> Brian Markus is co-founder of Aries Security, and one of the researchers who originally showcased the threat from juice jacking at the 2011 DEFCON. Markus said he isn’t aware of any public accounts of juice jacking kiosks being found in the wild, and said he’s unsure what prompted the recent FBI alert.
Maybe the FBI came across some foreign actor that talked about doing this or maybe they did come across it in real life and we'll have to wait for some future trial/operation to learn about it (if ever).
Still that $180 USB cable is really interesting. Fortunately it's expensive, although it's designed for professional red teaming.
> “The FBI replied that its tweet was a ‘standard PSA-type post’ that stemmed from the FCC warning,” Snopes reported. “An FCC spokesperson told Snopes that the commission wanted to make sure that their advisory on “juice-jacking,” first issued in 2019 and later updated in 2021, was up-to-date so as to ensure ‘the consumers have the most up-to-date information.’ The official, who requested anonymity, added that they had not seen any rise in instances of consumer complaints about juice-jacking.”
Have any attacks surfaced which are effected only by manipulation of the power rails? I would think a charge only cable is sufficient to keep you safe.
USB-C has meant that cables have split into one paradigm with high power draw and low data transfer speed (for charging), and a separate paradigm with low power draw and high data transfer speed (for data transfer). You need to buy separate cables and then keep track of which is which, but, luckily for you, they have exactly the same connectors. It is not clear to me why this represents a technological advance over the ancient system of having separate power and data cables using different connectors.
On the other hand, you don't see power cables with no data transfer capabilities. For phones, the obvious solution would appear to be the fact that when you plug your phone into a power source that also has data capabilities, it defaults to "USB is for power only", and you'd have to manually switch it to data transfer if you actually wanted data transfer.
For laptops... how often do USB-C-charging laptops accept data through the charging port?
If you buy regular USB-C cables design for data they will charge exactly as fast as the USB-PD cables. UBS-PD is setup as a spec so companies can sell cheaper cables just for charging.
I just use a battery pack as a go between -- I never plug my phone directly into a public charger, I either use a tiny charge cube and plug into the wall (if I can find an outlet), or recharge a battery pack that I use to charge my phone.
Another advantage of the battery pack is that I'm a lot less worried about leaving a $15 battery pack unattended while I go pick up some food than my $500 phone.
All this assuming there didn't exist an exploitable firmware in your USB chargers and powerbanks, which could be used to spread a USB virus or install a payload.
they might have a resistor to indicate how much current is okay to draw, or they might be hooked up to a chip negotiating things like the voltage for the pd protocol, but usually it will be an asic that doesn't even really have firmware
The problem with buying stuff off Amazon is, we don’t know if the stuff itself is compromised[1][2]. I wish some well-known manufacturer would offer something like this.
If airport USB chargers aren't considered secure, that seems like it's own extremely serious problem that we should be taking drastic actions to remedy immediately. FFS.
From what I understand, a bad actor would need to physically interact with these charging stations. Sounds like a pretty severe breach of security to me that several agencies should be treating like an emergency. We are talking about spaces that are crawling with security and surveillance. If someone can plant a listening device like that, why can't they plant an explosive or biological weapon?
You're assuming the charging station isn't compromised to start with. A charging station with one of these tools would look basically the same as a normal charging station. One with a bomb or chemical weapon would look different.
It's a little confusing about airports specifically. Usually official airport usb stations are built into the furniture. They would have to take the thing apart to insert a device? I don't see an example in this article of an inconspicuous device for these types of ports
AC power lines don't have data lines, and even if they did the juice goes through a process to become DC 5V. It would be pretty tough to exploit a USB stack through a transformer and rectifier.
If the usb charger outlets being sent to a very federally regulated airports and installed without detection for many years are compromised at the factory, how am I to trust the USB charger I buy at a gas station or Amazon?
I think they meant, how you would know that your own charger is save, when they are malicious from the factory.
The answer to that question is to buy from a reputable seller/manufacturer or/and use a cable without data lines (for example Apple MagSafe).
