Your smartphone needs a recharge yet again and you’re miles from the charger at home; that public charging kiosk is looking pretty promising–just plug your phone in and get the sweet, sweet, energy you crave. What could possible go wrong, right? Thanks to common traits in cellphone hardware and software design, quite a few things–read on to learn more about juice jacking and how to avoid it.
Regardless of the kind of modern smartphone you have–be it an Android device, iPhone, or BlackBerry–there is one common feature across all phones: the power supply and the data stream pass over the same cable. Whether you’re using the now standard USB miniB connection or Apple’s proprietary cables, it’s the same situation: the cable used to recharge the battery in your phone is the same cable you use to transfer and sync your data.
This setup, data/power on the same cable, offers an approach vector for a malicious user to gain access to your phone during the charging process; leveraging the USB data/power cable to illegitimately access the phone’s data and/or inject malicious code onto the device is known as Juice Jacking.
The attack could be as simple as an invasion of privacy, wherein your phone pairs with a computer concealed within the charging kiosk and information like private photos and contact information are transferred to the malicious device. The attack could also be as invasive as an injection of malicious code directly into your device. At this year’s BlackHat security conference, security researchers Billy Lau, YeongJin Jang, and Chengyu Song are presenting “MACTANS: Injecting Malware Into iOS Devices Via Malicious Chargers”, and here is an excerpt from their presentation abstract:
In this presentation, we demonstrate how an iOS device can be compromised within one minute of being plugged into a malicious charger. We first examine Apple’s existing security mechanisms to protect against arbitrary software installation, then describe how USB capabilities can be leveraged to bypass these defense mechanisms. To ensure persistence of the resulting infection, we show how an attacker can hide their software in the same way Apple hides its own built-in applications.
To demonstrate practical application of these vulnerabilities, we built a proof of concept malicious charger, called Mactans, using a BeagleBoard. This hardware was selected to demonstrate the ease with which innocent-looking, malicious USB chargers can be constructed. While Mactans was built with limited amount of time and a small budget, we also briefly consider what more motivated, well-funded adversaries could accomplish.
Using cheap off-the-shelf hardware and a glaring security vulnerability, they were able to gain access to current generation iOS devices in less than a minute, despite the numerous security precautions Apple has put in place to specifically avoid this kind of thing.
This sort of exploit is hardly a new blip on the security radar, however. Two years ago at the 2011 DEF CON security conference, researchers from Aires Security, Brian Markus, Joseph Mlodzianowski, and Robert Rowley, built a charging kiosk to specifically demonstrate the dangers of juice jacking and alert the public to just how vulnerable their phones were when connected to a kiosk–the image above was displayed to users after they jacked into the malicious kiosk. Even devices that had been instructed not to pair or share data were still frequently compromised via the Aires Security kiosk.
Even more troubling is that exposure to a malicious kiosk could create a lingering security problem even without immediate injection of malicious code. In a recent article on the subject, security researcher Jonathan Zdziarski highlights how the iOS pairing vulnerability persists and can offer malicious users a window to your device even after you’re no longer in contact with the kiosk:
If you’re not familiar with how pairing works on your iPhone or iPad, this is the mechanism by which your desktop establishes a trusted relationship with your device so that iTunes, Xcode, or other tools can talk to it. Once a desktop machine has been paired, it can access a host of personal information on the device, including your address book, notes, photos, music collection, sms database, typing cache, and can even initiate a full backup of the phone. Once a device is paired, all of this and more can be accessed wirelessly at any time, regardless of whether you have WiFi sync turned on. A pairing lasts for the life of the file system: that is, once your iPhone or iPad is paired with another machine, that pairing relationship lasts until you restore the phone to a factory state.
This mechanism, intended to make using your iOS device painless and enjoyable, can actually create a rather painful state: the kiosk you just recharged your iPhone with can, theoretically, maintain a Wi-Fi umbilical cord to your iOS device for continued access even after you’ve unplugged your phone and slumped into a nearby airport lounge chair to play a round (or forty) of Angry Birds.
