Beware of Juice-Jacking
In this age of everything and everywhere digital, more and more public places are providing conveniences for your laptop and smartphone.
Airports, hotels, and some shopping malls now provide free charging kiosks to charge up your laptop or smartphone, provided you have a USB cord.
But they are just another way you can get jacked!
These publicly-available devices could be configured to read most of the data on your phone, and perhaps even upload malware.
What Is Juice-Jacking?
Juice-Jacking: The illegal downloading of data from a smartphone while it is recharging at a free charging kiosk at an airport or other location.
Juice-Jacking was identified by Black Hat in 2013 as the #1 threat for identity theft and malware for mobile device users.
Regardless of the kind of smartphone you have (Android, iPhone, Blackberry, etc.) there is 1 common feature they all have – the power supply and the data stream pass over the same cable. Whether you’re using the now standard USB miniB connection, or Apple’s proprietary cables, it’s the same: the cable used to recharge the battery in your phone is the same cable used to transfer and sync your data.
With data and power on the same cable, this offers a way for a malicious user to gain access to your phone during the charging process. This process, leveraging the USB data/power cable to illegitimately access the phone’s data and/or inject malicious code onto the device, is what is referred to as “juice-jacking”.
Being “juice-jacked” could be a simple invasion of privacy, where your phone pairs with a computer concealed within the charging kiosk, and private information such as photos, contact information are transferred to the malicious device. Or, it could be an injection of malicious code onto your device.
At the 2011 DefCon (a massive hacker conference held each year in Las Vegas), at least 360 attendees plugged in their smartphones to a charging kiosk built by the same guys who run the infamous Wall of Sheep (a public shaming exercise at DefCon aimed at educating people about the dangers of sending email and other online communications over open wireless networks). The charging kiosk was built to educate the attendees about the potential perils of juicing up at random public kiosks. To attract passerby’s, the kiosk was equipped with a variety of charging cables to fit most popular wireless devices. When no device was connected, the LCD screen on the kiosk displayed a blue image and “Free Cell Phone Charging Kiosk”. When a device was plugged in, the LCD screen changed to display a red warning sign reading:
You should not trust public kiosks with your smart phone. Information can be retrieved or downloaded without your consent. Luckily for you, this station has taken the ethical route and your data is safe. Enjoy the free charge!”
Brian Markus explained the motivation behind the experiment:
We’d been talking about how dangerous these charging stations could be. Most smartphones are configured to just connect and dump off data. Anyone who had an inclination to, could put a system inside one of these kiosks that when someone connects their phone, can suck down all of the photos and data, or write malware to the device.”
One attendee was so shocked by the kiosk that he sent an email to everyone in his company stating they were now required to bring power cables and/or extra batteries on travel, and no longer allowed to use charging kiosks for smart devices in open public areas.
What’s The Safest Way to Charge?
The safest way to charge your device, in and out of the workplace/home, is to use the supplied power cord that plugs into a regular electrical outlet.
If you absolutely have to use a random charging kiosk, completely power off your device before you plug into the kiosk. However, this only help to prevent data transfer on a small number of devices.
What Does This Mean To Me?
In recent years, there have been many, much more malicious, malware and viruses released. Cyber attacks are on the rise. Estimates show that CyberCriminals release 3.5 new threats targeting small and medium businesses every second.
Small businesses are now the target of 31% of all cyber-attacks.
There are approximately 5 cyber attacks every second.
29% of small businesses have experienced a computer-based attack that affected their reputations, involved theft of business information, resulted in loss of customers, or experienced network and/or data centre downtime.
In 60% of cases of cyber attacks, attackers are able to compromise a business within minutes.
Businesses need to educate their employees, and block malicious attacks before mobile malware enters its system through infected devices. Businesses must ensure network layer Data Leakage Prevention (DLP) to prevent the outflow of user/corporate data.
23% of recipients still open phishing emails.
11% of recipients click on the attachments.
Businesses are still slow to install software patches.
An overwhelming majority of cyber attacks exploited known vulnerabilities, where the patch had been available for months prior to the breach!
68% of security breaches took months or years to discover.
69% of breaches were discovered by an external party.
You can’t stop CyberCriminals from targeting you.
But you can be prepared for their arrival, and have full shields up.