
Technology Support For San Diego Since 1996


Mobile device security is often a kind of black box: problems with software come up and then the company that makes your operating system or manufactures your phone sends updates to fix the problems (when they want to). While software security is super important, a different kind of threat is lurking out in the world: when an attacker sets up an illegitimate power charger in public or shared places for the sake of having access to your device. Today, we’ll take a look at juice jacking and the threat that charging your phone in public could pose.

A higher demand for power availability

Typically, when someone compromises your desktop or mobile device, they do it remotely (through your network connection) and not physically (by sitting down at your computer). Being connected to “the internet”—in quotes here, since the internet isn’t really a thing, but rather a way of connecting to various computers throughout the world, including yours and mine—has its own inherent risk: remote attacks.

Your phone, as a network-connected, wirelessly communicating device, is also at risk of these types of compromise. But as a mobile device, its portability introduces different security concerns related to moving it from place to place, charging the battery, and using it for things you might not use a desktop for. Because of that portability, you might need to use a public or shared network from time to time when you’re out in public; when you do, you need the added security layer of a privacy-oriented VPN to hide your traffic from the network itself.

You could avoid using networks that are public and rely instead on your 5G connection exclusively, but what if your device is consuming more battery after some use and you need to charge it on the go? Since your device is often used as an authenticator today, it qualifies as something that is always supposed to be in your possession. This additional security makes a lot of sense, but it means that our devices need to be accessible (on your person) and usable (charged) all the time. Since everyone has a device that needs to be charged, chargers in public have increased—many of which are intended for you to plug in your own USB cable to a port in a wall.

Wired hacks still require a user error

This change is a big win for a certain kind of attacker: what if you could just plug a cable into the device and access it that way? That’s exactly what some bad actors do with charging outlets in public places: airports, coffee shops, hotels, cars… anywhere that someone would possibly need to recharge their phone while out-and-about.

When a modern mobile device (both Android and iOS) is plugged into a device that wants to access the file system, there are warnings that pop up and settings that govern how a device on the other end of the cable can connect. On Android, for example, when you plug into a device that can copy files, a notification appears that you can tap to configure file transfer. It’s a pretty good way to stop juice jacking, since the default is only to allow charging, but if you were to simply slip when the dialog comes up and click through the notifications, the device you’re plugged into will now have access to your files when your screen is unlocked.

While it’s a big problem to have an attacker access or copy your files, it’s a bigger problem for them to load malware onto your device. This can grant them remote access to your device after you’ve disconnected the power cable and have moved on to the next leg of your travels. This type of persistent threat is devastating, since it allows an attacker to spy on your credentials, steal financial information, or encrypt and hold your data hostage.

A few simple solutions

If you’re concerned about this type of attack, a specialized, physical device called a “USB blocker” can be used, which makes sure that the port is only being used for power transfer and not for data transfer. These devices are inexpensive and help give you peace of mind if you need to plug your phone into an outlet on an Uber ride or a flight, in a coffee shop, etc. Just make sure that you trust the company that has manufactured it!

What’s in question here isn’t available power sources, but rather, the USB connector in a wall or a car. If you plug in your own AC adapter, it should eliminate the risk of charging in public. Another solution is to buy charging cables that are specifically only capable of transmitting power. You can test whether a cable is only for charging by plugging your phone into your desktop or laptop: if it doesn’t give you the option to turn on file transfers, it’s most likely a power-only cable. That isn’t exactly proof, though, and it’d be better to use the USB blocker if you’re concerned.
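
The cable test described above can be made stricter on a Linux host by checking whether the phone enumerates on the USB bus at all, instead of waiting for a file-transfer prompt. This is an added example, not part of the original article; it assumes Linux sysfs under /sys/bus/usb/devices, and the demo tree, the aaaa:bbbb IDs and the function names are constructed for illustration.

```python
import os, tempfile

# USB-IF interface class codes that mean a data path is offered to the host.
DATA_CLASSES = {"02": "communications", "03": "HID", "06": "still image (PTP/MTP)",
                "08": "mass storage", "0a": "CDC data", "ff": "vendor specific"}

def _read(path):
    with open(path) as f:
        return f.read().strip()

def snapshot(root="/sys/bus/usb/devices"):
    """Return {sysfs name: (vid:pid, interface classes)} for enumerated devices."""
    names = os.listdir(root)
    devs = {}
    for name in names:
        vid = os.path.join(root, name, "idVendor")
        if ":" in name or not os.path.isfile(vid):
            continue  # names containing ':' are interfaces, read below
        ident = _read(vid) + ":" + _read(os.path.join(root, name, "idProduct"))
        classes = sorted(_read(os.path.join(root, n, "bInterfaceClass"))
                         for n in names if n.startswith(name + ":"))
        devs[name] = (ident, classes)
    return devs

def assess(before, after):
    """Compare snapshots taken before and after plugging the phone in."""
    new = {k: v for k, v in after.items() if k not in before}
    if not new:
        return "no enumeration: no data path through this cable or blocker"
    found = sorted({DATA_CLASSES.get(c, "class " + c) for _, cls in new.values() for c in cls})
    return "DATA PATH PRESENT: " + ", ".join(found or ["device enumerated"])

def make_tree(devices):
    """Build a constructed sysfs-like tree for the demo: {name: {file: value}}."""
    root = tempfile.mkdtemp()
    for name, files in devices.items():
        os.makedirs(os.path.join(root, name))
        for fname, value in files.items():
            with open(os.path.join(root, name, fname), "w") as f:
                f.write(value + "\n")
    return root

if __name__ == "__main__":
    hub = {"usb1": {"idVendor": "1d6b", "idProduct": "0002"}}  # root hub
    phone = {"1-1": {"idVendor": "aaaa", "idProduct": "bbbb"},  # constructed IDs
             "1-1:1.0": {"bInterfaceClass": "06"}}
    before = snapshot(make_tree(hub))
    print(assess(before, snapshot(make_tree(hub))))               # charge-only
    print(assess(before, snapshot(make_tree({**hub, **phone}))))  # data cable
```

On a real Linux host, call snapshot() with its default path before and after plugging in, and run it once with a known data cable and the phone unlocked so that a "no enumeration" result can be attributed to the cable or blocker and not to the phone.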

Notice, though, that avoiding public charging stations isn’t as simple a solution, since we don’t always know how things will go from moment to moment. With juice jacking attacks, a little preparation for the unexpected goes a long way to keeping your devices secure.

-Written by Derek Jeppsen on Behalf of Sean Goss and Crown Computers Team