Juice Jacking

 

Concepts - USB as a charge port

The concept is simple: leading smart phones on the market have been designed to use the same port for charging the phone and for data transfer. This opens the opportunity to trick a user in need of a charge into exposing their phone's data port. The attack encompasses many facets of information security, including security design, user awareness, attacks against system design/code, as well as a bit of social engineering.

Information security is all about risk analysis. One standard to quantify this risk is Risk = Vulnerability * Exposure. Vulnerability can be considered leaving your car unlocked; Exposure is when the thief identifies this and opens the door. Your risk factor will increase if either factor is changed (e.g., you left your car door unlocked with the keys inside, or you leave your car unattended in a public parking lot vs. your home garage).

With juice jacking, the vulnerability or attack vector is the phone's USB port; the exposure factor depends on the user's awareness of this possible attack method and their phone's battery life. When these two factors come together and the unsuspecting user plugs their phone into a malicious system, the attack is able to take place. In an age where business executives travel regularly and depend on access to their phones to respond to emails, check their schedule, etc. (basic work functionality), this vector may come up more often than people presume.

Luckily, this attack is entirely theoretical. There is no reason to presume the kiosks filling airports are inherently malicious. The proof of concept exists though, which is why it's a concern and a defense should be put in place. Options for defending against this possible attack are easy, and can be approached from many angles.

 

Below is an example of what our first proof of concept looked like in action.

 

Hardware

A number of factors were taken in consideration for the initial build. Some of these were: realism, weight/portability, physical security, power needs (power drawn, backup power, etc.), and of course cost.

Realism Considerations:

Originally we considered building an exact duplicate of one of the more mainstream kiosks; however, we decided against it for a number of reasons. One of the goals of the project was to do no harm while proving our theory. We felt that if we could get people to plug into something that looked "suspicious", then the masses would definitely plug into a duplicate, taking away from the goal. After further research, we found that the vast majority of the charging kiosks around the world look suspicious, so this may not have mattered after all.

Power Considerations:

With regard to power we had two things to consider: power draw, and backup power in case the kiosk got mysteriously unplugged.

Power Backup: We chose to use a low power Netbook with a three plus hour battery life to accommodate any power hiccups.

Power Draw: First we did the math on the type of circuit we would be plugged into (20A) to determine the number of devices we could serve without popping a breaker. Then we calculated the draw of each type of device to determine how to split up the cords per USB hub. We went with one 7-port powered USB 2.0 hub initially, and found that the constant strain caused by charging the phones killed ports on the hub. We then added another hub to lower the load on the first unit.

Cost Considerations:

With all the projects we had going, we wanted to minimize the costs. We decided to beg/borrow/steal material from our personal stock/friends/family prior to purchasing anything new. Thanks to Riverside, Lei, and the 23B shop, we were able to keep the costs down. Our total out of pocket material costs were less than $200.00.

Physical Security Considerations:

We knew the kiosk was going to be set up in an environment where pretty much anything goes. Drinking is a common occurrence at Defcon, so we knew we needed to make it idiot tolerant (no such thing as idiot proof). If someone truly wanted to get inside the kiosk, they could have.

Build Location(s):

The majority of the build was completed at Riverside's. However, we did some build work and scrounged material from Lei's father's construction yard, and the 23B Shop.

Build Material:

One 10" Netbook, power strip, extension cord, wood (2x4), two powered USB hubs, piano hinge, round cap bolts, zip ties, misc wood screws, zip-tie mounts, plexiglass, old PC cases for metal skin, various washers, rivets, spray paint (black lacquer & blue semi-gloss), primer (black), metal stand (donated by ACE Hardware), padlock, padlock latch door hasp and staple, miscellaneous USB to phone cords (iPhone, mini-USB, micro-USB, etc.)

Tools Used:

jig saw, hack saw, drill press, drill, measuring tape, level, angle grinder, bench grinder, power sander, sand paper, rivet gun, saw horses, welder, carpenter's pencil, miter saw, chisels, rasps, clamps, square, rotary tool, Stika sticker printer, masking tape, drill bits (various), box wrenches, ratchet set, 1 vat elbow grease

Defense

From the everyday user's perspective: be aware... Don't plug your phone into an untrusted USB port!

We recommend testing your device on your own equipment to determine if it is at risk. Plug it in to your computer and see if you are able to access the phone without first unlocking or allowing the access on your phone.

If it does not prompt you for access, you are at risk and should bring your own trusted device to charge from whenever you travel and only use trusted devices to charge from (be it your laptop, a backup battery, or a charger that plugs directly into the wall!)
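One way to run this self-test on a Linux computer, shown as an added example that is not part of the original write-up: with the phone locked and plugged into your own machine, list which data-bearing USB interfaces it offers the host. It assumes the standard Linux sysfs layout under /sys/bus/usb/devices; the function names are hypothetical and the sample tree is constructed for the demo.

```python
import os
import tempfile

# USB interface classes through which a host can reach phone data.
DATA_CLASSES = {0x06: "still image (PTP/MTP)", 0x08: "mass storage (mounts as drive)"}
ADB_TRIPLE = (0xFF, 0x42, 0x01)  # class/subclass/protocol of the Android debug bridge
FIELDS = ("bInterfaceClass", "bInterfaceSubClass", "bInterfaceProtocol")


def read_hex(path):
    """sysfs stores these descriptor fields as bare hex text, e.g. "08"."""
    with open(path) as fh:
        return int(fh.read().strip(), 16)


def exposed_interfaces(sysfs_root="/sys/bus/usb/devices"):
    """Map each USB device (bus path) to the data interfaces it offers the host."""
    findings = {}
    for entry in sorted(os.listdir(sysfs_root)):
        if ":" not in entry:  # interface directories are named like "1-2:1.0"
            continue
        try:
            triple = tuple(read_hex(os.path.join(sysfs_root, entry, f)) for f in FIELDS)
        except (OSError, ValueError):
            continue  # not an interface directory, or unreadable
        if triple == ADB_TRIPLE:
            label = "ADB (USB debugging)"
        elif triple[0] in DATA_CLASSES:
            label = DATA_CLASSES[triple[0]]
        else:
            continue  # HID, hub, audio and other non-data classes
        findings.setdefault(entry.split(":")[0], []).append(label)
    return findings


def build_sample_tree(root):
    """Constructed sample: a phone at 1-2 (storage + ADB) and a keyboard at 1-3."""
    sample = {"1-2:1.0": ("08", "06", "50"), "1-2:1.1": ("ff", "42", "01"),
              "1-3:1.0": ("03", "01", "01")}
    for name, values in sample.items():
        os.makedirs(os.path.join(root, name))
        for field, value in zip(FIELDS, values):
            with open(os.path.join(root, name, field), "w") as fh:
                fh.write(value + "\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(exposed_interfaces(tmp))  # call exposed_interfaces() to scan the real host
```

An interface listed here is only what the phone offers the host; whether it hands over data while locked still needs the manual check described above. Other USB storage devices attached to the same computer will be listed too, so compare the output with and without the phone plugged in.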

For the enterprise, this is a matter of policy. If your executives are traveling, they should only charge their phones via the trusted means as described above.

For the phone operating system designers, we feel users should be required to manually confirm before exposing access to any of the phone's data.

For the phone hardware designers, perhaps combining the data and charge port was an oversight in the design, but it was likely a good decision to streamline the phone's overall design and reduce costs. Perhaps providing an optional cable with no data, or a way to turn access off, would satisfy this need.

Ultimately the biggest surprise in this research was the simplicity of the attack and the success rate at an event where the most security minded and paranoid individuals attend; a “hacker” conference.

Live Tests at Conferences - Defcon/Toorcon

The first kiosk was built and then deployed at DefCon 19 inside of the “Wall of Sheep” room itself. While unprepared attendees found themselves with a dead phone and no other options to charge, they would swarm around the “free charge kiosk” basking in the glow of a projector displaying the Wall of Sheep results. Within seconds of them plugging in their phone, the kiosk's “Free Charge” message changed to a P.S.A. stating “You should not trust public kiosks with your smart phone. Information can be retrieved or downloaded without your consent. Luckily for you, this station has taken the ethical route and your data is safe. Enjoy the free charge!”

During the design and build of the kiosk, the possible outcomes were discussed. We mostly agreed that it was a novel idea, but there was a good chance no one would plug in their phones: “It's Defcon, they should be smarter or at least more paranoid than that.” Within the first few hours, we were dumbfounded at how many times someone proved this presumption wrong. The majority of people seeing the Kiosk found it hysterical, took photos and brought their friends, but a steady stream of people were constantly using the Kiosk to charge their phones. In the end, hundreds of potential juice jacking targets had been weeded out from the crowd of so-called “hackers”. The “victims'” reasoning was similar in most cases: while the paranoia existed, they chose plugging in as an acceptable risk. Typically, the call they had to make was more important, or they presumed that no data of interest could be accessed on their phone. In our opinion, the kiosk was a resounding success (both on the level of proof of concept, and shenanigans).

ToorCon followed DefCon, and is a smaller conference of similar nature down in San Diego, CA. Presenting to the security community about this topic seemed appropriate, and ToorCon provided us another opportunity to deploy the Kiosk. With a newly built Kiosk completed, to prevent anyone from recognizing the original, we set off for San Diego. This Kiosk did not display the PSA like the original though; in fact it had no screen at all, just a box with wires and a sticker saying “Free” to entice people. It was a rush build as well, so it was very rough around the edges compared to the original, and since the conference was much smaller we were far more concerned that no one would use the Kiosk. These fears were disproven immediately after the first talk/keynote, as we watched someone make a beeline for the kiosk and plug in their phone. Amazingly, we talked with them after the fact and they said they knew about the attack, but their decision to plug in was clouded by the necessity to return a call that had been dropped due to a dead battery. We also made friends and gave them a battery backup for their phone (no really, these things are $10 each at Monoprice and make great gifts for people you just scared the crap out of with a fake phone charging kiosk). In all seriousness, we do believe that this is a possible attack vector and necessary precautions should be taken to prevent exploitation.

Media Coverage

5 Terrifying Smartphone Hacks You Won't Believe Are Possible - Cracked.com, http://www.cracked.com/article_20345_5-terrifying-smartphone-hacks-you-wont-believe-are-possible.html
Cyber Threat Report - AT&T, techchannel.att.com
Beware of Juice-Jacking - krebsonsecurity.com
How to avoid smartphone juice jacking - www.tgdaily.com, by Trent Nouveau
Juicejacking - an emergency phone charge can be a security risk - nakedsecurity.sophos.com
Charging Stations May be 'Juice-Jacking' Data from Your Cellphone - www.pcworld.com, by Brennon Slattery
Protect Your Smartphone from Juice Jacking - technology.inc.com, by Sonya Donaldson. Airport kiosks could do more than charge your device--data thieves could access them to write malware to your smartphone.
Juice-Jacking: Watch Where You Charge Your Smartphone - www.mainstreet.com, by Seth Fiegerman
Juice-jacking The next big threat to the mobile workforce? - www.myce.com, by Justin Massoud
Security researcher warns on smartphone juice-jacking risk - www.infosecurity-magazine.com
'Juice Jacking': What phone-charging kiosk deployers need to know - www.kioskmarketplace.com

Device Research

To turn off USB debugging on Android-based phones, the option is in Settings → Application Settings → Development → USB debugging (toggle the option on/off).

 

Device (Model/Maker) | Device OS version | Allowed to mount device as drive? | Debug/Other Access?
Motorola Droid (original) | CyanogenMod 7.1.0-RC1, Android version 2.3.4 | Requires confirmation on phone | Yes! Debug option on by default; disabled within settings
iPhone 1 (original) |  | Yes, no confirmation required. | N/A
Samsung Galaxy Portal | 2.1-update1 | Not at all (I may be wrong) | Debug option off by default, changeable in settings.

Credits

Project Team

Riverside
Lei
Genesic
Cedoxx
Doc
ch1m3ra