The FBI’s Denver office is warning consumers about using free public charging stations, saying bad actors can use USB ports at juice stops to introduce malware and surveillance software onto devices.
“Take your charger and USB cord and use an electrical outlet instead,” the agency recommended in a recent tweet.
“Juice jacking” has been around for a decade, though no one knows how widespread the practice has become.
“There’s been a lot of talk about it publicly, but not a lot has caught on publicly,” said Brian Marcus, CEO of Ariz Security, a security research and education company in Wilmington, Va. Dale Marcus, and partner Robert Rowley Said. Juice Jacking was performed for the first time in 2012.
“Juice jacking chargers are like ATM skimmers,” Marcus told TechNewsWorld. “You hear a lot about them but don’t necessarily see them.”
Avoid using free charging stations at airports, hotels or shopping centers. Bad actors have found ways to use public USB ports to introduce malware and surveillance software onto devices. Carry your own charger and USB cord and use an electrical outlet instead. pic.twitter.com/9T62SYen9T
— FBI Denver (@FBIDenver) April 6, 2023
He explained that anyone who wanted to tamper with a legitimate Power charging station could convert the station’s cable into a doctored cable, which contained a chip that could install a remote access trojan, or backdoor, on a phone. . Then the phone can be attacked at any time over the Internet.
“This is particularly prevalent with Android phones running older versions of the operating system,” Marcus said. “That’s why it’s important for users to keep their devices up to date.”
There seems to be conflicting opinion in the security community about the danger of juice jacking to consumers.
“It’s not very common in general because using a remote charging feature is not something that people do very often,” said Bud Broomhead, CEO of Viaku, a developer of cyber and physical security software solutions in Mountain View, California.
“However, if someone is a user of a charging system outside their control, the warning issued by the FBI should cause them to change their behavior, as cases are on the rise,” he told TechNewsWorld.
Aviram Janik, president of Epona Security, a source code security company in Roseville, California, said that juice jacking is “extremely common”.
“We don’t have numbers because the devices are in places where people don’t stay for long periods of time, so it’s easy to put a bad device in and then take it out,” he told TechNewsWorld.
“This has been done for years, and the presence of malware-infected charging stations is almost routine,” he said.
“As charging becomes more and more sophisticated — meaning, data travels over the same cable as the charge — it will get worse,” he said. “When the target is of greater value — for example, an EV versus a mobile phone — the stakes will be higher.”
Jenick said another future development would be wireless charging, which would allow attackers to carry out an attack without ever seeing the physical device used for the breach.
two-way comm problem
Juice jacking is more likely to happen often by persons of interest — politicians or intelligence agency employees — said Andrew Barratt, managing head for solutions and investigations at Coalfire, a Westminster, Colo.-based provider of cybersecurity advisory services.
“For a juice jacking attack to be effective, it has to deliver a very sophisticated payload that can bypass common phone security measures,” he told TechNewsWorld.
“Frankly,” he continued, “I’d be more concerned about using the outlet so much that they would damage my cord or the socket on the phone.”
Juice jacking uses USB technology for malicious purposes. “The problem is that USB ports allow two-way communication not only for charging power but also for data transmission. How can your USB device send pictures and other data when you plug it in,” explained Roger Grimes, a defense publicist at KnowBe4, a security awareness training provider in Clearwater, Fla.
“USB ports were never designed to prevent advanced malicious commands being sent over the data channel,” he told TechNewsWorld. “USB ports have had many security improvements over the years, but there are still additional avenues of attack, and most USB-enabled devices allow charging ports to be declared an older version of the USB port standard, so few new security features are now available.” are not available.”
Will EVs Be Next?
JT Keating, senior vice president of strategic initiatives at Zimperium, a mobile security solutions provider in Dallas, cautioned consumers to be wary of free solutions billing themselves as “public” services.
“When hackers trick people into using their fake Wi-Fi networks and power stations, they can compromise devices, install malware and spyware, and steal data,” he told TechNewsWorld .
“This trend will continue and grow as more and more people connect to EV charging stations for their electric vehicles,” he continued. “By compromising an EV charging station, attackers can wreak havoc by stealing payment information or performing a variation of ransomware by disabling the stations and preventing charging.”
Coalfire’s Barratt said EV charging stations have been a concern for some time, but there has been a problem with fee evasion or free use of stations.
“Longer term,” he said, “I suspect there is a concern that we will continue to see more attacks against these chargers as the world transitions to EV chargers.”
“When we had public phones, there were attacks against them,” he continued. “Attacks regularly occur against ATMs and gas pumps. Anything where value is dispensable in an untraceable environment has potential for a cyber-enabled thief to take advantage of.
Avoid becoming a victim of juice jacking
Ever since Marcus and Rowley introduced the world to juice jacking, conditions have improved for attackers. For example, wireless connectivity has been added to the charging port.
“When we first did this, we had a whole laptop hidden in the charging station, and it worked great,” Marcus said. “The amount of compute power to do the same thing is now much less.”
The FBI isn’t the only alphabetic agency to sound the alarm about juice jacking. The FCC has warned consumers about the practice in the past as well. To avoid becoming a victim of juice jackers, it recommends:
- Avoid using USB charging stations. Use an AC power outlet instead.
- When traveling, bring your own AC, car charger and USB cable.
- Carry a portable charger or external battery.
- Consider carrying a charging-only cable, which prevents sending or receiving data while charging, from a trusted supplier.