Have you heard of a little thing called juice jacking?
Computers change quickly. The language used for computers also changes. When new attack methods are found, sometimes the old ways of describing things no longer work. Take the terms ‘Virus’ and ‘Anti-Virus’ for example. These were originally used to describe any and all malicious pieces of software. Over time, as new and more varied types of malicious software were created, those terms were no longer good enough, and so the language grew to include new terms (like the word ‘ransomware’, for a far too common example).
For today’s newsletter I’d like to introduce a new term I heard about recently, called ‘juice jacking’. It doesn’t mean that someone steals your OJ or anything like that, but instead describes when a bad actor executes an attack by compromising the power charger for USB devices. A slang term for electrical power is juice, and thus the term ‘juice jacking’ was born.
When most people visualize digital defenses like anti-virus software or firewalls, they tend to picture a protective bubble around their computer. In order to perform an attack of any kind, a hacker needs to first get through the software defense bubble. Unfortunately, as you’re probably guessing by now, that’s not how it actually works. Think about installing a car alarm on your vehicle. It’s great at deterring theft, but can’t offer your tires any kind of help if you drive over a nail.
The same is true when it comes to attacks like juice jacking. The bad actors are going after the hardware components that handle communications. Internal components like the network card, Bluetooth communications, USBs, and wireless cards all make use of some kind of signal transmitter, and this hardware all sits outside your computer’s software. This means there is no way of protecting it with any kind of installed software.
So what happens if someone finds a way of attacking that hardware? In the case of USB it can be possible to reprogram that equipment. Software would not be able to detect or defend against this. So long as the reprogramming allowed for normal operation, no one using it would have any reason to suspect something was wrong.
How does someone pull off an attack like this?
Well, first you need to be able to talk to a USB device, which requires a physical connection. No one would blame you for thinking this would be hard to pull off, but actually all someone needs to do is either compromise an existing USB charge station, or set up one of their own. If you haven’t seen them yet, you can find public USB chargers all over the place these days in airports, malls, hotel rooms, and some restaurants. Although it requires some expertise to set up, the components are not expensive.
Providing power to a USB device is easy. Once the hacker has devised some kind of attack that can be used on a particular piece of USB hardware, they make a small device to detect that hardware and execute the attack. All they have to do is program a microcontroller, and all of the circuitry can fit into the housing of a normal USB cable. It’s inexpensive, and easy to hide.
What are some realistic risks of being juice jacked?
Anyone performing an attack like this is going to have a goal and/or a target, and it’s unlikely that an attacker would go after a piece of hardware just because they could. The most likely targets would be government officials, CEOs, political targets, and so on.
How can you defend yourself against this sort of attack?
It’s pretty simple. Honestly, it’s best just to avoid using unknown USB chargers or devices if at all possible. If you find a USB disk on the ground, throw it out because it could be compromised. If you’re traveling, charge any of your equipment off of a USB plug you bring with you, like an external battery or laptop. If you need to charge those, well, thankfully wall sockets haven’t been compromised. Yet.
Not everything I talk about in these newsletters is a threat to be concerned about. Still, I feel there is something to be learned. In this case, the major takeaway is an awareness of the limits of security software and gaining some insight into how computers actually work. Learning doesn’t stop after high school, and it should never end. You should always keep your mind open and be looking for things you didn’t know the day before.
Anyone familiar with Shakespeare’s play ‘A Midsummer Night’s Dream’ should recognize today’s quote, “Do as I bid you; shut doors after you: Fast bind, fast find; A proverb never stale in thrifty mind.”
If you have any questions about juice jacking, please reach out to your TRINUS Account Manager for some stress-free IT.
By Kind, Courtesy of Your Friendly Neighbourhood Cyber-Man.