FBI and FCC warn about “Juicejacking” – but just how useful is their advice? – Naked Security

If you hadn’t heard of the cybersecurity buzzword “juicejacking” until the past few days (or actually never heard of it until you opened this article), don’t panic.

You are not out of touch.

Here at Naked Security, we knew what it meant, not because it's an obvious and public danger, but because we remembered the word from some time ago, when we published tips on it.

In 2011, the term was quite new (as far as we could tell) and was written in several variants, such as juice jacking and, correctly in our opinion, juicejacking. It was created to describe a cyberattack technique that had just been demonstrated at the Black Hat 2011 conference in Las Vegas.

Juicejacking Explained

The idea is simple. Especially at airports, people whose phone chargers are tucked deep in their carry-on luggage, or are in the cargo hold of an airplane where they can't get at them, often suffer from charge anxiety.

Phone charging anxiety, first prevalent in the 1990s and 2000s, is the equivalent of electric vehicle range anxiety today: you can't resist squeezing in a little more juice right now, even if you only have a few minutes to spare, in case you hit a snag later on in the journey.

However, phones charge over USB cables, which are specifically designed to carry both power and data.

So, if you plug your phone into a USB outlet provided by someone else, how can you be sure that it’s only providing charging power and not secretly trying to negotiate a data connection with the device at the same time?

What if you had a computer on the other end not only supplying 5V DC, but cleverly trying to interact with your phone behind your back?

The simple answer is that you can't be sure, especially if it's 2011 and you're at the Black Hat conference attending a talk titled Mactans: Malicious charger injects malware into iOS devices.

The word Mactans was meant to be a BWAIN, or Bug With An Impressive Name (derived from the small but venomous black widow spider, Latrodectus mactans), and the technique was nicknamed "juicejacking".

Interestingly, Apple responded to the juicejacking demo with a simple but effective change in iOS. This is very similar to how iOS reacts today when connected via USB to an as-yet-unknown device.

“Trust-or-not” popup introduced in iOS 7 following a public demo of juicejacking.

Android also doesn’t allow computers it hasn’t seen before to exchange files with your phone until you tap OK on your phone after unlocking it.

Is juice jacking still a thing?

In theory, juicejacking can no longer be pulled off easily, as both Apple and Google have adopted defaults that remove the element of surprise from the equation.

You could be tricked, coaxed, or whatever into agreeing to trust a device that you later wish you hadn't…

…but at least in theory, data collection can't happen behind the scenes without you first seeing a visible request and then responding directly by pressing a button or selecting a menu option to activate it.

So we were a bit surprised to see both the US FCC (Federal Communications Commission) and the FBI (Federal Bureau of Investigation) publicly warning people about the dangers of juicejacking over the past few days.

Here is what the FCC says:

If your battery is low, charging your electronic devices at free USB port charging stations in airports or hotel lobbies can have unfortunate consequences. You can fall victim to “juicejacking,” another cyber theft tactic.

Cybersecurity experts warn that malicious actors can load malware into public USB charging stations to gain malicious access to electronic devices that are charging. Malware installed via a compromised USB port can lock the device or export private data and passwords directly to the perpetrator. Criminals can then use that information to access online accounts or sell it to other bad actors.

And according to the FBI in Denver, Colorado:

Malicious actors have figured out how to use public USB ports to introduce malware and monitoring software into devices.

How safe are power supplies?

Make no mistake. We do not know how safe and reliable the voltage converters in the charging circuit are, so we recommend that you use your own charger whenever possible and do not rely on unknown USB connectors or cables.

You never know if you’ll get a well regulated 5V DC or voltage spikes that will harm your device.

Destructive voltages can arrive accidentally, for example from a cheap and cheerful, unsafe charging circuit that saves a few cents on manufacturing costs by illegally failing to follow the appropriate standards intended to isolate the mains and low-voltage parts of the circuit.

Alternatively, malicious voltage spikes may arrive intentionally. Longtime Naked Security readers will remember a device that looked like a USB storage stick but was called the USB Killer, which we wrote about in 2017:

By using normal USB voltage and current to charge a capacitor bank hidden inside the device, it quickly gets to the point where it can release a 240V spike back into your laptop or phone, possibly frying it (and perhaps giving you a nasty shock if you were holding or touching it at the time).

How secure is your data?

But what about the risk of your data being surreptitiously siphoned off by a charger that also acts as a host computer and tries to take control of your device without permission?

Are the security improvements introduced in the wake of the Mactans juicejacking tool in 2011 still in effect?

We base our answer on connecting an iPhone (iOS 16) and a Google Pixel (Android 13) to a Mac (macOS 13 Ventura) and a Windows 11 laptop (2022H2 build).

First, neither phone automatically connected to macOS or Windows the first time it was plugged in, whether locked or not.

When connecting the iPhone to Windows 11, we were asked to authorize the connection each time before we could view content through the laptop, and we had to unlock the phone to see the authorization popup.

The popup that appeared every time we connected our iPhone to our Windows 11 laptop.

The first time we connected the iPhone to the Mac, we had to agree to trust the computer at the other end, which obviously meant unlocking the phone. After that, the phone showed up in the Finder app when connected later (even if it was locked at the time):

The modern “trust” popup when your Mac first encounters your iPhone.

Our Google phone set its USB connection to No data mode every time we plugged it in, and changing that mode means using the Settings app, which requires you to unlock your device first:

Google Android phone after connecting to Windows 11 or macOS 13.

The host computers could tell that a phone was connected whenever it was plugged in, giving them access to the device name and various hardware identifiers, but the phone itself was clearly off-limits.

The Google phone behaved the same way the second, third or subsequent time we connected it: the host identified that a device was connected, but the phone automatically went into No data mode, as shown above, so its files were not visible by default on either macOS or Windows.

Untrusting computers on your iPhone

By the way, one annoying misfeature of iOS (we consider it a bug, but that's just an opinion, not a fact) is that there is no menu in the Settings app that lets you view a list of previously trusted computers and revoke trust for individual devices.

You must remember which computers you trusted, and you can only revoke that trust in an all-or-nothing way.

To untrust an individual computer, you have to untrust all computers, using an obscure and deeply nested option on the Settings > General > Transfer or Reset iPhone > Reset Location & Privacy screen, under a heading that misleadingly suggests these options are only useful when you are getting a new iPhone:

The hard-to-find iOS option for untrusting computers you've connected to before.

What should I do?

  • If possible, avoid using unknown charging connectors or cables. Even carefully installed charging stations may not have the electrical quality and voltage regulation you'd want. If possible, avoid cheap mains chargers too. Carry a brand you trust, or charge from your own laptop.
  • Lock or turn off your phone before connecting it to a charger or computer. This minimizes the risk of accidentally opening up files to a rogue charging station, and ensures that the device is locked if it is grabbed and stolen from a multi-user charging unit.
  • Before risking an unknown computer or charger, consider untrusting all devices on your iPhone. This way, you won't be left with forgotten trusted devices that you may have set up by mistake on previous trips.
  • Consider buying a power-only USB cable or adapter socket. "Dataless" USB-A plugs are easy to spot because they have only two metal electrical connectors in the housing, at the outer edges of the socket, rather than four connectors across the width. The inner connectors aren't always immediately obvious, as they don't come right up to the edge of the socket. That is so the power connectors make contact first.

Power-only USB-A connector on a bike light, with the outer metal connectors only.
The pink rectangle indicates the approximate location of the data connector.
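
One way to check that a "power-only" cable or adapter really is dataless before you rely on it, shown as an added example that is not part of the original article: plug your own phone through it into your own Linux laptop and see whether any USB device enumerates. It assumes the standard Linux sysfs USB tree, and the function names are illustrative.

```python
"""Added example: does a "power-only" cable really block USB data? (Linux)"""
from pathlib import Path

SYSFS_USB = Path("/sys/bus/usb/devices")  # standard Linux sysfs location


def _read(path):
    """Return a sysfs attribute as text, or None if the device lacks it."""
    try:
        return path.read_text().strip()
    except OSError:
        return None


def snapshot(root=SYSFS_USB):
    """Map each enumerated USB device to the identifiers a host can read."""
    devices = {}
    for dev in sorted(Path(root).iterdir()):
        vendor = _read(dev / "idVendor")
        if vendor is None:  # interface nodes such as "1-2:1.0" have no idVendor
            continue
        devices[dev.name] = {
            "vid_pid": f"{vendor}:{_read(dev / 'idProduct')}",
            "product": _read(dev / "product"),
            "serial": _read(dev / "serial"),
        }
    return devices


def newly_enumerated(before, after):
    """Devices present after plugging in that were absent before."""
    return {name: info for name, info in after.items() if name not in before}


def cable_blocks_data(before, after):
    """True if plugging in through the cable exposed no new USB device."""
    return not newly_enumerated(before, after)


if __name__ == "__main__":
    baseline = snapshot()
    input("Plug your phone into THIS computer through the cable under test, "
          "wait a few seconds, then press Enter... ")
    current = snapshot()
    for name, info in newly_enumerated(baseline, current).items():
        print(f"data lines live: {name} {info}")
    print("power-only" if cable_blocks_data(baseline, current)
          else "cable carries data")
```

A phone that appears in the output has been identified by name and hardware identifiers even though it never trusted the host, which is the behaviour described for both test phones above.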
