attack vectors to gain access to their victims’ devices, we can expect juice jacking cases to surface soon. Additionally, because our dependence on mobile phones is not going to decrease anytime soon, experts expect the threat of juice jacking to be around for quite some time.
How bigwigs have reacted to the threat
After juice jacking was first introduced to the world, both Apple and Android have taken several steps to beef up the security of their devices.
After the threat surfaced, Apple started including a feature in its iOS devices that prevents them from automatically mounting as a hard drive when plugged in over USB. Additionally, Apple released security patches that focus on addressing security vulnerabilities.
Android devices have a feature that prompts the user to permit the device to mount as a hard drive when plugged in over USB. Android also uses a whitelist verification step for Android 4.2.2 devices that prevents unauthorised users from accessing the Android Debug Bridge.
There are also dedicated devices designed to prevent juice jacking and allow safe charging of smart devices at public charging stations. An example is XXX, a USB charger that disallows the potential transfer of data across devices or from smart devices to the firmware. To safely charge your devices, insert your USB cable into XXX and then connect it to the charging device. XXX’s security design acts as a strong line of defence against juice jacking. As a simple plug-and-play adapter, XXX’s lightweight design makes it convenient to carry around.
Tips to prevent juice jacking
Though juice jacking is a relatively new cybersecurity threat and no cases have been reported so far, you cannot afford to drop your guard. Given the fact that the concept has been proved to hold water, the threat posed by public charging stations is very real. The setup required to plan and execute these attacks is easily available in the market. If a juice jacker enters your smart device, they may release your private information on the internet or misuse your data to commit cyber fraud, which is why you need to be extra cautious with your mobile devices.
Thankfully, it doesn’t take much to steer clear of this cyber threat. Here are some ways to protect your devices:
1. Keep your devices charged
Inculcate the habit of keeping your mobile devices such as smartphones and tablets charged. Before leaving your home, ensure that your mobile is fully charged. A good practice is to charge your phone whenever you are not using it.
2. Carry your power bank or charger
Make carrying your charger a habit. If you are using a bulky charger, consider switching to a compact and portable power bank that is easy to carry around. Most power banks feature a sleek design and can easily fit into a carry bag. With your power bank or charger by your side, all you would need to do when your battery is low is to find a power outlet. You can always carry a spare charger in your carry bag. This way, you don’t have to rely on a public charging kiosk when your device runs out of juice.
Alternatively, if your device has a removable battery, consider carrying a spare battery.
3. Avoid USB chargers
If you don’t have any other option and are forced to use a public device for charging your smartphone or any other mobile device, make sure it is an AC/DC charger with a one-way charge, offering only a connection between the device it is charging and the charger.
4. Use power-only cables
Prefer charge-only cables to data cables. Though there are no visual cues to differentiate between the two, once you know how these cables function, you can easily tell charge-only cables from data cables.
While a charge-only cable (as the name suggests) is designed to charge devices, a data cable comes equipped with separate data and charging ports that not only help charge mobile phones but also facilitate data transfer between your device and other devices. Because charge-only cables can’t facilitate data transfer, you must always use a power-only cable for connecting your device to a public charging kiosk. Apart from helping to avoid security concerns, power-only cables also save time as they are known to supply higher current charges.
5. Switch off your device when charging
Even if you have to use a public charging kiosk, don’t worry. To avoid security concerns, switch off your device before starting to charge, as data transfer occurs only when the smart device being charged is switched on. This will not only speed up the charging process but will also keep cybercriminals at bay. If, however, you are using a Windows phone, you are still at risk as Windows phones switch on automatically when plugged into a power source.
6. Use your phone’s security features
If you have to rely on a public charging kiosk, make it a point to use your phone’s security features. Most mobile phones have a security feature that seeks the owner’s permission before transferring data. If you are using a public kiosk or do not trust the connection, choose Cancel. Selecting Cancel will only let the power supply flow between the two devices.
Most smartphones come with a feature that allows the user to set a passcode (which can be a PIN) that is used to unlock the phone. If your phone has this feature, remember to lock your phone before plugging it into an outlet. Doing so would prevent your device from being paired with the charging device.
7. Use a USB condom
A USB condom is designed to facilitate only the flow of current between the two devices. A USB condom works by cutting off the connection of data transfer pins of the USB port. To convert your USB data cable into a charge-only cable, you need to insert the USB condom in one end of your data cable. Doing so will prevent the device from transferring data to the charging device it is connected to.
Be very careful when choosing a public charging kiosk. Stay away from kiosks that are placed in suspicious locations.
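To check that a cable or adapter from tips 4 and 7 really is power-only, plug a switched-on, unlocked phone through it into a Linux computer you trust and see whether anything enumerates on the USB bus. The script below is an added example, not part of the original article; it compares two snapshots of /sys/bus/usb/devices, and its function names and class table are choices made for this illustration.

```python
import os

# USB interface classes (hex, as sysfs prints them) that carry data to a host.
DATA_CLASSES = {
    "02": "communications (tethering/modem)",
    "03": "HID (keyboard or mouse input)",
    "06": "still imaging (PTP/MTP)",
    "08": "mass storage",
    "ff": "vendor specific (ADB and similar)",
}

def _read(path):
    """Return a sysfs attribute as text, or '' if it is absent."""
    try:
        with open(path) as fh:
            return fh.read().strip()
    except OSError:
        return ""

def snapshot(sysfs_root="/sys/bus/usb/devices"):
    """Map each enumerated USB device to its IDs, name and interface classes."""
    names = sorted(os.listdir(sysfs_root))
    devices = {}
    for name in names:
        if ":" in name or name.startswith("usb"):
            continue  # skip interface entries and root hubs
        base = os.path.join(sysfs_root, name)
        classes = {_read(os.path.join(sysfs_root, n, "bInterfaceClass")).lower()
                   for n in names if n.startswith(name + ":")}
        devices[name] = {
            "id": _read(os.path.join(base, "idVendor")) + ":"
                  + _read(os.path.join(base, "idProduct")),
            "product": _read(os.path.join(base, "product")),
            "classes": sorted(classes - {""}),
        }
    return devices

def new_data_paths(before, after):
    """List devices that enumerated between two snapshots.

    A true power-only path has no data lines, so the host sees nothing new;
    any entry returned here means data can flow over the cable or adapter.
    """
    findings = []
    for name in sorted(set(after) - set(before)):
        dev = after[name]
        exposed = [DATA_CLASSES[c] for c in dev["classes"] if c in DATA_CLASSES]
        findings.append((dev["id"], dev["product"], exposed))
    return findings

if __name__ == "__main__":
    baseline = snapshot()
    input("Plug the phone in through the cable or adapter under test, then press Enter: ")
    found = new_data_paths(baseline, snapshot())
    if not found:
        print("Nothing enumerated: the data lines appear to be disconnected.")
    for dev_id, product, exposed in found:
        print(f"DATA PATH: {dev_id} {product!r} interfaces: {exposed or 'unclassified'}")
```

Run the same test once with an ordinary data cable first, so you know the phone does enumerate on that computer when the data lines are present.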
How vulnerable is an average mobile device?
To answer this question, Billy Lau, a research scientist at the Georgia Institute of Technology, performed a Black Hat demonstration at a conference that involved using a juice-jack malware to take screenshots from mobile devices of thousands of attendees when passwords were entered.
Published research on juice jacking
In 2012, security researcher Kelly Osborne released P2P-ADB, an attack framework that included examples and proof of concepts that allow the publisher to unlock their victim’s phone and steal data.
During the 2014 Black Hat security briefings, researchers Karsten Nohl and Jakob Lell published a paper on BadUSB, a class of malware that provides low-level control for the infected device’s hardware. In their presentation, the duo mentioned that an expert hacker could easily use a mobile device plugged into an infected computer to spread BadUSB.
In 2016, security researchers at Aries Security joined hands with researchers at the Wall of Sheep to uncover insights on juice jacking. The study involved setting up a video jacking charging station that recorded the mirrored screen from infected phones (devices that were plugged into the charging station). Many affected phones were Android devices that supported SlimPort or MHL protocols.
What is trustjacking, and how does it work?
At the 2018 RSA Conference, security researchers from Symantec presented their findings on an attack they named Trustjacking. Researchers found that approving access for a computer on an iOS device over USB also allows access to the iOS device even after it has been unplugged from an infected charge source.
When a user connects their iOS device to a new computer, they are asked whether they trust the computer. If the user trusts the connection, the charging device gets permission to communicate with the iOS device through the standard iTunes APIs, which enables it to access information stored on the phone. Additionally, the device will be able to take backups and install applications without requiring any other confirmation.
Choosing to trust a charging device also activates the iTunes Wi-Fi sync feature that allows the device to communicate with your phone even after you disconnect it from the computer. The communication will continue as long as your device and the computer are connected to the same network.
Once they can get into your system, a hacker can easily get a live stream of your device’s screen by repeatedly accessing screenshots. The fact that no notification is issued to the user informing them that by choosing to trust the computer, they are permitting the system to communicate with their device even after the USB cable is disconnected, makes the situation even scarier.
A trustjacker can do much more than just view their victim’s screen. They can also create a remote backup to get access to photos, app data, and iMessage chat history. And the victim’s nightmare does not end here. The trustjacker can also install malicious apps or replace original apps with copies that look exactly like them. These apps can be used to track the victim’s every move.
To execute these attacks, the malicious device and the victim’s device should be connected to the same network. That said, this is not the only way to carry out these attacks. A hacker can use a VPN server to create a continuous connection, which eliminates the requirement of the two devices being in proximity to each other. Using this method, a hacker can also attack a device that is connected to another network.
Some clear signs that your mobile device has been hacked
If your phone takes aeons to download an app or load a website, there are chances that it has been hacked. Malware running in the background can impact the infected device’s network connection, resulting in performance issues. There can, however, be legitimate reasons behind the problem. In many cases, performance issues arise when an update runs in the background or the memory is almost full. Before concluding, check your phone.
Strange text messages
If your friends claim to receive messages that you never sent them, there are good chances that your phone’s security has been compromised. Likewise, if you have been receiving strange text messages lately, they may be related to a security threat.
Battery drains quicker than before
When malware runs in the background to steal your personal information, it requires power to perform its designated task. This power is derived from the phone’s battery. If your phone’s battery drains quicker than before and it gets extremely hot, you have every reason to be worried.
Websites appear different than before
When malicious software is successfully installed on a device, it relays communication between the browser and the internet, which may impact the way websites display on the device.
The device attempts to access bad sites
If the network that you use blacklists problematic sites, your device should not be able to access them. A compromised phone, however, will try to access bad sites or networks even without the owner’s permission.
Pop-ups appear from nowhere
Some malware creates pop-ups that ask the user to perform certain actions. If you are seeing more pop-ups than before, beware!
High cellphone bills
Often, cybercriminals use hacked devices to make overseas calls or send international SMSs. If you have been receiving unusually high cellphone bills lately, there is a good chance that your phone is not as secure as you think.
Increase in the use of data or text messaging
Do you check your phone’s SMS usage data regularly? You should! Often, hacked phones use SMSs to transfer data from the compromised device. It is also highly recommended that you check data usage per app regularly. If an app is using more data than necessary, you should be concerned. If you downloaded the app from a third party, consider deleting it.
Emails sent from the device are getting blocked
If the emails that you send using the device are getting blocked by filters, there is a good chance that your configuration has been tweaked and an unauthorised server is being used to relay the information to a scamster who is reading all your communications.
Malware may interfere with the functionality of certain apps. When this happens, the app may stop functioning.
A hacked device exhibits symptoms sooner rather than later, and they’re hard to miss most of the time. The solution lies in tracing your steps back to what might have happened and what the cybercriminal wants from you. Unless you’re aware of juice jacking, you may not realise that charging your phone at the airport kiosk during your last business trip contributed to the security threat.
Though juice jacking is not a major threat today, experts warn smartphone users against letting their guard down. To avoid becoming a soft target for a juice jacker, assume that every public outlet is compromised. Use your own charging devices and plug them directly into a wall outlet. Avoid relying on a random USB port and never unlock your phone when charging. Most importantly, do not take the security of your devices for granted.