People have been installing skimmers on atms and gaspumps and who knows what else in heavily recorded and busy places for ages. Airports have the benefit of being 24 hours and you can loiter there all you want if you're waiting for another flight.
As for the professional shampoo confiscators I wouldn't factor them at all.
edit: I like the assertion below, too, that the ports may just be factory compromised and unsafe from the start.
A sufficiently malicious, motivated, and suicidal (or misled) actor absolutely could use an explosive or biological weapon to attack an airport, essentially regardless of the on-premises security posture. For explosives, one would simply detonate their bomb IN the security line on a busy day. For biologicals, one would simply infect themselves first, then spend the day at the airport waiting for a plane. I continue to be baffled why we don't hear more of such attacks.
> We are talking about spaces that are crawling with security and surveillance
For some of these outlets, you need a screwdriver, a compromised replacement outlet, and 30 seconds. Maybe a friend and some luggage to block cameras.
I have no knowledge into the internal workings of airport security, but I doubt this is a threat they're worried about or looking for. No amount of cameras help with that.
Exactly. It's not like it would take compromising the vendor, or the service contract. The install can be a simple and quick swap.
The infeasiblity mostly seems targeting and monitization. You have no clue who or what will plug in, so it's barely useful for directed attacks. And actually getting value (intel or money) when all you know to expect is "a smartphone will connect" is quite hard.
For real, if I were to somehow conclude I'd been juice jacked at an airport, I would move mountains to go back and get ahold of that charger. I wouldn't wait three years and then drop an offhand HN comment that oh yeah, happened to me one time.
How would you get ahold of a 6 foot tall charging kiosk and what would you do with it or prove to someone at the airport that it was the culprit? Especially since the "juicer" could be s small skimmer overlaid on top of a legit charger that's been removed since you last used it.
Yeah, it's a real struggle that the evidence always disappears when I go back to look for it.
Or maybe I toss an orange maintenance vest in my carryon, put it on past security, and rip the fucker apart on the spot. It's hilarious that just below this is a long thread about the impossibility of stopping somebody from installing a tainted outlet. What's to stop me from uninstalling it?
Risk vs reward? Even if you find the right charge station and remove the juicer, your only reward for removing it is knowing that you're stopping someone else from getting juiced. But if you get caught, you face getting charged for vandalism or theft - and might even get blamed for installing it since you'll have it in your possession when you're caught. The value of a charging kiosk probably puts you in the realm of felony charges and maybe there's some upgrade of the charges for doing it within an airport secure zone.
Nothing is secure, an attack of this sophistication (exploiting the "juice" port) isn't even needed. Nowadays everything is wireless and uses Bluetooth LE. You can spoof a mac address of someones headphones and then let your device act as a keyboard and do a BadUSB attack over bluetooth.
I wondered the same thing recently. I'm pretty sure you have to explicitly trust any new device that's plugged in on both Android and iOS now. Isn't this kind of solved?
The person you are responding to is saying authorization isn’t always needed if they are exploiting a vulnerability.
The fact that you allow a data connection may be enough to zero-click you.
It’s like putting your computer on the internet and opening ports.
You might think you are fine if you are up-to-date, but the reality is we don’t know about all of the current vulnerabilities and potential buffer overflows until much later.
The person I responded to appeared to be confused that they never had to authorize a charger; I explained why that would be to be expected.
If what you said is indeed what they meant, then I'd respond that warning the general public of airport charging stations that have been tampered with by some powerful organization potentially burning 0days on randos is a tad overblown.
If you happen to be passing through an airport in a country where the government is known for engaging in mass surveillance activities, then you should take this advice very seriously, without any exceptions - you should always assume that your privacy is at risk of being violated or compromised.
It's a shame it's so hard to make a USB-C Power Delivery condom. The small nubber of USB C chipsets don't support it so anyone trying it is in for a ton of complicated implementation.
(PD uses the data lines to negotiate power capabilities and requests, so you can't just cut them. Instead you have to implement a little bidirectional firewall. I'd bet you could sell a lot of them, but probably not enough to justify the effort)
67 comments
[ 2.9 ms ] story [ 136 ms ] threadMaybe the FBI came across some foreign actor that talked about doing this or maybe they did come across it in real life and we'll have to wait for some future trial/operation to learn about it (if ever).
