You wouldn’t trust a stranger, so why would you trust a strange outlet? This holiday season, there’s a new digital STD spreading around by USB and a cyber-security threat that steals your personally identifiable information from your devices
It’s the product of a habit by which we have all been guilty of potentially exposing ourselves to—using self-charging USB-charging stations. And it’s one where a legal remedy may not be a viable option—because at the end of the day, who are you going to sue?
“Juice Jacking,” is when criminals use public USB-charging stations to steal information of unsuspecting users that are stored on their phones and other electronic devices.
Coined by cyber-security expert, Brian Krebs back in 2011 at DEF CON, “juice jacking” was a proof of concept conducted at the event, whereby users plugged their phones into a free, public-USB charging station and got something more than just a charge—they saw the following message:
“You should not trust public kiosks with your smart phone. Information can be retrieved or downloaded without your consent. Luckily for you, this station has taken the ethical route and your data is safe. Enjoy the free charge!”
For those of you who travel frequently, especially those attending January’s Consumer Electronic Show (CES) in Las Vegas, Nevada, this is definitely some advice you should pay attention to, as more and more charging stations are popping up in airports, shopping malls, coffee shops, and even tech conferences.
The city of Los Angeles County is one of the first cities to identify the threat, with its district attorney (DA) informing consumers through social media and an instructional video on its website.
How It Works
With each passing day, technology grows increasingly more advanced and complex. You’re either on it or you’re falling victim to it.
Juice Jacking occurs when a black hatter loads malware into one of the charging stations, or onto one of the charging cables, which ultimately infects your device. And if you are already thinking that your iPhone is immune to such an attack, you’re living in Y2K and need to get caught up 20-years.
Once your device is infected, the malware then executes a code, which forwards your information to the criminal(s), which presents a high risk of your personal identity and financial information being stolen and probably ending up somewhere on the dark web.
Like credit card skimmers that have been the hot topic of conversation this year surrounding ATMs and gas pumps, Juice Jacking operates in quite the same manner.
The malware has the potential to lock your phone or device, send private information, including your passwords, addresses, or even a full backup of the phone to criminals.
“It loads itself into the phone and can either monitor the phone in real time, sometimes download information from the phone, sometimes clone the phone completely and you don’t even have to be using it,” said Deputy District Attorney Luke Sisak.
How Does USB-Charging Work?
Most of us may depict a USB port to simply operate as a ‘power socket’ of sorts—this is wrong. It’s much more than a power socket, instead operating as a data hub where data and filed are being transferred back and forth between two systems.
A USB-connector has five pins—only one of those pins actually is required to charge the receiving end, while the other two are used for data transfers. The other three…ha, well use your imagination.
Unless you have changed your device’s default settings, the data transfer mode, according to Malwarebytes Labs, is disabled, allowing for power to supplied by the visible connection. In simpler terms, anytime you connect your device to a USB port to charge, data could be flowing at any moment.
Types of Juice Jacking
So, what kinds of ‘juice jacking’ attacks are spreading through the market?
- Data theft—while the device charges, your data is being drained, stolen, and/or mirrored and sent to another (receiving) device; and
- Malware installation—requiring only a physical connection, malware is immediately dropped onto the connected device the moment a connection is established, until detected and removed by the device’s user. This is much more common on Android and Windows-based operating systems.
What You Can Do to Prevent an Attack
Well, first, congratulate yourself on finding this article because self-education is always the first and most rewarding step. Always be prepared, because an attack will come, it’s just a matter of when.
The holiday season is extremely profitable for black-hatters and other cyber-criminals, because it’s an easy time to pray on the average consumer—it’s the one time during the year that bank accounts are being utilized the most, with credit card swipes happening hundreds of thousands of times per day.
So, this holiday season, here’s what you should be doing instead of plugging into one of those free-USB stations:
#1—If You Insist on Traveling, Buy a “USB Condom”
USB condoms, or USB adaptors allow for a power transfer (charge only), but do not connect the data transfer pins of the USB port. You can always attach these to your charging cable, so we don’t start spreading digital diseases to one another.
#2—If You Insist on Traveling, Buy a Portable Battery/Brick Charger
There’s nothing wrong with purchasing those portable battery charging packs, especially if you’re running around tech conferences and airports. So, don’t be cheap and spend the $150 to buy a decent, slim battery pack.
#3—God Forbid You Use an Actual Power Outlet
Yes, that requires you to carry an AC adapter and charger around with you—I know, a pain in the ass, but hey, safety should trump convenience.
Don’t play into my homage of convenience trumping privacy—despite its veracity.
#4—Finders Keepers: Left-Behind Charging Cables
You think you just scored a brand-new cable—but in reality, you may have just brought in a sexual STD.
Last year, Forbes’ Zak Doffman reported on the OMG Lightning cables, where individuals are able to re-work a cable and insert malicious software and tech to it. Doffman is back again with his latest piece identifying two risk areas associated with juice jacking: the charging socket and the cable itself:
If you come across a normal power socket and use an adapter plug and a cable you own yourself, Doffman advises, then you are safe.
“There is no means by which an attacker can bypass the physical properties of the hardware to extract data from or plant malware on your device,” he stated.
As for the charging cable, the cable itself can be the threat and weapon, “Regardless of whether it is plugged into a USB socket or a power adapter.”
Compare this to the “lost USB stick” in the parking lot you pick up and stupidly plug into your computer—you never know what’s on that device.
#5—Check Your Phone’s Settings
Every phone differs but check the settings on your device and see if there is an option where you can “disable data transfers.” You never know, you could save your device’s life.