Juice-Jacking – What is it, and how can I protect myself?
We’ve all been there – we’re out and about, going about our daily lives, be it at the airport, out at a remote office for work, or even at Starbucks. Looking at your phone, you see you’re down to 2%. “YIKES!” is the most common internal thought in that circumstance. You happen to notice a convenient public charger, and the charger happens to match your phone! In a few minutes, you have enough juice in your phone to get you through for a while, until your next stop. Whew, right?
So what’s the big deal here?
Cell phones, as much of a pain as they can be, have made life so convenient for us all. Not only can we stay in touch with the people we hold most dear – but these days, we can even shop online, pay bills, and conduct business, all from a handheld device that, just twenty years ago, would have seemed almost unthinkable.
But, with great convenience comes great risk. The amount of information that cell phones hold today, compared to even just ten years ago, has increased exponentially – not only in storage ability, but simply through how much we use them. We now bank on our phones. We now buy stuff on our phones. Itinerant workers now often work through their phones. We sign documents on our phones. We have our credit card payments, thanks to NFC, all on our phones. They now even hold biometric information, thanks to fingerprint unlocking. This is a *lot* of data to be held on a single device – and that doesn’t even count the more irreplaceable things, such as recordings of loved ones, pictures, and the like. So, it’s pretty safe to say that the average person would find it devastating to have this data fall into the wrong hands.
Enter… juice-jacking.
Juice-jacking is a kind of exfiltration attack, where a bad actor uses what appears to be a public (or otherwise trusted) charger to attack the victim. When the unsuspecting victim plugs their cell phone into what looks like an innocuous charger, the device actually contains a small computer that is designed to interface with the phone via the USB cable, and remove and store, or remove and forward, any information it encounters – be it pictures, text messages, call logs, passwords, browser history, credit card numbers, biometric data (i.e., fingerprints) – virtually anything it can get to. The end goal of this isn’t always the same. The bad actor in one circumstance may simply be looking for credit card information to conduct fraud. Another may be looking for login information to make purchases using your information. Another may be looking to extract information for sale to data brokers on the dark web. Another may simply be acting for perverse pleasure, or worse, looking for an easy mark for stalking.
While it is a complicated thing to perform, its execution is relatively simple – it’s a modern play on a social engineering concept called the ‘confidence trick.’ Trusting that a charger is in a public, reputable location, with not a computer in sight, a victim (either through trust, or a simple lack of understanding) plugs their device in, expecting to simply get a charge. What they have actually done, in a juice-jacking attack, is give a bad actor access to their phone.
So, what can I do to protect myself? Occasionally, I do *need* access to a public charger.
The most effective way to get around this issue – don’t use public chargers. Even chargers that are in reputable locations, such as a coffee shop or an airport, could be modified into juice-jacking devices with little to no external difference – so even the owners of the original charger would likely be oblivious to it. Some people need to be able to keep their devices charged at (almost…) all costs. In situations where a public charger absolutely must be used, a cable extender that sits between the charger and the phone can be utilized, in which the wires that carry the data are severed, so the cable is only capable of delivering power. So, even in a circumstance where a juice-jacking attempt could happen, the attack is rendered useless, because the cable is incapable of transmitting data – only power.
SPY OPS does have utilities to keep juice-jacking from happening to you. Its isolation devices keep this kind of attack at bay, blocking any exfiltration attempts by not allowing data to flow through the cable at all. Stop into the shop or give us a call at 248-569-6831, should you have any questions here. With data becoming the cash cow of both legal and illegal brokers, new and inventive ways to extract anything and everything from your devices, your web presence, and simply from living your life are becoming more and more prevalent. By arming yourself with knowledge, you can work to isolate yourself from bad actors looking to profit from you, directly or indirectly, and protect yourself against cyberstalking and even potentially extortion using your private data.
Knowledge is power.