People are usually fond of traveling to new places, but who knew that among the other risks: charging your devices could become one. It is true indeed! Recent news revealed how scammers are targeting public charging ports as a way to hack into your device. To check the whole story, take a deeper look at our article.
A new warning about “juice jacking” attacks will make you reconsider how to charge your devices in public. In one of the recent security alert from the Los Angeles District Attorney had warned travelers to avoid charging their smartphones and other devices using public USB power charging stations. Such charging stations may contain dangerous malware. In the past few years, several proofs of concepts have been created among which the most notorious was Mactans, which was unveiled at the Black Hat security conference back in 2013. While even if the device may look like an ordinary USB wall charger, it actually holds the capability to deploy malware on iOS devices.
Officials from the cybersecurity department, warn about the dangers of using public USB charging stations. Travelers must use only AC charging ports, use USB no-data cables, or “USB condom” devices. The travelers are advised not to use public USB power charging stations in airports, hotels, and other locations as they may contain some dangerous malware said the Los Angeles District Attorney in a security alert published last week.
Initially, USB connections were designed to work as both data and power transfer mediums, with no strict barrier between the two. Gradually as smartphones became more popular in the past decade, security researchers figured out that, they could abuse USB connections that a user might usually think was only used for charging purposes but in actual delivers secret data payloads. Such types of attacks are known as “juice jacking.”
For the past many years, several proofs-of-concept were created. The most notorious was the Mactans, which was presented at the Black Hat 2013 security conference, which was a malicious USB wall charger that could deploy malware on iOS devices.
A well-known security researcher named ‘Samy Kamkar’ took the concept further with KeySweeper, a stealthy Arduino-based device, camouflaged as a functioning USB wall charger that wirelessly sniffs, decrypts, logs, and then reports back all keystrokes (over GSM) from any Microsoft wireless keyboard available.
Following Kamkar’s release of KeySweeper, the FBI sent out a nation-wide alert at the time, warning organizations against the use of USB chargers and asking companies to review if they had any such devices in use.
Also, in 2016, another team of researchers developed another proof-of-concept malicious USB wall charger. This one could record and mirror the screen of a device that was plugged in for a charge. The technique becomes known as “video jacking.” The LA District Attorney’s warning covers many attack vectors because there are different ways that criminals can abuse USB wall chargers.
Pluggable USB wall chargers are one of the most common ways for consumers to fall victim to a “juice jacking” attack as a criminal could easily leave behind a malicious charger at a public place such as the airport or hotel. Criminals also have the capability to load malware onto public charging stations which means that public USB ports also pose a security risk. These portable USB charging devices can be plugged into an AC socket, and due to which criminals can easily leave some of these behind “by accident” in public places, at public charging stations.
To avoid the “juice jacking” attack, LA officials recommend the travelers to use AC power outlets instead of USB charging stations and also to bring their own chargers when traveling. While traveling can certainly be fun, sometimes it is also the time that consumers are most likely to fall victim to a scam or even a cyberattack.
There are also USB chargers that are encased directly inside power charging stations installed in public places, usually where the user only has access to a USB port. However, LA officials still say criminals can load malware into public charging stations. This is the reason users should avoid using the USB port, and stick to using the AC charging port instead.
But the LA DA’s warning also applies to USB cables that have been left behind in public places. Microcontrollers and electronic parts have become so small these days that criminals can hide mini-computers and malware inside a USB cable itself. One such example is O.MG Cable.
But there are also other countermeasures that users can deploy. Like, the device owners can buy USB “no-data transfer” cables, where the USB pins responsible for the data transfer channel have been removed, leaving only the power transfer circuit in place. Such cables can be found on Amazon and other online stores.
There are also so-called “USB condoms” that act as an intermediary between an untrusted USB charger and a user’s device. Two such types of devices are SyncStop (also known as USB Condom) and Juice-Jack Defender. Many others also exist, and at one point, even Kaspersky researchers tried to build one — called Pure. Charger — but their Kickstarter fundraiser failed to raise the needed funds.
Update, November 15: After the publication of this article, there has been a wave of criticism from security researchers and the cyber-security community, who did not believe the LA DA’s security alert was adequate, as there have been no known cases of “juice jacking” incidents detected in the real world, and beyond experimental work presented at security conferences. Furthermore, many have pointed out that since the first juice jacking demos back in 2013, both Android and iOS have now incorporated popups in their user interface to alert a user when a USB port is attempting to transfer data, rather than just electrical power.
US authorities usually issue security alerts based on reports and threats they see in the real world. After failing to respond to a phone call yesterday, the LA DA told fellow tech news site TechCrunch today that the security alert was part of an educational campaign, and not based on juice jacking attacks they’ve detected in the wild. The original LA DA advisory is still labeled as a “fraud alert” and “PSA” on the LA DA’s website, though, with no evidence this is part of an educational campaign. However, the advice given to travelers is in no way bad or incorrect, and users should follow it.
Here are some of our other articles written below:
