The days are now shorter, and the holiday season is upon us. Many of us have travel booked to bring our family together and will soon be sitting uncomfortably in the halls of airline terminals. Desperate to escape the monotony of an international waiting room, we will sit transfixed by our mobile devices. Breaking our mobile-mindfulness, zen-like state, an alert graces the screen: 15% battery life remaining.
Looking up from our internet stupor, we search the airport terminal and see a beacon of hope: a mobile charging station. We gather our belongings and join the masses huddled around the ominous obelisk, providing their devices with a USB-based IV.
The above scenario plays out across the world at airports and travel hubs, but it harbors a risk most do not think about: juice jacking. The term was first coined, and the attack first showcased, back in 2011. Since then it has had a history of sporadic journalistic coverage that has rarely been accurate. I'm writing this article to help you understand the history and origins of juice jacking, and what risks should be on your mind before you plug your devices into an unknown USB port to charge.
A quick introduction may help solidify the author’s authority and intention here. I am one of the original researchers who built the first malicious mobile charging kiosk and released it along with the Wall of Sheep back in 2011, and I helped discover and release the video-jacking attack in 2016. I’ve kept a close eye on juice jacking over the years, for personal (not financial) interest only, and am always glad to spread knowledge or discredit some FUD around this attack.
So let’s get into the origin story:
It was a hot July 4th in Southern California, and hackers and friends were gathering for a celebration of the US holiday. Over drinks and our depleted phone batteries, we discussed the risks of using the convenient USB port on the host’s computer to charge our devices. In short order, this discussion led to what became a malicious charging kiosk released at the Wall of Sheep during DEF CON just a month later.
This whole idea would not have existed, had it not been for a dead phone battery.
Our plan was simple: allow devices to charge and do no harm, but use the kiosk as a public service announcement on the dangers. We ultimately decided that the kiosk, when no devices were plugged in, would show a screen saying “Free Charge!”. Then, when we detected a USB device plugged in to the kiosk, it would swap that “Free Charge!” message for a red warning page informing the user of the risks.
The free charge kiosk beat out another initial idea that barely made it past the PoC phase: a destructive device scenario where we would pipe 110v AC directly to a sacrificial phone. Personally, I’m glad we didn’t go down that route.
A month later, we held our breath as we placed the finished kiosk in, of all places, the Wall of Sheep! This is a venue at DEF CON named for exposing people who do not practice basic security hygiene (originally by posting on a wall, hence the “wall of” part, the account names people inadvertently used to log in to services over insecure connections; but that history is another story in itself). We were not sure that anyone would use such a shoddy-looking charging kiosk, placed in a room whose purpose is to expose insecure behaviors.
That uncertainty washed away almost immediately. Over the course of DEF CON 2011, hundreds of people flocked to the free charging kiosk. Obviously, the public, even those who attend “hacker” conferences, had no idea of, or concern about, the risks associated with charging mobile devices at random kiosks.
Risks back in 2011 were much higher than they are today in 2019. Most phones (iPhone and Android alike) allowed full access to the phone’s internal storage over USB, with no authorization. Attacks would have included data exfiltration and a joke attack I wrote that uploaded images from /r/misleadingthumbnails onto the devices. Face it, it’s more fun to play a joke on someone than to exfiltrate their data.
That year, mobile phone providers patched the above threat and began notifying users before allowing devices to be mounted as a USB drive.
The following year, 2012, security researcher Kyle Osborn formulated an attack that capitalized on the USB OTG (On-The-Go) features in phones. Kyle created a proof-of-concept cable (called the Kos Cable) which, used together with tools installable on any Android phone, would allow one phone to target and attack a second phone over USB. Kyle called this research, which had valid purposes beyond attacks, P2P-ADB (phone to phone Android Debug Bridge), and it was featured on an episode of Hak5.
In February 2013, Android released version 4.2.2, which includes a whitelist for the USB debug bridge, requiring the user to approve new computers before they’re allowed to access the debug bridge.
In August 2013, researchers from the Georgia Institute of Technology presented their findings, which they called “Mactans”, at Black Hat Vegas. They combined an unreleased exploit against iPhone devices with a microcomputer that they fit inside a USB wall wart (or power brick) to perform the attack.
Apple released a patch in short order to address the vulnerability disclosed in this Black Hat talk.
On the five-year anniversary of juice jacking, the researchers at the Wall of Sheep released a “Video Jacking” demonstration booth. Utilizing a feature that mirrors the phone’s screen over HDMI-USB (SlimPort, MHL or iPhone’s Lightning cables), the shepherds at the Wall of Sheep showed they could see (and record) your screen while you are charging. Combined with the visual feedback that lock screens and keyboards give on what is being tapped, this attack can be used to steal passwords or lock screen codes you type while your device is connected to the video-jacking booth.
Video jacking, while a lower risk than the original 2011 full storage access, has never really been fully addressed by many vendors. This USB to HDMI screen mirroring is considered a feature. To this day, many phones will mirror their screen over HDMI-USB, without user notification or intervention.
In 2018, researchers at the Florida Institute for Cyber Research presented, at the 27th USENIX Security Symposium, multiple vulnerabilities they had uncovered that relied on a set of old modem commands which happened to be accessible over the USB stack. Their PoC showed that, with no user intervention, they were able to target a phone over USB and unlock or take full control of the device. Since modem commands start with AT as the first two characters, they dubbed their attack ATtention Spanned, and created a website to catalog these loosely documented modem commands at atcommands.org.
Vendors affected by exposing modem (AT) commands over USB all quickly addressed this matter after receiving notification from the above researchers.
Earlier this year, 2019, the final compaction in juice jacking was achieved by a researcher who goes by MG. MG released their O.MG cable, which hides a microchip inside the USB-C cable itself. The attacker can remotely activate the O.MG cable and have it act as a USB HID (human interface device, i.e. mouse and keyboard) on any system the cable is plugged in to.
Now we arrive at today. You may find yourself bored and low on power. I implore you to think twice before charging your device directly at a USB wall jack of unknown origins. However, honestly speaking, short of new 0days being found or your phone being terribly out of date, the highest risk is that the attackers could record your screen and act like a USB HID (keyboard and mouse) and run commands once you unlock your phone. Perhaps, in a rare likelihood, an anarchist could even fry your phone.
So, ask yourself if the charge is worth the risk and remember: there are no confirmed reported cases of this happening in the wild. The only place I know where you can find a malicious charging kiosk is the Wall of Sheep.
Risk analysis aside, the holidays are a time to be joyful and happy, spending time with friends and family, catching up and actually talking to each other. The travel part can be stressful enough, so remember to pack your own power supply (or backup battery). If you find you forgot them in your checked bag, or left them at home ... then let your phone's battery hit 0% and spend your time with the loved ones you’re supposed to be spending time with instead.