KrebsOnSecurity obtained a pleasant bump in visitors this week because of tweets from the Federal Bureau of Investigation (FBI) and the Federal Communications Commission (FCC) about “juice jacking,” a time period first coined right here in 2011 to explain a possible menace of knowledge theft when one plugs their cellular gadget right into a public charging kiosk. It stays unclear what might have prompted the alerts, however the excellent news is that there are some pretty basic items you are able to do to keep away from having to fret about juice jacking.
On April 6, 2023, the FBI’s Denver workplace issued a warning about juice jacking in a tweet.
“Avoid using free charging stations in airports, hotels or shopping centers,” the FBI’s Denver workplace warned. “Bad actors have figured out ways to use public USB ports to introduce malware and monitoring software onto devices. Carry your own charger and USB cord and use an electrical outlet instead.”
Five days later, the Federal Communications Commission (FCC) issued an identical warning. “Think twice before using public charging stations,” the FCC tweeted. “Hackers could be waiting to gain access to your personal information by installing malware and monitoring software to your devices. This scam is referred to as juice jacking.”
The FCC tweet additionally supplied a hyperlink to the company’s consciousness web page on juice jacking, which was initially revealed upfront of the Thanksgiving Holiday in 2019 however was up to date in 2021 after which once more shortly after the FBI’s tweet was picked up by the information media. The alerts had been so broadly and breathlessly coated within the press {that a} point out of juice jacking even made it into this week’s Late Late Show with James Corden.
The time period juice jacking crept into the collective paranoia of gadget geeks in the summertime of 2011, because of the headline for a narrative right here about researchers on the DEFCON hacker conference in Vegas who’d arrange a cellular charging station designed to teach the unwary to the fact that many cellular units linked to a pc would sync their knowledge by default.
Since then, Apple, Google and different cellular gadget makers have modified the best way their {hardware} and software program works in order that their units now not robotically sync knowledge when one plugs them into a pc with a USB charging cable. Instead, customers are offered with a immediate asking in the event that they want to belief a linked laptop earlier than any knowledge switch can happen.
On the opposite hand, the know-how wanted to conduct a sneaky juice jacking assault has turn into way more miniaturized, accessible and low cost. And there are actually a number of merchandise anybody should buy which are custom-built to allow juice jacking assaults.
Probably the most effective identified instance is the OMG cable, a $180 hacking gadget made for skilled penetration testers that appears kind of like an Apple or generic USB charging cable. But contained in the OMG cable is a tiny reminiscence chip and a Wi-Fi transmitter that creates a Wi-Fi hotspot, to which the attacker can remotely join utilizing a smartphone app and run instructions on the gadget.
The $180 “OMG cable.” Image: hak5.org.
Brian Markus is co-founder of Aries Security, and one of many researchers who initially showcased the menace from juice jacking on the 2011 DEFCON. Markus mentioned he isn’t conscious of any public accounts of juice jacking kiosks being discovered within the wild, and mentioned he’s not sure what prompted the current FBI alert.
But Markus mentioned juice jacking remains to be a threat as a result of it’s far simpler and cheaper today for would-be attackers to supply and construct the mandatory gear.
“Since then, the technology and components have become much smaller and very easy to build, which puts this in the hands of less sophisticated threat actors,” Markus mentioned. “Also, you can now buy all this stuff over the counter. I think the risk is possibly higher now than it was a decade ago, because a much larger population of people can now pull this off easily.”
How severely ought to we take the current FBI warning? An investigation by the myth-busting web site Snopes suggests the FBI tweet was only a public service announcement based mostly on a dated advisory. Snopes reached out to each the FBI and the FCC to request knowledge about how widespread the specter of juice jacking is in 2023.
“The FBI replied that its tweet was a ‘standard PSA-type post’ that stemmed from the FCC warning,” Snopes reported. “An FCC spokesperson told Snopes that the commission wanted to make sure that their advisory on “juice-jacking,” first issued in 2019 and later up to date in 2021, was up-to-date in order to make sure ‘the consumers have the most up-to-date information.’ The official, who requested anonymity, added that they’d not seen any rise in cases of shopper complaints about juice-jacking.”
What are you able to do to keep away from juice jacking? Bring your personal gear. A basic rule of thumb in safety is that if an adversary has bodily entry to your gadget, you’ll be able to now not belief the safety or integrity of that gadget. This additionally goes for issues that plug into your units.
Juice jacking isn’t attainable if a tool is charged by way of a trusted AC adapter, battery backup gadget, or by a USB cable with solely energy wires and no knowledge wires current. If you lack this stuff in a bind and nonetheless want to make use of a public charging kiosk or random laptop, at the least energy your gadget off earlier than plugging it in.