Still that $180 USB cable is really interesting. Fortunately it's expensive, although it's designed for professional red teaming.
> “The FBI replied that its tweet was a ‘standard PSA-type post’ that stemmed from the FCC warning,” Snopes reported. “An FCC spokesperson told Snopes that the commission wanted to make sure that their advisory on “juice-jacking,” first issued in 2019 and later updated in 2021, was up-to-date so as to ensure ‘the consumers have the most up-to-date information.’ The official, who requested anonymity, added that they had not seen any rise in instances of consumer complaints about juice-jacking.”
On the other hand, you don't see power cables with no data transfer capabilities. For phones, the obvious solution would appear to be the fact that when you plug your phone into a power source that also has data capabilities, it defaults to "USB is for power only", and you'd have to manually switch it to data transfer if you actually wanted data transfer.
For laptops... how often do USB-C-charging laptops accept data through the charging port?
To avoid this kind of problem, you need to add an adaptor or cable with the data pins disabled. https://www.amazon.com/dp/B082WDHS22/ref=vp_d_cpf-substitute...
Another advantage of the battery pack is that I'm a lot less worried about leaving a $15 battery pack unattended while I go pick up some food than my $500 phone.
https://www.amazon.com/dp/B082WDHS22/ref=vp_d_cpf-substitute...
[1] https://www.pcmag.com/news/android-tv-box-sold-on-amazon-com...
[2] https://youtu.be/1vpepaQ-VQQ (Youtube)
Of course, that depends on the data blocker itself not being compromised. :-)
Because you can't chemically detect a circuit based on its use case, but those two items have a low false-negative detection rate?
I've learned never to say never, but ...
If the usb charger outlets being sent to a very federally regulated airports and installed without detection for many years are compromised at the factory, how am I to trust the USB charger I buy at a gas station or Amazon?
As for the professional shampoo confiscators I wouldn't factor them at all.
edit: I like the assertion below, too, that the ports may just be factory compromised and unsafe from the start.
Because quiet infiltration is of more value than a violent attack.
For some of these outlets, you need a screwdriver, a compromised replacement outlet, and 30 seconds. Maybe a friend and some luggage to block cameras.
I have no knowledge into the internal workings of airport security, but I doubt this is a threat they're worried about or looking for. No amount of cameras help with that.
The infeasiblity mostly seems targeting and monitization. You have no clue who or what will plug in, so it's barely useful for directed attacks. And actually getting value (intel or money) when all you know to expect is "a smartphone will connect" is quite hard.
“Security” is not one big umbrella.
The specific people and organizations tasked with protecting air travel are not tasked with protecting the cell phones of the passengers traveling.
Or maybe I toss an orange maintenance vest in my carryon, put it on past security, and rip the fucker apart on the spot. It's hilarious that just below this is a long thread about the impossibility of stopping somebody from installing a tainted outlet. What's to stop me from uninstalling it?
Risk vs reward? Even if you find the right charge station and remove the juicer, your only reward for removing it is knowing that you're stopping someone else from getting juiced. But if you get caught, you face getting charged for vandalism or theft - and might even get blamed for installing it since you'll have it in your possession when you're caught. The value of a charging kiosk probably puts you in the realm of felony charges and maybe there's some upgrade of the charges for doing it within an airport secure zone.
The fact that you allow a data connection may be enough to zero-click you.
It’s like putting your computer on the internet and opening ports.
You might think you are fine if you are up-to-date, but the reality is we don’t know about all of the current vulnerabilities and potential buffer overflows until much later.
If what you said is indeed what they meant, then I'd respond that warning the general public of airport charging stations that have been tampered with by some powerful organization potentially burning 0days on randos is a tad overblown.
(PD uses the data lines to negotiate power capabilities and requests, so you can't just cut them. Instead you have to implement a little bidirectional firewall. I'd bet you could sell a lot of them, but probably not enough to justify the effort)
https://www.allaboutcircuits.com/technical-articles/introduc...