Juice Jacking History and Press
Juice Jacking is a cyber-attack where compromised USB-port charging stations exploit the data-exchange function of USB charger chords in order to gain access to sensitive information on the user’s linked smart device. Juice Jacking was first introduced to the mass market at an American Def Con[1] Hacking Conference where charging stations were set-up offering mobile device charging points for attendees with smart devices low on battery; the USB charging cables were not compromised, however used the data exchange capabilities of USB drives to display a notification on the user’s smart device indicating that their information can be at risk when charging using an untrusted, public USB-port charging point. The demonstration served the purpose of educating users about the dangers of charging their smart devices, particularly Apple devices[2], using untrusted USB-ports. Following this demonstration, in 2013 Snowden reports supposedly submitted that the NSA had used Juice Jacking to install malware onto smart device firmware in order to track information of persons of interest however, as at 2015, no reported incidents of Juice Jacking had been submitted to policing institutions[3] (importantly, due to the nature of Juice Jacking attacks, it is uncertain whether, due to naivety surrounding the issue of Juice Jacking, individuals erroneously report instances of Juice Jacking as traditionally understood hacking). Irrespective of these facts, antivirus giant Kaspersky[4] warned of the dangers of Juice Jacking and news stations have detailed and warned of the dangers of Juice Jacking[5]. Hollywood has also taken advantage of the fear, anxiety and consequences surrounding the possibility of Juice Jacking by allowing Juice Jacking a central theme in an episode of the television series CSI:Cyber[6].
Increased media coverage of Juice Jacking resulted in consumer concerns over charging smart devices using public USB-ports and highlighted the need for Android and iOS software developers to protect respective smart device users against data transfers via USB-ports when charging. In response to the identified vulnerabilities and data security issues presented by USB-port charging, Android and iOS developers nuanced their software to prompt users to select trusted or untrusted USB-port when the smart device was connected via a USB-port for charging purposes; whilst this provides a mitigation strategy against Juice Jacking, it does not protect against a user habitually selecting “trusted”, when the USB-port is, in fact, “untrusted”[7]. In addition to software alterations, Android and iOS developers also began releasing software updates containing necessary security information to prevent various identified threats; however, system information containing the software required to thwart these attacks is often incorporated in systems updates that require internet connection and access to sufficient internet data[8]. In an environment of progress, it is important that systems security updates are frequently integrated into user software and available to all devices for download. As at 2018, software and security updates were deemed insufficient to support and promote smart device security owing to delays and device specific availability to security updates, the lack of which leaves particular smart devices vulnerable to Juice Jacking and other smartphone attacks[9].
In response to the inefficiency of system’s security updates, antivirus software has been developed for mobile devices, however, mobile antiviruses have received variable success; the antivirus software not being comprehensive enough to combat the varying origins of malware threats[10] and the level of security offered by the antivirus insufficient to protect smart device software from malware penetration[11]. Notably, in South Africa, Vodacom has partnered with Norton to make Norton antivirus subscription services available to Vodacom customers; however, Norton is advertised as having limited capabilities to protect iOS devices and seems to specialize in Android phone protection[12]. Although mitigating behaviors and software protections have been developed to prevent the likelihood of Juice Jacking, and developers and antivirus providers alike have aimed to position themselves in the market as a means of smart device hacking prevention, there are several other means of USB-port data exchange exploitation that can be used in order to obtain personal information from (or transfer malware data to) user smart devices.
USB-ports and USB-cables have capability to charge a selected smart device and also transfer information, or data, between connected smart devices and USB-port sources. The data transfer of USB-port is bidirectional, thus charging a smart device (compromised by downloading applications infected with malware) on a personal computer or other data rich hardware might enable malware to transfer from the smart device to the charging source[13] compromising the charging hardware by inadvertently converting the charging device to a vector for the transfer of malware onto other target devices charged using the same USB-port outlet[14]. In order to ensure that a charging source becomes a malware vector, hackers modify firmware information of the selected device, imbedding the functional code with malware[15], which is difficult to identify as malware, as the malware is masked by the firmware code. Should a smart device carry such malware vectors obtained through use of public USB charging points, any other USB port charging device can be compromised and modified to become a vector; these include PS4/PS3 consoles, personal computers, electronic cigarette chargers[16] , portable WiFi routers and power banks. Notably, information transferred to vector smart devices might infect the aforementioned devices’ software and compromise their function – rental cars are also vulnerable to this attack. Rental vehicles have also been proposed as malware vectors where motor vehicle software (provided access to smart devices via data exchange functionality of installed vehicular USB-ports used to charge passengers smart devices) obtains and stores user mobile information, which might include malware, and if user information is not erased from the motor vehicle’s software, previous user information (or malware) becomes available to new renting users[17]. Although some Juice Jacking attacks aim to use devices as malware vectors, other Juice Jacking attempts aim to hijack smart devices using a more invasive Juice Jacking approach.
