No charging station is safe: the FBI is warning travelers who charge their devices in airports, hotels, and coffee shops that "juice jacking" is real, with bad actors using public chargers and even free cables and charging plugs to infect phones and other devices with malware.[1]
According to an FBI "Scams and Safety" brief, which also discusses system and data protection and protecting money information:
- Be careful when connecting to a public Wi-Fi network, and do not conduct sensitive transactions, including purchases, when on a public network.
- Avoid using free charging stations in airports, hotels, or shopping centers. Bad actors have figured out ways to use public USB ports to introduce malware and monitoring software onto devices that access these ports. Carry your charger and USB cord, and use an electrical outlet instead.
The US Federal Communications Commission (FCC) issued a warning in the fall of 2021, titled "'Juice Jacking': The Dangers of Public USB Charging Stations," giving travelers notice before the busy holiday travel season:
"If your battery is running low, be aware that juicing up your electronic device at free USB port charging stations, such as those near airport gates, in hotels, and other travel-friendly locations, could have unfortunate consequences. You could become a victim of 'juice jacking,' a new cyber-theft tactic.
Cybersecurity experts have warned that criminals can load malware onto public USB charging stations to access electronic devices while being charged maliciously. Malware installed through a dirty USB port can lock a device or export personal data and passwords directly to the perpetrator. Criminals can use that information to access online accounts or sell it to other bad actors."
Here is what some cybersecurity vendor experts are saying about the juice jacking news, including a couple who do not view the problem as being as bad as reported and others who are considering the implications for electric vehicle (EV) charging stations:
JT Keating, SVP of Strategic Initiatives at Zimperium:
"Consumers should always be wary of free solutions purporting to be 'public' services. When hackers trick people into using their fake Wi-Fi networks and power stations, they can compromise devices, install malware/spyware and steal data. This trend will continue and evolve as more and more people connect to EV charging stations for their electric vehicles. By compromising an EV charging station, attackers can cause havoc by stealing payment information or by doing a variation of ransomware by disabling the stations and preventing charging."
Casey Ellis, Founder and CTO at Bugcrowd:
"Juice jacking is not common; however, the combination of ease of exploitation and the impact makes it a risk that people should be mindful of. So, how do hackers infect public power stations? Typically, it's via replacing an existing charging terminal with a trojan one or even by installing a completely fake system where one did previously exist.
Consumers should remember that connections (whether physical or virtual, like in the case of Wi-Fi) exist to create access and that access works in both directions. While they are enjoying a recharge, the possibility exists that the owner of the charging station is enjoying their data.
An EV isn't a personal computing device like a phone or laptop, so the privacy and security implications of compromise through a charging port are quite different. That said, the past five years of EV innovation have seen them evolve more and more towards being an extension of the user's digital life, so it's reasonable to expect that privacy and security concerns through EV charge ports will become a consideration in the future."
Bud Broomhead, CEO at Viakoo:
"Juice jacking isn't very common in general because people do not use a remote charging facility very often. However, if someone was a user of a charging system outside of their control, the warning issued by the FBI should cause them to change their behavior, as cases are on the rise.
Should consumers be cautious in general about using public facilities like charging stations and Wi-Fi connections? Yes. Any connection to a device (power, Wi-Fi, texts) can be used by threat actors to add malware, exfiltrate data, or be used as a phishing attack.
Modern vehicles contain a lot of digital data and will grow as a target for threat actors to exfiltrate that data. There have been hacks of GM's OnStar system, and even last week, a successful hack of a Tesla Model 3 (providing root access) at the Pwn2Own Conference.
Threat actors are seeking data and control; they have shifted their focus over time from data centers to the IoT/OT devices that are generating the actual data. By going to the source (such as cars, mobile phones, IoT/OT devices in general), threat actors can also plant deepfakes, manipulate data, and gain control over how devices function."
Andrew Barratt, Vice President at Coalfire:
"Based on the fairly limited data on this, it's hard to say how common 'juice jacking' is. It's probably more likely to take place in areas that have persons of interest frequenting, i.e., politicians or intelligence agency workers. For a juice jacking attack to be effective, it must deliver a very sophisticated payload that can bypass common phone security measures. Frankly, I'd be more worried about the outlets being so heavily used that I'm more likely to damage my cord or the socket on the phone.
The proof of concepts that have demonstrated these kinds of attacks offer an 'overlay,' something that looks indistinguishable from a regular power outlet but hides some very small-scale microprocessor that could deliver a custom payload to a device.
EV charging stations have been a concern for a while, but the main consideration, following the money, is what could be used to steal charge time or get free use from these outlets. Longer term, I suspect there is a concern that we will continue to see more attacks against these chargers as the world transitions to EV chargers. The same has always been true. When we had public payphones, there were attacks against them and regular attacks against ATMs and gas pumps. Anything where value is dispensable in an unattended environment has a payoff potential for a cyber-enabled thief to leverage.
With Wi-Fi networks, attackers are normally scraping traffic, looking for credentials that take over social media and email, which can then be used to move laterally into online banking or anything of material value that can be quickly monetized. With public power points, the cost is high to deliver, the chances of success are very low, and the likelihood of detection is very high, particularly in airports or other mass transit environments with huge amounts of CCTV and security. The ability to go undetected and quickly place a rogue device becomes more and more challenging. If I were to speculate, I'd say that these kinds of juice jacking devices are more likely to be used in very targeted scenarios for corporate or state-sponsored espionage."
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5504229295967742989
[1] https://www.secureworld.io/industry-news/fbi-warns-juice-jacking