Technical Juice Jacking

Research by IBM Security has found that a growing number of cybercriminals have travellers in their sights. The transportation industry has emerged as the second most-attacked industry. Travellers carry a wealth of data with them, from passports and payment information to itineraries and other information of value to bad actors.

One of the warnings concerns quick-charging mobile phone stations at airports. Cybercriminals could modify the USB connections of charging stations to exfiltrate or infiltrate mobile phones and smart devices left to charge.

Previously, the dedicated charging stations at airports required travellers to plug in a phone charger that connected to a wall electrical power outlet. Today, smartphones have USB ports that do double duty as charging ports and data ports. Many smartphones are configured to automatically transfer data or sync when they are plugged into USB ports.

A 2014 study by Microsoft found that five out of 10 malware attacks were worms spread by USB removable drives. In fact, any device with storage, including wireless and Bluetooth-capable devices, can be an infection carrier. A single USB connection serves many kinds of device, from keyboards, mice and tablets to mobile phones, smart devices and thumb drives, and any of them can be reprogrammed and covertly turned malicious.

Modification of charging stations using hardware to launch malicious attacks is known as juice jacking.

What makes juice jacking particularly dangerous is the ease with which it can be carried out on unaware device owners. For one, the hardware to facilitate juice jacking can be built for as little as $10. For another, the human tendency to plug into the ubiquitous USB ports in airports, coffee shops, theme parks and hotel rooms without a second thought creates fertile ground for such attacks.

Categories of USB attacks

USB attacks can take many forms to meet specific malicious ends, from data exfiltration and live tracking to device damage and running up mobile bills. The four categories and sub-categories of USB attacks are discussed below:

Programmable microcontrollers: Bad actors can reprogram a USB microcontroller to act as a human interface device (HID) such as a keyboard or mouse, and execute custom keystrokes on the target machine.

BadUSB: In 2014, researchers reverse engineered the firmware of USB microcontrollers from Taiwanese company Phison, a leading global USB maker. The reprogrammed firmware could impersonate a keyboard to allow the attacker to perform any keystrokes on the victim’s machine. Because the attack lives in the USB microcontroller’s firmware, the attack program is stored in the rewritable code controlling the USB device’s basic functions rather than in its flash storage. Wiping the entire contents of the drive’s storage therefore neither removes nor reveals the malware.

Researchers also demonstrated how, by reprogramming the firmware, the USB drive’s security feature that protects a portion of its memory by prompting for a password could be disabled, and how files could be hidden in a portion of storage the host cannot see.

The alarming part is that such attacks don’t necessarily require a big budget. In fact, juice jackers can compromise smart devices with a hack tool that costs less than $10.

Researchers who brought BadUSB to light warned that storage device manufacturers would not improve the security of their products if they felt that only those with big budgets could launch such attacks. The ability of the average hacker to exploit devices inexpensively has since prompted Apple and Google to patch known vulnerabilities in their operating systems that can facilitate USB attacks.

The USB Rubber Ducky resembles a regular USB flash drive and performs rapid keystroke injection attacks. The hack tool executes a programmed script on the target device within seconds of being plugged in.

Hack tools with this modus operandi allow you to write payloads with a simple scripting language or use an online payload generator. Proceed to encode the Ducky Script using an open-source duck encoder or download a pre-encoded binary from the online payload generator. You can then load the micro SD card into the ducky and place it inside the USB drive enclosure. After this covert deployment, the ducky is ready to infiltrate the target machine.
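As an added defensive example (not code from the original article), the following Python function applies the timing heuristic that separates keystroke injection from human typing: a scripted HID device such as the one described above delivers dozens of keys only a few milliseconds apart, a rate no person sustains. The timestamps are constructed samples, not real captures.

```python
# Constructed key-press timestamps in seconds (not real captures):
# a person typing a short command, then a burst typed by a scripted HID device.
HUMAN_TYPING = [0.00, 0.18, 0.31, 0.52, 0.61, 0.88, 1.02,
                1.25, 1.40, 1.58, 1.77, 1.93, 2.10, 2.31]
INJECTED_TYPING = [5.000 + 0.004 * i for i in range(40)]  # 4 ms apart

MIN_BURST = 12        # keystrokes a run must contain before it is judged at all
MAX_INTERVAL = 0.02   # seconds; humans rarely sustain under 20 ms between keys


def injected_bursts(timestamps, min_burst=MIN_BURST, max_interval=MAX_INTERVAL):
    """Return (first_index, last_index) pairs for every run of at least
    min_burst keystrokes in which every gap is shorter than max_interval."""
    bursts = []
    start = 0
    for i in range(1, len(timestamps) + 1):
        # A run ends at the end of the data or at the first "human-speed" gap.
        if i == len(timestamps) or timestamps[i] - timestamps[i - 1] >= max_interval:
            if i - start >= min_burst:
                bursts.append((start, i - 1))
            start = i
    return bursts


def looks_injected(timestamps):
    """True when the event stream contains at least one machine-speed burst."""
    return bool(injected_bursts(timestamps))


if __name__ == "__main__":
    print("human:", injected_bursts(HUMAN_TYPING))
    print("device:", injected_bursts(HUMAN_TYPING + INJECTED_TYPING))
```

On a real host the timestamps would come from the input event stream; a burst that is flagged can be used to block the offending HID device rather than let the rest of its script run.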

PHUKD/URFUKED: USB devices programmed to activate a malicious key sequence at a chosen time. The types of attacks that can potentially be launched include:

  • Exfiltrating or infiltrating information
  • Installing a virus or remote administration tool
  • Disabling attacks such as removing all files in home directory
  • Financial attacks such as an eBay bid attack or PayPal transfer attack
  • Inappropriate web browsing or Facebook postings

USBdriveby is a device that covertly installs a backdoor and overrides DNS settings on an unlocked machine via USB and can potentially hijack a computer in a matter of seconds. It achieves this by spoofing a keyboard and mouse, typing controlled commands, moving the mouse pointer around, and manipulating mouse clicks.

USBdriveby can be made cheaply and circumvents security controls to make changes that persist even after the device has been removed. This includes opening a permanent backdoor, disabling a firewall and controlling the flow of network traffic.

Evilduino is a hack tool that uses Arduino microcontrollers and mimics a mouse or keyboard to perform cursor movements and keystrokes on the host device according to a preloaded script. The tool can be fashioned from old electronic components at low cost, yet can run powerful scripts within seconds.

Here are just some of the malicious actions it can perform:

  • Open a command prompt with admin privilege
  • Enable a remote desktop and add a firewall policy to allow remote desktop protocol (RDP) connection
  • Create a new account and give it admin privilege
  • Change the DNS entry

Evilduino can exploit the target device in numerous ways, including disabling the firewall, finding and uploading files, starting a Wi-Fi access point, and sharing the C:\ drive.

Unintended USB channels: USB channels that were never meant to carry data, such as speakers, are also open to exploitation. A proof of concept hardware Trojan horse device can use unintended USB channels to create two-way communications with the targeted network endpoint, in an attempt to compromise the confidentiality and privacy of data residing on the endpoint.

TURNIPSCHOOL: TURNIPSCHOOL is a hardware implant concealed within a USB cable. It provides short range RF communication capability to software running on the host computer. A brainchild of the NSA, the prototype was presented at Shmoocon 2015.

Default Gateway Override: This is a type of attack where the microcontroller is used to spoof a USB ethernet adapter to override DHCP settings and hijack local traffic. Symantec notes that using USB devices for software installation poses a security risk. The company offers a USB Device Control service that prevents a USB thumb drive from being used on a computer, reducing the risk of malicious code injection.

Read It Twice (RIT) attack based on USB mass storage: This attack observes and alters file access from the user device. A RIT attack exploits the observation that software installation and firmware upgrade code on embedded devices assume that files on an attached mass storage device will remain unchanged during installation. The attack circumvents the signature check and/or file content inspection as explained here.


Attacks on wireless USB dongles refers to a category of attacks that first came under the spotlight after the release of KeySweeper. Camouflaged as a USB wall charger, the sniffing device observes, decrypts, logs and transmits the input typed into a Microsoft wireless keyboard.

KeySweeper can send SMS alerts when certain keystrokes are typed, such as ‘www.bank.com’. When removed from AC power, it appears to shut off but in fact continues operating covertly on an internal battery that automatically recharges upon reconnecting to AC power. Please refer to this page for detailed information on KeySweeper.

Also belonging to this category is MouseJack, a class of vulnerabilities affecting wireless, non-Bluetooth mice and keyboards. A radio transceiver, which is often a small USB dongle, is used to connect these peripherals to the host computer. MouseJack radio devices are low-cost and transmit signals over the air to control the target device from up to 100 m away. Normally, mouse movements are sent unencrypted while keystrokes are encrypted. MouseJack exploits the vulnerable receiver dongle and its associated software, which accept unencrypted keystrokes transmitted by the attacker and pass them to the computer’s operating system as if the victim had typed them.

MouseJacking can be used against both personal systems (for example, for identity theft) and company systems (for example, to exfiltrate employee user credentials).

USB peripheral firmware attacks

Bad/Modified firmware can make the USB drive emulate any component to take control of the target machine.

Smartphone-based HID attacks: In a HID attack, the attacker takes a programmable embedded development platform such as Teensy and an associated software package to create a USB device. When this device is plugged into a computer, it executes a pre-configured set of keystrokes to drop a malicious payload on the system.

Smartphone-based HID attacks are facilitated by custom-built USB gadget drivers that change how the phone’s operating system presents itself to USB hosts. For example, Kali NetHunter is a mobile penetration-testing platform that, when installed and run on an Android mobile phone, can compromise systems via USB. The tool can spoof a keyboard, send commands to open an admin shell, and even facilitate BadUSB-style attacks.

For detailed information on this type of exploitation, please refer to this research paper.

Boot sector virus: A boot sector virus is a type of malware that embeds its starting code in the boot sector of a storage device. The virus moves into the system memory when the computer reads and executes the program in the boot sector. Besides taking over basic computer operations, the virus can spread to floppy and network drives.

Boot sector viruses are most commonly spread via physical media such as an infected USB drive. If the device is a USB flash drive, the Volume Boot Record (VBR) is involved; if the device is a hard disk, it is the Master Boot Record (MBR).

The infected USB drive will infect a machine before it boots. The USB drive will transfer the infected code when its Volume Boot Record (VBR) containing the boot code is read, and it will then substitute (replace or modify) the existing boot code.

DNS override to hijack traffic from computer: DNS override is normally a legitimate feature that lets you choose your preferred DNS servers and use them on Wi-Fi and cellular networks. In this type of attack, hackers modify the USB flash drive’s firmware to spoof an ethernet adapter, change the DNS details of the target machine’s network connection, and direct DNS queries to an attacker-supplied server in order to intercept and hijack internet traffic.
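As an added defensive example (not code from the original article), the following Python script scans Linux kernel log lines for the device patterns behind BadUSB, Default Gateway Override and the DNS override attack above: a single USB port that enumerates as mass storage and also as a keyboard or network interface, and any USB network adapter at all, whose DHCP-supplied gateway and DNS should then be verified. The log lines, vendor and product IDs are constructed samples in dmesg format, not taken from any real incident.

```python
import re
from collections import defaultdict

# Constructed kernel-log lines (dmesg format). Port 1-1 is a "flash drive" that
# also enumerates a keyboard (the BadUSB pattern); port 1-2 is a USB Ethernet
# adapter of the kind used for Default Gateway Override / DNS override.
SAMPLE_LOG = """
[  100.10] usb 1-1: New USB device found, idVendor=1234, idProduct=5678, bcdDevice= 1.00
[  100.11] usb-storage 1-1:1.0: USB Mass Storage device detected
[  100.20] input: Constructed Keyboard as /devices/pci0000:00/0000:00:14.0/usb1/1-1/1-1:1.1/0003:1234:5678.0002/input/input12
[  110.05] usb 1-2: New USB device found, idVendor=1234, idProduct=9abc, bcdDevice= 1.00
[  110.06] cdc_ether 1-2:1.0 usb0: register 'cdc_ether' at usb-0000:00:14.0-2, CDC Ethernet Device, 02:00:00:00:00:01
""".strip().splitlines()

# Kernel driver name -> functional class of the interface it bound to.
DRIVER_CLASS = {
    "usb-storage": "storage",
    "cdc_ether": "network",
    "rndis_host": "network",
    "cdc_ncm": "network",
}
PORT = r"(\d+-\d+(?:\.\d+)*)"  # bus-port path such as 1-1 or 2-1.3
DRIVER_RE = re.compile(r"\b(usb-storage|cdc_ether|rndis_host|cdc_ncm) " + PORT + r":\d+\.\d+")
# Input devices are reported with their sysfs path, which contains the port.
INPUT_RE = re.compile(r"\binput: .* as /devices/.*/" + PORT + r":\d+\.\d+/")


def classify_ports(lines):
    """Return {port: set(classes)} for every USB interface seen in the log."""
    ports = defaultdict(set)
    for line in lines:
        m = DRIVER_RE.search(line)
        if m:
            ports[m.group(2)].add(DRIVER_CLASS[m.group(1)])
        m = INPUT_RE.search(line)
        if m:
            ports[m.group(1)].add("hid")
    return dict(ports)


def find_suspicious(lines):
    """Flag ports whose mix of interfaces matches the attacks described above."""
    findings = {}
    for port, classes in classify_ports(lines).items():
        notes = []
        if "storage" in classes and ("hid" in classes or "network" in classes):
            notes.append("storage device also presents a keyboard or network interface (BadUSB pattern)")
        if "network" in classes:
            notes.append("USB network adapter enumerated: check the gateway and DNS it hands out via DHCP")
        if notes:
            findings[port] = notes
    return findings


if __name__ == "__main__":
    for port, notes in find_suspicious(SAMPLE_LOG).items():
        print(port, "->", "; ".join(notes))
```

Real kernel messages vary by driver and version, so the regular expressions are a starting point to extend rather than a complete inventory; a plain flash drive that presents only mass storage produces no finding.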

If a keyboard is emulated, infection begins and the malware intercepts the user’s password to gain root privileges. Keyboard emulation can also be used by a virus-infected smartphone to attack the USB-connected computer. Other attack possibilities include:

  • Hiding files rather than deleting them
  • Adding viruses to files added to storage
  • Spoofing a USB display to access security information such as CAPTCHAs

Please refer to this document for more details.

Attacks via the USB port

Attackers conceal and transmit malware through USB phone chargers.

Hidden Partition Patch: USB flash drives can be reprogrammed to behave like a normal drive while creating an unformattable hidden partition, allowing data infiltration without detection.

Password Protection Bypass Patch: A USB flash drive’s firmware is modified slightly to allow attackers to circumvent password-protected USB flash drives.

iSeeYou: A proof-of-concept program that reprograms the firmware of a class of Apple internal iSight webcams used in some versions of iMac desktops and MacBook laptops, to capture video with the LED disabled. Please read the Johns Hopkins whitepaper for more information on iSeeYou.

Virtual Machine Breakout: An exploit where the attacker runs code on a virtual machine (VM) that allows an operating system running within it to break out and interact with the hypervisor. Researchers have shown how USB firmware can be used to break out of VM environments. Such exploits can give attackers access to the host operating system and all VMs running on that host.

Keyboard Emulation: Modified USB firmware can inject keystrokes to steal passwords.

Attacks on unprogrammed USB devices

USB backdoor into air-gapped hosts: Air-gapping physically isolates a computer from the internet, protecting it against remote attack. However, Stuxnet and Fanny malware showed that air gaps can be breached by leveraging vulnerabilities in the removable media used to transfer files to air-gapped computers.

Hiding data on USB mass storage devices: A USB flash drive can serve as a ‘vessel’ for concealing malware, for example in hidden or inconspicuous-looking files.

AutoRun Exploits, where some PCs auto-execute predetermined files from a USB device’s storage. AutoRun-style attacks can be executed against weakly secured Linux PCs.

Cold Boot Attacks, where attackers boot a computer from a USB device, dump the contents of its RAM to the USB flash drive, and extract data that remained in memory after the reset.

Device Firmware Upgrade (DFU), where attackers use the Device Firmware Upgrade mode – which allows devices to be restored to any state – to update the original firmware to a malicious version.

USBee attack, where the USB connector’s data bus emits electromagnetic emissions that can be used for data exfiltration.

Electrical attacks

USB Killer, a device with a few high voltage caps, a DC-to-DC converter and a USB connector, can dump -220V directly into the USB signal lines to fry laptops.

Real life examples of USB attacks

There have been instances where USB drives were used for malware injection or employed accidentally, resulting in infection, equipment shutdown and other business disruptions.

Mariposa botnet: Discovered in 2008, Mariposa is a botnet involved in denial of service and cyberscamming attacks. The initial vector triggering the attack may have been a USB drive shared at an industry conference. An infected USB drive used by a single laptop at the conference managed to compromise multiple business systems, and the botnet included a total of 12.7 million unique IP addresses.

Ban on USB drives by U.S. Department of Defense: In 2008, the United States Computer Emergency Readiness Team (US-CERT) issued a warning about a malicious code being spread via USB drives. This led to a temporary ban on USB drives and other removable storage devices by the U.S. Department of Defense.

Operation Copperfield: An employee used a USB drive to download a movie on a system in the Middle East. He inadvertently passed a piece of malware called Copperfield that possessed capabilities such as remotely controlling an ICS workstation, leaking data and scanning the network. This potent malware could potentially run any command on the machine, upload any file from the machine to the attacker’s server, and infect a USB drive to spread the infection to other devices.

What are manufacturers doing about juice jacking?

Storage device vulnerabilities have been around for a long time. Manufacturers have attempted to build devices without reprogrammable firmware. However, in the absence of proactive steps by the manufacturing industry, and in situations where a component other than the firmware is modified to carry out the attack, prevention comes down to individual behaviour.

Older phones made data accessible when you plugged in a cable; current smartphones require permission for file sharing. The feature asking whether you trust the computer or want to enable file transfer over the connection can go a long way in avoiding juice jacking.

That being said, cyber attacks are becoming increasingly sophisticated. There is the possibility of attackers exploiting an unknown vulnerability in your phone. As often happens, it is only after the fact that manufacturers spring into action to fix the vulnerability. For example, Apple added USB Restricted Mode to the iPhone and iPad only a year ago to prevent attacks via password-cracking tools connected to the Lightning data port.

The risks are exacerbated in Android devices for the simple reason that most Android phones run outdated operating systems. If you fail to run updates that have patched over weaknesses, your phone may be a ‘better’ target for a USB port attack than an updated phone that is more difficult to crack by juice jackers.

Precautionary measures:

  • Use a USB charge-only adapter. You can buy a decent quality adapter online for less than $10. One type, in which the data pins are disconnected inside the dongle, is known as a ‘USB condom’.
  • Android users can consider charge-only cables that work like a dongle; as the data pins in the cable are shorted, a data connection over the cable is not possible.
  • Plug your phone’s charger directly into the AC power outlet as this eliminates the risk of data connection even if network traffic is transmitted over the electrical wiring.
  • It is worth investing in a portable battery that will allow you to charge your phone and smart devices on-the-go without the need for a power outlet. If you come across an AC outlet, you can plug your battery into the outlet. In fact, you can charge both your phone and battery at the same time.

Detecting malware on your device:

Although many juice jacking attacks involve covert deployment and quiet behind-the-scenes activity that is hard to detect until damage is done, any unusual behaviour should set off warning bells and prompt investigation.

In general, here are some signs indicating that your device may be infected with malware:

  • A surge in monthly data usage: Sudden spikes in data without any changes in data usage patterns from your side need investigation.
  • Battery draining quickly: Juice jackers may have infected your device with battery-sucking viruses. The drain will occur almost immediately after infection, so you should be able to spot this one early.
  • Possible identity theft: If the attacker has managed to steal your personal information and impersonated you for financial gains, you may see withdrawals from your bank account that you cannot explain, see unfamiliar charges or accounts on your credit report, or not get your usual bills.
  • Unwanted apps: Android phones and jailbroken iPhones, when infected with Trojan malware, will automatically download more malicious apps without your knowledge.