Engineers interested in Juice Jacking and routes of exploitation of USB-port data exchange have demonstrated that it is possible to manipulate USB-codes and alter the manner in which charging firmware recognizes the plugged-in device. The engineers have reportedly managed to encrypt a device to alter the way that the connected device’s data is processed and communicated when the device is charged via a USB-port connected to another smart device. The smart device that is the charging source identifies the charging smart device as a URL/web key and opens the link in the background. In this type of Juice Jacking attack, the URL/web key is usually linked to a website that surreptitiously downloads malware onto target devices[18]. A research paper was published indicating that it was possible to use a USB connection to instruct a computer device to follow a particular sequence of key-strokes to introduce malicious software onto a target computer device[19]. A similar manipulation is reported to occur with smart devices with mobile internet connection; it has been proposed that charging a smart device using a compromised USB-port (irrespective of the security measures in place) allows hackers access to the device’s mobile connection. Hackers are able to send data to the target device instructing the cellular network to surreptitiously download malware onto the charging smart device. Thus, data could be transferred from the untrusted or vandalized USB-port to the smart device’s network connection, which instructs the mobile device to download particular applications or URL-linked malware, which allows hackers access to private smart device data[20].
Information exchange might not be necessary for hackers to obtain access to target smart devices as a new strategy has identified USB cables as the means through which persons are able to gain access to smart devices and personal computers. The USBHarpoon is a modified USB cable encrypted to action particular sequences of keystrokes, which allow the background installation of malware onto target firmware devices[21]. These modified USB cables contain Wi-Fi or Bluetooth technology allowing hackers to obtain control of target firmware within a designated remote distance[22]; hackers are able to send remote instruction to the target device to transfer or execute particular downloads depending on the type of device the hacker identifies as plugged into the compromised USBHarpoon. The USBHarpoon is not isolated in use and is capable of infecting other USB linked devices as well, including drones[23], which become vectors for the infection of other smart devices including personal computers.
[1] https://www.ficpa.org/content/News/BizTechNews/TechTips/Juice-Jacking-Protect-Your-Devices.aspx [2] https://securitywatch.pcmag.com/hacking/314361-black-hat-don-t-plug-your-phone-into-a-charger-you-don-t-own [3] Salisbury, 2015 Form ART-68 [4] https://gulfnews.com/going-out/society/public-phone-charging-kiosks-can-leave-you-drained-1.2248331 [5] https://www.youtube.com/watch?v=pYmMoUCMB7A and https://www.youtube.com/watch?v=gey9lt2lTtc and https://money.cnn.com/2017/02/15/technology/public-ports-charging-bad-stop/index.html [6] https://www.tvovermind.com/csi-cyber-season-1-episode-9-review-l0m1s/ [7] https://www.usatoday.com/story/travel/advice/2016/12/18/hacking-plugs-ports/95511936/ [8] https://www.cnet.com/news/your-smartphones-are-getting-more-valuable-for-hackers/ [9] https://www.pcmag.com/article/362443/how-to-get-infected-with-malware [10] https://www.extremetech.com/computing/104827-android-antivirus-apps-are-useless-heres-what-to-do-instead [11] https://www.extremetech.com/mobile/287790-most-android-anti-malware-apps-dont-offer-any-protection [12] https://www.vodacombusiness.co.za/business/solutions/data-storage-and-tracking/antivirus [13] https://www.forbes.com/sites/daveywinder/2019/03/13/new-android-app-malware-infects-250-million-downloads-heres-what-you-need-to-know/#6d259fab60fd [14] https://www.bleepingcomputer.com/forums/t/639307/scan-mobile-phones-for-malware-that-can-infect-pc-windows-81/ [15] Mulliner & Michele, unknown [16] https://us.norton.com/internetsecurity-malware-malware-101-how-do-i-get-malware-simple-attacks.html [17] https://www.consumer.ftc.gov/blog/2016/08/what-your-phone-telling-your-rental-car [18] https://digitalguardian.com/blog/little-usb-horrors [19] https://dl.acm.org/citation.cfm?id=1920314 [20] https://www.leaderquestonline.com/blog/juice-jacking-usb-attack-vector/ [21] https://www.myce.com/news/new-usbharpoon-attack-installs-malware-through-usb-charging-cable-84978/ [22] https://www.extremetech.com/computing/285646-offensive-usb-cables-embed-wi-fi-can-remotely-control-connected-pc [23] https://fossbytes.com/usbharpoon-usb-cable-malware-transfer/