We’re anything but alarmist here at How-To Geek, and we always give it to you straight: currently juice jacking is a largely theoretical threat, and the chances that the USB charging ports in the kiosk at your local airport are actually a secret front for a data siphoning and malware-injecting computer are very low. This doesn’t mean, however, that you should just shrug your shoulders and promptly forget about the very real security risk that plugging your smartphone or tablet into an unknown device poses.
Several years ago, when the Firefox extension Firesheep was the talk of the town in security circles, it was precisely the largely theoretical but still very real threat of a simple browser extension allowing users to hijack the web-service user sessions of other users on the local Wi-Fi node that led to significant changes. End users started taking their browsing session security more seriously (using techniques like tunneling through their home internet connections or connecting to VPNs) and major internet companies made major security changes (such as encrypting the entire browser session and not just the login).
In precisely this fashion, making users aware of the threat of juice jacking both decreases the chance that people will be juice jacked and increases pressure on companies to better manage their security practices (it’s great, for example, that your iOS device pairs so easily and makes your user experience smooth, but the implications of lifetime pairing with 100% trust in the paired device are quite serious).
Although juice jacking isn’t as widespread a threat as outright phone theft or exposure to malicious viruses via compromised downloads, you should still take common sense precautions to avoid exposure to systems that may malicious access your personal devices. Image courtesy of Exogear.
The most obvious precautions center around simply making it unnecessary to charge your phone using a third-party system:
Keep Your Devices Topped Off: The most obvious precaution is to keep your mobile device charged. Make it a habit to charge your phone at your home and office when you’re not actively using it or sitting at your desk doing work. The fewer times you find yourself staring at a red 3% battery bar when you’re traveling or away from home, the better.
Carry a Personal Charger: Chargers have become so small and lightweight that they scarcely weigh more than the actual USB cable they attach to. Throw a charger in your bag so you can charge your own phone and maintain control over the data port.
Carry a Backup Battery: Whether you opt to carry a full spare battery (for devices that allow you to physically swap the battery) or an external reserve battery (like this tiny 2600mAh one), you can go longer without needing to tether your phone to a kiosk or wall outlet.
In addition to ensuring your phone maintains a full battery, there are additional software techniques you can use (although, as you can imagine, these are less than ideal and not guaranteed to work given the constantly evolving arms race of security exploits). As such, we can’t truly endorse any of these techniques as truly effective, but they are certainly more effective than doing nothing.
Lock Your Phone: When your phone is locked, truly locked and inaccessible without the input of a PIN or equivalent passcode, your phone should not pair with the device it is connected to. iOS devices will only pair when unlocked–but again, as we highlighted earlier, pairing takes place within seconds so you had better make sure the phone really is locked.
Power the Phone Down: This technique only works on a phone model by phone model basis as some phones will, despite being powered down, still power on the entire USB circuit and allow access to the flash storage in the device.
Disable Pairing (Jailbroken iOS Devices Only): Jonathan Zdziarski, mentioned earlier in the article, released a small application for jailbroken iOS devices that allows the end user to control the pairing behavior of the device. You can find his application, PairLock, in the Cydia Store and here.
One final technique you can use, which is effective but inconvenient, is to use a USB cable with the data wires either removed or shorted out. Sold as “power only” cables, these cables are missing the two wires necessary for data transmission and have only the two wires for power transmission remaining. One of the downsides of using such a cable, however, is that your device will usually charge more slowly as modern chargers use the data channels to communicate with the device and set an appropriate maximum transfer threshold (absent this communication, the charger will default to the lowest safe threshold).
Ultimately, the best defense against a compromised mobile device is awareness. Keep your device charged, enable the security features provided by the operating system (knowing that they aren’t foolproof and every security system can be exploited), and avoid plugging your phone into unknown charging stations and computers the same way you wisely avoid opening attachments from unknown senders.