Hacked While Using a Public Charger?! - Juice Jacking Explained
I never thought it would be 2023 and I’d be making a video about juice jacking. I thought this was pretty common information in terms of security, but a couple of weeks ago the FBI and the FCC posted tweets warning people about it again, over 10 years from the first time I’d heard of it.
Back in 2011 juice jacking made headlines because of a DEFCON booth that was set up as a free charging kiosk - kinda like those ones you see at theme parks or airports - where you can plug in your phone and get a battery boost. At that time 360 attendees plugged their devices into this charging station, which was built by a couple of security researchers who run one of the rooms at DEFCON called Wall Of Sheep - which is made to educate folks about how dangerous public wifi can be.
In this demo, the researchers built in a display that would switch from “Free charging” to a red warning that said “hey don’t plug your device into public kiosks because info can be stolen from your phone without your consent.”
Why is that? Anything you plug your phone into could be used not only to charge it with electrical power, but could also include hardware that can transfer data. You see this in practice when you plug a USB external hard drive or your smartphone into your PC with a USB cable - your PC can see the data on your phone or your hard drive and you can transfer that data over to your PC.
But that capability could also be built into a charging kiosk without you knowing. So when you plug your phone into a free charging kiosk or USB wall port, they could be accessing data too.
Of course, DEFCON is full of infosec folks, so at the time many weren’t worried because they brought burner devices, so they didn’t care - but most people traveling through airports and needing a charged device are not infosec nerds like us, they are parents, stressed out employees traveling for work, families, grandparents, kids traveling for sports events, whatever. And they may not know how dangerous these kiosks can actually be.
At the time, the researchers discovered that USB transfer could switch on even if disabled, and if you power your devices off completely then charge, it wouldn’t expose data. Things have changed since then. OS makers like Apple and Google will now prompt you on screen if you plug a phone into a power source that is also asking to access data. Now, you’ll see this prompt and it’ll ask if you want to trust the connected power source before data is transferred. But also, some phones will power on when they hit a minimum threshold requirement of battery so you can use your phone while it’s charging.
So we still have reason to be concerned, and even more so because of today’s technology. Things have definitely changed from a decade ago, so let’s revisit juice jacking.
If you like this video, a subscribe would me a lot to me. I use subscriptions as an indicator that I am actively building an audience here who is interested in these topics, and it lets me know you find value in this kind of content.
And a huge thank you to DeleteMe for sponsoring this video. Do you know how much of your personal information is out there on the internet? Probably more than you think. And it's not just your name and address. It's your phone number, your email address, your social media profiles, your past addresses, your spouse, I could go on.
All of this information can be used to steal your identity, commit fraud, or even stalk you (and hey! that actually happened to me back in the day and was the reason why I signed up for DeleteMe). That's why it's so important to take steps to protect your personal information.
I’ve done videos about how to delete yourself off the internet, and one ways I recommend protecting personal information is to use DeleteMe. DeleteMe is a service that helps you remove your personal information from the internet. They do this by sending requests to websites and data brokers to remove your information. They have real life human beings working to remove your data because often times, data brokers will require some kind of verification from a person before they remove it - it’s not as easy as just filling out a form on each data broker site - some of them require a phone call, or an email, and a lot of them hide the steps you have to take because they’re making money off your data existing on their site.
Use the code SNUBS at checkout - that’s S N U B S - for 20% off any of the consumer plans. or just click the link below or hit up JoinDeleteMe.com/MorseCode to sign up today and that code will automatically apply at checkout! Sign up now and safeguard your personal information today!
Huge thank you to DeleteMe for sponsoring this episode.
There are two untrusted hardware components you need to be aware of.
The first is the power source, like the kiosk or USB wall port. As demoed at DEFCON in 2011, these power sources could be used to steal data off of a phone. Similar to how ATM skimmers are set up, a free charging kiosk could look totally legitimate and not tampered with, but could be loaded with malware via a corrupt USB port to export data off your phone.
The second is the cable itself and the AC adapter. Disclaimer I work on the Hak5 channel making a show called ThreatWire and also host Hak5 from time to time, but now Hak5 sells this cable called the OMG Cable and it looks like this. It look completely normal like any other charging cable, almost identical to your regular lightning cable for iPhone or USB A or C for Android. But on the inside of this little cable is an even smaller chip that can let it run exploits on a connected device and transmit collected data via wifi to the attacker - which also means the attacker wouldn’t need to retrieve the cable after the attack. So if someone hands you a cable or if you see one plugged into a kiosk and think “sweet! Free charging cable”, it could be an OMG cable.
This means you can’t trust someone else’s cable.
While not necessarily a product on the market, I suspect the same could be done with an AC adapter - so I only use ones from reputable brands and retailers.
Cables do exist that differentiate between being data transfer cables and charging or JUST charging cables, and that’s usually listed in the specs when purchasing one. The difference is the teeny tiny little pins and lines that are built into the cable. There’s a couple of extra ones for data and if the cable doesn’t include these, or if they’re disconnected, then it’ll only charge your device. If you aren’t sure if your current cables are charge only - simply plug them into your phone and a known PC to see if your phone prompts you to trust the device. I stuck little tabs on my travel cables that I write on so I know if they’re charge only or include data transfer and I never plug my phone into an unknown charging station. I also only use my own AC adapter.
The weird thing is: no one knows why the FCC and FBI all of a sudden tweeted this warning, as there haven’t been any publicly available reports of juice jacking in the wild. We know it’s possible, we know the technology exists, and it’s been demoed at hacker conferences, but we’ve never seen one of these attacks happen in the real world with victims. Reports say the tweet was a PSA from the agencies and not really a new thing, just a reminder to watch out for these kind of attacks.
But nowadays, it is cheaper and less obvious, plus much more sophisticated, for an attacker to pull off one of these attacks.
The safest thing you can do is bring your own charging cable and your own travel battery or A/C wall wart and pray you find an open outlet or your flight has an outlet you can plug into. If you only have a cable, bring a cable that is CHARGE ONLY, not data, I do have a recommendation for this. Wireless chargers can also be used to transfer data, so even a wireless power station can’t be trusted.
It’s still a recommendation to power off your device while charging if you absolutely have to plug it into an unknown power source. But caveat - a lot of phones will power themselves back on as I mentioned earlier, and also… who wants to turn their phone off entirely while they are sitting in a boring airport? Most people wanna use their device while it’s charging, so I don’t really think that’s a reasonable expectation to set on users.
You may want to buy a USB data blocker. There are a couple of popular devices that are specifically made for this. One is the PortaPow data blocking cable. This one prevents data from being transferred while your phone is plugged in as it is only built with power lines. It doesn’t work with Qualcomm quick charge standards, but still charges your device.
You can also use these things that are dubbed USB condoms. These are small dongles that work like a defensive layer between the phone and the charging port, also preventing data transfer. PortaPow also makes these, and all of them are relatively inexpensive.
I don’t own any data blockers from PortaPow because I don’t need to depend on them. I always carry my own battery bank and charging cable, but if you don’t, you might wanna add one of these to your arsenal.
If you’re curious about my other security recommendations when traveling, see this video, or watch this one that youtube thinks you’ll enjoy.
Bye yall!
