Juice-Jacking


You’ve just made it through TSA airport security and are headed to your gate. You notice that your smartphone needs charging so you can binge-watch all those movies on your long flight. But as you search for your phone charger cord, panic suddenly sets in! You realize that you left it at home. And you’re not about to spend $20 at one of those airport stores for a cheap phone charger cord that you can buy online for $7. But the last thing you want to do is spend the entire flight reading an in-flight magazine while you listen to the person sitting next to you talk for three hours about swimming with the dolphins on their latest vacation.

What can you do?

You could hunt for two lemons and some galvanized and steel nails to build your own phone charger (yes, you really can). But just imagine what TSA would think when they see you building something like that.

But look! There’s one of those free quick-charge cell phone charging stations over there. You rush over and see just the cable you need dangling free. It’s just inviting you to plug in your phone to charge it. Problem solved! You smile to yourself that soon you’ll be all charged up and ready to go.

What could possibly go wrong?

The answer is “juice-jacking.”

In a recent interview with Forbes, Caleb Barlow, Vice President of X-Force Threat Intelligence at IBM Security, warned that their research shows a growing number of nation-state cybercriminals are taking to airports and training their sights on travelers. In fact, the transportation industry is now the second-most attacked industry, up from tenth place in 2017. Why? It’s because travelers carry a “goldmine of data” (passports, payment information, and detailed travel itineraries, to name a few) that threat actors want to get their hands on.

Barlow also raised a warning about those free quick-charge cell phone charging stations that are common in airports. These same cybercriminals could modify the USB connections of these charging stations. How? On a bigger scale, they could infiltrate the supply chain as these devices are being built and insert their malware (that has happened before). Or they could just insert a tiny device between the end of the legitimate cable and the connection for a smartphone (another common trick). However they do it, the attackers could then exfiltrate data from your smartphone (download contact lists, photos, text messages, emails, corporate documents that you have downloaded, etc.) or infiltrate it (upload and install malware onto your phone).

Barlow puts it this way: “Plugging into a public USB port is kind of like finding a toothbrush on the side of the road and deciding to stick it in your mouth. You have no idea where that thing has been” (and doesn’t that leave you with a mental picture that you would soon like to forget!).

In the security world this is called juice-jacking.

Here’s the technical backstory. At one time there were dedicated charging ports on our smartphones that required us to plug in a special phone charger that connected to a wall electrical power outlet. Those days are long gone. Today smartphones have USB ports that double as data ports and charging ports. By plugging your phone into that airport charging station, you may get not only electrical current to your phone but also unwanted malware coming in or your personal data going out.

Some Devices That Can Help

There are small devices that look like a USB flash drive that you can insert between a portable device and the charging port. These devices block the USB data pin connections so that only power can go to the device. They have names like the Juice-Jack Defenders and SyncStop and usually cost between $7 and $12. They are commonly used to help prevent an infected USB flash drive from infecting a computer (or vice versa). However, these devices have “full size” USB connectors (USB-A) and not the Mini-USB or Micro-USB connections that are found on smartphones. Thus, they wouldn’t work for protecting your smartphone from an infected cell phone charging station.

There are a couple of options. You could purchase a cable that connects to your smartphone on one end and to a wall power outlet on the other end so that you could charge your smartphone directly from the wall outlet. Unfortunately, an available wall power outlet is sometimes hard to find at a busy airport.

Perhaps the best solution is to purchase a portable power bank, which is essentially a battery that you charge and then carry with you to charge a smartphone. You will probably want a 2.4 amp / 12 watt / 15k mAh device. This can charge a single smartphone quickly and up to five times before the power bank itself must be recharged.

Whichever of these options you decide upon, you might consider just leaving it with your luggage in the closet. That way you won’t forget it the next time you leave home.

But how serious is this risk? Well, the risk is certainly there, albeit fairly small for now. But as attacks against travelers become more frequent, we may see more of these attacks occurring, so protecting ourselves is certainly not a bad idea.

(And thanks to Danielle Klahr, Cengage Product Specialist, for bringing this to my attention)

 
