That Little USB of Horrors



Beware USBs promising a quick recharge of your mobile device; they might also be leeching data as well.

It's a common scenario. You just arrived at an airport after a long flight and your phone is dead. There's a shiny kiosk sitting in the airport lounge with cables for you to use for charging. What could possibly go wrong?

The strength of Universal Serial Bus (USB) is its amazing capability as a connector. So it is ironic that its greatest weakness is that same universal nature: that both the power supply and data pass through the same port and cable. Not only are you getting power from the kiosk, but the kiosk might be getting access to all the files on your mobile device. This could pose data loss problems for enterprises with staff out on the road.

Juice Jacking, the practice of surreptitiously collecting data from a device while it is being charged, was first highlighted in a talk at the DEF CON security conference in 2011 and a kiosk in the lobby of the conference hotel. At least 300 plus attendees took advantage of "free charge" kiosk. While this particular kiosk stated it was ethical, the conference delegates (who should all know better) were nonetheless greeted with a scary display warning that other kiosks might not be friendly and might even be malicious.

Although there have been relatively few examples of Juice Jacking seen in the wild, in security you or your company never want to be among the first to be hit.

The USB port is designed to share data, not just power. Data typically includes your address book, notes, photos, music, text messages, and even a full backup of your phone. It's also a two-way street. You might think the threat is only in exfiltration but Juice Jacking can also be used to put malware on your device as well.

Some changes have occurred. Today newer mobile devices default to charge first, and only transfer data if you allow it. iPhone, for instance, will flash a notice "Trust this computer?" and give you the option of transferring data. But these protections can be defeated.

At Black Hat 2013, for example, a trio of researchers focused on the iPhone by designing a piece of malicious hardware, a USB port they called Mactans that could circumvent Apple security. Malicious hardware such as MacTans could be sitting on the other side of a charging cable in a kiosk and could, without having a jailbroken phone or any real user interaction, exfiltrate data from any mobile iOS system connected to it. The researchers claim an iOS device could be compromised with their hardware within a minute of being connected.

In a 2014 Black Hat talk, researchers Karsten Nohl and Jakob Lell demoed BadUSB, malicious code that compromises the firmware of a USB port. The researchers found they could reverse engineer and alter the fundamental way data is transferred via the USB port such that your IT department would be none-the-wiser. They focused their research on USB sticks, yet the same data communications can be found elsewhere.

For example, that digital clock radio you connected your phone to last night could also have taken your data if it had been compromised. In order words, with the advent of the Internet of Things, it doesn't have to be a traditional computer that steals your information. And you might think that turning your mobile device off while using the USB port to charge will prevent the data sharing capabilities. That is not always true. Some devices "wake up" the USB port as soon as a cable is connected.

So how can this attack be mitigated?

Juice Jacking can be stopped by using a special dongle or charge-only cable between your USB port and your mobile device. These charge-only cables and dongles block the data pins and data wires so that only the power pins and power wires remain active. We're not endorsing one brand or another, but you can find a variety of them for as little as $8 on Amazon.

Short of buying a dongle and remembering to pack it and use it, here are a few other tips:

  • Top Off: Always keep your mobile device charged, at least 75 percent or more.
  • Carry Your Own: Carry your own plugin charger. These often ship with the mobile device and the use of a friend's compatible plugin charger won't necessarily compromise your data.
  • Carry A Battery Charger: An alternative to a plug charger is a battery powered charger. These typically offer one full recharge before the recharger itself has to be recharged.
  • Enable Power Saving: Many mobile devices have power-saving features that can extend the life of the current battery charge by dimming the screen and limiting certain power-hungry apps which may also prevent the need to use free charging stations.

Robert Vamosi is a CISSP and award-winning journalist. He is also the author of When Gadgets Betray Us: The Dark Side of Our Infatuation With New Technologies (Basic Books).

Robert Vamosi

451 Research: The DLP Market by the Numbers

Get the 451 take on the resurgence of the DLP market, with projections for market growth over the next five years and the top security challenges for 2016.

Download the report

Related Articles
The Evolution of Authentication and Identity Management: A Q&A with Duo's Wendy Nather

Wendy Nather discusses the evolving consumerization of security and how it affects the future of authentication.

The Anatomy of a CISO: A breakdown of today’s top security leaders (Infographic)

What does the typical Fortune 100 CISO look like? We researched the top security leaders at F100 companies to get a better idea – here’s what we found.

Security Investments and the Definition of Insanity

A survey of IT professionals finds companies continuing to prioritize network perimeter protections – with little to show for it.

Robert Vamosi

Robert Vamosi is a CISSP and award-winning journalist. He is also the author of When Gadgets Betray Us: The Dark Side of Our Infatuation With New Technologies (Basic Books).

Please post your comments here