The FBI’s Denver office issued a warning last week, telling folks not to plug into public USB charging stations. Instead, they said you should BYOC — bring your own charger.
And the worry isn’t just about phones. As more and more laptops can charge via USB PD, traveling dev staff (with credentials etc.) need to be aware.
But the “juice jacking” scare isn’t new. In this week’s Secure Software Blogwatch, we remember DEF CON 19’s Wall of Sheep village.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Picard theorizing.
Déjà vu, but carry protection
What’s the craic? Bruce Finley quietly broke this story last week — “FBI Denver warning: Don’t use free public phone charging stations”:
“Multiplied in recent years”
[FBI] officials in Denver are advising travelers and shoppers to avoid public free … charging portals, warning that “bad actors” use these to install malware and tracking software onto computers and phones. This is the practice commonly known as “juice-jacking.”
“Bad actors have figured out ways to use public USB ports to introduce malware and monitoring software onto devices,” FBI officials announced. … “Carry your own charger … and use an electrical outlet instead.”
…
Free public charging stations have multiplied in recent years as operators of airports … increase services to accommodate growing numbers of people in transit. Hotel operators and shopping center managers also have installed the charging portals, and FBI officials warned these too could lead to the installation of … malware onto computers and smartphones.
How to protect yourself? June Wan advises — “How to stay protected”:
“Block out any data transfer”
The first option is a portable battery bank. By serving as the middleman, an external battery can be topped up without the risk of exposing any of your data and security, and then relay that energy to your smartphone, tablet, laptop, etc.
The second option is to charge with a USB data blocker. Like the portable battery, a USB adapter serves as a middleman between your personal device and the potentially malicious outlet. It achieves such security by doing away with the data wires traditionally found on USB cables. With the accessory attached to your charging cable, it will physically block out any data transfer between the outlet and your device.
Are you feeling some déjà vu? Sareen Habeshian and Sam Sabin are — “FBI warns”:
“Difficult attack”
The tweet from the FBI's Denver office did not identify any recent incidents that could have prompted the fresh warning. The FBI said it was just a regular reminder, and directed [me] to an online FCC consumer warning last updated in 2021.
…
Few cases of “juice jacking” have been publicly reported in recent years, and it’s a difficult attack for malicious hackers to pull off. … However, if successful, researchers have warned that “juice jacking” could give malicious actors unfettered access to their devices.
Slow news day? Kelsey Ables sets the Wayback machine — “What to know”:
“Unclear how common these attacks are”
The term … “juice jacking” … is said to date back to 2011, when researchers at DefCon created a charging kiosk that demonstrated the potential cybersecurity risks of such stations. Years later, in a world where our smartphones increasingly function as wallets, GPS, photo albums and an ever-running log of our personal communication and browsing history, accessing someone’s device can be practically as invasive as breaking into their home.
…
Officials have raised similar concerns in California, India and Nigeria. [But] it’s unclear how common these attacks are. And any instances of victimization have not been widely publicized.
Perhaps because there aren’t any? jacks smirking reven has bought the T-shirt:
“Like getting your card skimmed”
I feel like I have heard about this for as long as public chargers have been a thing. Back when I designed a charging station system that was installed in airports one of the considerations was putting in a charger that specifically didn't trigger any data notifications on phones so as to avoid the perception of this issue — and this was like over 8 years ago.
Most charging stations in public spaces really are pretty dumb simply to save money on the systems so installing some type of data line into them is going to require access to the guts of the machines, some solder work and some sort of extra board and communication protocols to get that data you jacked from the phones to the perpetrator. Even trickier when most public "chargers" are just combo AC/USB outlets. Seems like a lot of work to maybe get some peoples data from phones versus just phishing their data or purchasing it from one of the dozens of public breaches that happen every year.
Yes it's an risk, just like getting your card skimmed at the gas station is a risk or several of the other things. I would want to see some statistics of how many instances there are of this and what the consequences were before we just wholesale abandon a pretty useful free service we have come to expect.
Although Stephanie Hagan begs to differ:
I used the wireless chargers in Charlotte airport once and the same day I had 3 different people hack into my Hulu account! Never again.
Why is this a problem anyway? It’s ridiculous to allow a charging cable to exchange data. UnknowingFool edumacates us:
USB was made initially to carry information. It can charge devices and consumers are demanding more and more power draw as USB C/Thunderbolt is looking to be the defacto power/connection standard for laptops. This is not "Engineering Gone Wild" as much as "Current Trends in Electronics."
But nobody thought of the problem up-front. So now we’re applying band-aids such as security popups and data blockers — or, as ChuckNorris89 calls them — “condoms”:
Just like the internet and TCP-IP, USB was designed from the start to be as cheap and convenient as possible, before anything else, to get market traction, which it did. Security concerns came much later. If your threat model deems it, the solution is buying a USB condom which only pass through the power lines, not the data ones.
…
If you nag the user every single time they plug in the USB with a security prompt, they will just get desensitized and instinctively click 'YES' all the time.
Meanwhile, it’s still unclear why the Denver FBI dredged this story up yet again. bill_mcgonigle is at the end of his tether:
The FBI needs to be devolved back to the states.
And Finally:
You have been reading Secure Software Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or ssbw@richi.uk. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.
Image sauce: Mishaal Zahed (via Unsplash; leveled and cropped)
Keep learning
- Get up to speed on securing AI/ML systems and software with our Special Report. Plus: See the Webinar: The MLephant in the Room.
- Find the best building blocks for your next app with RL's Spectra Assure Community, where you can quickly search the latest safe packages on npm, PyPI and RubyGems.
- Learn how you can go beyond the SBOM with deep visibility and new controls for the software you build or buy. Learn more in our Special Report — and take a deep dive with our white paper.
- Commercial software risk is under-addressed. Get key insights with our Special Report, download the related white paper — and see our related Webinar for more insights.
Explore RL's Spectra suite: Spectra Assure for software supply chain security, Spectra Detect for scalable file analysis, Spectra Analyze for malware analysis and threat hunting, and Spectra Intelligence for reputation data and intelligence.