30 comments

[ 2.7 ms ] story [ 64.2 ms ] thread
Tech literate folks, especially authorities, need to be so careful with what they get the public scared of. Get people scared about reusing passwords or not setting up 2FA. Warning folks about fringe concerns like juice jacking does nothing to meaningfully improve the safety or privacy of the general public, it only serves to get clicks (scary new thing! find out!) and desensitize people to warnings about real threats.
This times a thousand. It’s still the low hanging fruit getting the average citizen and if we had proper controls we could mitigate a lot of the damage people feel from database leaks and account compromises.
Many 2FA implementations are user-hostile. I wouldn't blame the users.

IDK about Android, but iPhones are now randomly generating passwords and storing them in Keychain, which has its own user-friendly 2FA. Solves the password-sharing problem. There's also authentication via Apple. Yeah it's first-party proprietary stuff; there are third-party solutions too, but they're harder for regular people to deal with.

Point being you don’t see the federal agency announcements typically talking about basic solutions like that: you see them warning about edge case attacks like juice jacking.
Yeah, for some reason govt agencies in particular always pick weird things to warn people about. Security advice from the government is also questionable since they spy too.
Fear of this threat may be the thing keeping it from being a big deal. If nobody cared to protect against it was commonplace to use public USB ports to charge your phone, it would be much more attractive for attackers. On the other hand, just not using public USB outlets or keeping a charge-only cable in your bag are pretty cheap countermeasures. Most people charge their phone while they're sleeping so the AC adapter or special cable can stay in their bedroom/luggage/hotel room. It's really not a big deal.
Why would anyone want to use a grungy, slow charging public usb port and be stuck in some place for however long it takes to get frustrated that it isn't filling your phone fast enough?

Get a power bank. They are cheap and even the large ones weigh no more than a pound. They have enough juice to get any phone through a day or 2 of use. You bring it with you everywhere and you never have to think about the battery level in your phone. Notice it's low (single digit percent battery) while out and about, plug in the powerbank and carry on being out and about.

The idea that I would use a public charger attached to a garbage can that I would then need to sit next to for an hour is crazy.

I've only ever seen them in airports (where people frequently sit for an hour or more between flights) or in hotel rooms. I've never seen one on a trash can or somewhere that you wouldn't already be waiting for something.

A few years back there was a startup that had kiosks in grocery stores to charge while you shopped (locked into a little cubby hole), but those seem to have disappeared too.

Plenty of homeless people, tourists, people who’ve just been out too long on a single charge and need 5 minutes of juice to get them to their next destination, delivery workers. It’s a nice thing to make cities friendlier, along with things like free wifi, water fountains, benches, and restrooms.
I find USB ports in plane seats very convenient.

You're anyway stuck in your seat and chances are good that you're low on juice during a day of traveling.

Same goes for trains. Alas, they usually have power outlets.

Given that my boarding passes, train tickets and other vital information is on my phone having power is essential.

As a light traveller I don't want to schlepp an additional gadget.

To each his own, I suppose.

You need the victim to press "trust this computer" or similar on their phone display, unless you have a zero day vulnerability up your sleeve.

If you let the phone display the prompt, you might infect a couple people but somebody will soon tell the shop staff, or even the police.

If you have a zero day then you are probably targeting some particular people, let's say diplomats, protestors or attendees of an important international conference. The chances of the average person being a victim of these attacks because they charged their phone at a cafe are negligible.

> If nobody cared to protect against it was commonplace to use public USB ports to charge your phone

Many airports, planes, and other public areas have these USB charging ports. Either people are using them, or a lot of money is being spent for no reason.

It's more like, I ignore government orgs like the FCC giving warnings that involve tech in some way. I don't care if my phone says incoming missile strike, it's probably a false alarm, and I disabled those anyway.
Gotta help Apple sell expensive chargers and thwart EU legislation on USB standards.
With all due respect to Ars journalists (which can honestly result in very little respect for a few of them), when it comes to security I'm going to prefer Krebs' reporting on the matter.

