Juice Jacking – meh! - Security Boulevard

Juice Jacking – meh!

Lately, I have been seeing a number of posts and articles warning us all not to use publicly available USB charging points due to the risk of “juice jacking.” Since it is the holiday season and many people will be traveling, here’s my take on this not-so-new, not-so-dangerous threat.

Juice jacking is an attack in which plugging your phone or tablet into a booby-trapped USB charger allows an attacker to take control of your device to steal information or install malware. These attacks have been demonstrated at security conferences as far back as 2011 and they do work.

However, I am finding it hard to get my knickers in a knot over this threat. There have been exactly zero actual juice jacking attacks reported in the wild so far and most of the vulnerabilities that led to these (admittedly cool and scary) demos have long been patched.

This is not to say that plugging your phone into some rando USB jack is risk free – there are some issues which could allow a malicious person to monitor the video on your device while you are plugged in. Someone could have put a hardware implant in place to try and act like a keyboard on your device and do bad things. However, the actual real world risk of this is what I would classify as pretty darn low when it comes to the airport, airplane, or most other places where you will encounter such facilities.

This being said, if you are in an interesting/sensitive location such as a security conference or a hotel where an event like a defense or aerospace conference is taking place, maybe someone WOULD take the time and effort to mess with the USB chargers. (Cough) China (Cough). I might also hesitate to plug my phone into a free USB charger located in, say, China, Russia, Iran, or North Korea. Not that I get to North Korea much these days.

It is also worth considering that a public USB charger has a hard life and could get damaged. In this case, there is a small but nonzero chance that your device could be damaged by a power surge.

My solution? Plug your trusty power bank into the USB port and then plug your device into the power bank. From my non-scientific testing, it appears that the power bank should act as a firewall between your device and the USB charger since there is no data connection. On my Mac, plugging my iPhone in this way makes it invisible to Finder and Music – this is the extent of my testing, so take it with a grain of salt if you are really worried.

For maximum protection from this threat, you can purchase purpose-built “data blockers” which plug into a USB cable to interrupt the data lines on your cable and charge away. They are pretty cheap and if they make you feel better, great.

Sort of like a USB condom…
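The power bank and data blocker checks above can be made a little more rigorous by diffing what a host enumerates on USB before and after the phone is plugged in. This is an added example, not code from the original post: it assumes macOS and the JSON output of `system_profiler -json SPUSBDataType`, uses your own Mac as a stand-in for the untrusted charger, and the sample snapshots are constructed.

```python
import json
import subprocess

def usb_snapshot():
    """Parsed USB tree from macOS system_profiler (this host plays the charger)."""
    out = subprocess.run(["system_profiler", "-json", "SPUSBDataType"],
                         capture_output=True, text=True, check=True).stdout
    return json.loads(out)

def devices(tree):
    """Flatten the nested '_items' lists into a set of device identity tuples."""
    found = set()
    def walk(node):
        for item in node.get("_items", []):
            found.add((item.get("_name"), item.get("vendor_id"),
                       item.get("product_id"), item.get("serial_num")))
            walk(item)  # hubs carry their children in their own '_items'
    for bus in tree.get("SPUSBDataType", []):
        walk(bus)
    return found

def newly_enumerated(before, after):
    """Devices the host sees after plugging in that it did not see before."""
    return sorted(devices(after) - devices(before), key=str)

# Constructed sample snapshots (not captured from real hardware).
BUS_ONLY = {"SPUSBDataType": [{"_name": "USB31Bus", "_items": [
    {"_name": "USB Keyboard", "vendor_id": "0x1111", "product_id": "0x0001"}]}]}
DIRECT = {"SPUSBDataType": [{"_name": "USB31Bus", "_items": [
    {"_name": "USB Keyboard", "vendor_id": "0x1111", "product_id": "0x0001"},
    {"_name": "USB Hub", "vendor_id": "0x2222", "product_id": "0x0002", "_items": [
        {"_name": "iPhone", "vendor_id": "apple_vendor_id",
         "product_id": "0x12a8", "serial_num": "CONSTRUCTED0001"}]}]}]}
VIA_POWER_BANK = BUS_ONLY  # charge-only path: nothing new enumerates

if __name__ == "__main__":
    before = usb_snapshot()
    input("Plug the phone in through the power bank or data blocker, then press Enter: ")
    seen = newly_enumerated(before, usb_snapshot())
    if seen:
        print("Data lines are connected; the host enumerated:", *seen, sep="\n  ")
    else:
        print("No new USB device enumerated; only power is passing through.")
```

Give the host a few seconds after plugging in before pressing Enter, since enumeration is not instant.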

In short, my advice to the peripatetic mobile user is to keep your power bank charged and use that instead of a public charger – it is much easier and is less likely to damage your device. Next choice would be an AC adapter of your own. But if your battery is bottoming out (and you are not in Pyongyang airport), I think that the odds are good enough to get that device charged.

*** This is a Security Bloggers Network syndicated blog from Al Berg's Paranoid Prose authored by Al Berg. Read the original post at: https://paranoidprose.blog/2019/12/06/juice-jacking-meh/