While an incredibly uncommon mode of attack, it's hardly nonsense.

Krebs doesn't report on that kind of stuff, he has a different focus. Dan Goodin has been covering tech for decades and does a really good job.
The article quotes Snopes: "The (FCC) official, who requested anonymity, added that they had not seen any rise in instances of consumer complaints about juice-jacking.” And Krebs doesn't dispute this.
This is probably getting pedantic, but dismissing a risk as "nonsense" is how the general population forgets that certain risks exist. And this risk absolutely exists.

If you're a non-tech savvy but high-risk user who travels quite a bit, it's probably worth taking the precaution of using your own charger and cord. That way you don't have to worry about accidentally approving something on your phone that's going to hijack it.

I agree with not calling it nonsense. Makes this weirdly feel like a political info war with such extreme takes.
I'm more worried that the wall outputs the wrong voltage and kills my phone. Maybe an unfounded fear, but even if I trusted it, I'd still have to carry a travel charger in case there are no USB wall ports. So there's not much point in using the wall ones.
I've been using a "usb condom" for a while out of caution, but I don't worry about it if I manage to forget it while I'm on vacation. It's a pretty remote possibility, and only worth minimal worry.

I wouldn't say it's "nonsense", but it's also not worth worrying about, either. There are tons of these PSAs that are in that same category, and not just for tech stuff.

It might be more accurate to say something like

"Currently they're probably nothing to worry about, but in the future someone is likely to find a way to implement some kind of attack in these things at a scale that matters, so might as well as get in the habit of being careful now."

Just get yourself a charging cable that has no data pins/wires or a USB adapter with the same purpose if this is your concern.

As someone who rarely has a need for data connection while traveling this would be a real option.

I still wouldn't use random USB ports to charge my phones.
Yeah, even if juice jacking were impossible, you're still likely to get really crappy power that shortens your favorite device's lifespan. Cables without data pins (and I do have a few) don't solve that. My preferred solution is to plug a compact charger into an AC outlet. Alternatively, charge a $50 battery and then charge your $500 phone from that. Bring two if you want zero downtime. You'll still want something that's decent quality either way, but those aren't hard to find at reasonable prices.
Yeah, I've seen enough USB sockets providing voltage that fries most USB devices out there in my life to know better.
This article is full of contradictory information.

> it’s likely that viable juice jacking attacks are possible, but they’re largely out of reach for the vast majority of hackers

When is hacking such a specialized thing when there are tons of instructions on the darknet for these type of things?

> There are some major limitations, however, that make the O.MG Cable and similar hacking tools unsuitable for the kind of opportunistic juice jacking the FCC and FBI warnings envision. First, the script must be tailored to the specific model of hardware being attacked.

So target the largest common denominator? Even just 5 out of 1000 individuals compromised is a "good day", slurp up that data and sell on the darknet.

> That means it’s infeasible, if not impossible, to create a malicious charging station that could hack more than a very small number of phones in use today.

But a small number is some number. It doesn't matter if it's infeasible, just that it's possible. Target the largest base case - this being the Samsung Galaxies and specific iPhone/iOS versions.

> Additionally, the O.MG cable works only on Apple devices equipped with a USB-C connector.

Android, laptops, etc. Still viable attack vectors. As more and more devices move to USB-C (thanks to the EU) and more devices becoming slimmer - these charging stations are going to look like attractive targets. Surface Pro is now USB-C, and a number of laptops charge via USB-C.

> They create unneeded anxiety and inconvenience that run the risk of people simply giving up trying to be secure.

This is the "low hanging fruit". By conditioning the public to avoid these , they can eliminate this kind of attack almost entirely. It's kind of how we eliminated a large body of diseases by teaching people to wash their hands when they come and go from places. Good hygiene is still good hygiene.

I feel like Ars journalist want people to fall victim to these, just so they can write easy articles.