Beware of Juice-Jacking, warns security researcher Brian Krebs. Those cell-phone charging kiosks in airports and other public places amount to an "unknown device that could be configured to read most of the data on your phone, and perhaps even upload malware."
Luckily it’s trivial to construct an adapter that passes power but no data.
You posted this as I typed “I bet this could be avoided by a custom USB dongle where the Data pins aren’t connected to the host, but trick the phone into knowing everything’s ok (like the minty boost does)”
And then had to reset my password.
Great minds think alike!
According to the USB charging spec, shorting the data pins is a signal to the device that it will get up to 1800mA from the port. The same charging spec also says that if there is no data traffic (but the data pins are still intact), the usb2 port should be allowed to deliver up to 1500mA. This is because usb2 cables and ports are actually rated to handle as much (normally a usb port only delivers 500mA, in increments of 100, on request).
Cell phone condom FTW!
That’s sarcasm, right?
It’s funny, I was just at the airport a week ago and had the same thought…. people assume it’s just a jack and don’t think “what’s behind it?”. If I was the TSA I’d be all over that one. Of course, people preparing to die probably aren’t that concerned about their battery level…
That’s like giving the thief the keys to your house.
I wouldn’t use the “charging station” at Defcon, but frankly, the risk of a charging station at an airport being malicious is similar to paying for food with a credit card at an airport (either the agent or the machine could be malicious). Buying a coke from a vending machine could also be malicious (it might be a fake poisoned coke). Of course there’s some risk whenever you interact with strangers or strange devices – but there’s usually some minimal vetting to install a device in the secured area of an airport.
That’s what I would have thought, but a friend of a friend used one, and his phone was infected with the Good Times virus and it infected the control circuits of his fridge and made his ice cream go all melty.
I would compare it closer to using a public access USB terminal with your laptop rather than buying a coke or using a credit card. Most phones are configured to transfer data as well as power from the same plug on the phone.
Yes I agree. I mean if I’m boarding a plane it’s usually for an international flight which will take a few hours and my phone will be switched off for the duration. Hence, I don’t really need to charge a phone. On the other hand I may need to make an urgent call and need just that extra bit of juice. Either way I would risk it. I don’t think I have any particularly sensitive data.
Credit cards have a third party involved tho, the company that issued the card.
I wouldn’t use a charging kiosk because they cost way too much money. Better to camp on the floor by an outlet.
P.S. I know the article talks about free charging kiosks. I’ve never seen one of those in an airport.
Public charging kiosks are like open wireless access points in airports.
Of course, a random guy at an airport (on my way to Defcon, no less,) didn’t understand why randomly picking open wifi is a bad idea after asking how I was on the internet.
I’ve seen way more free charging kiosks at airports that have AC outlets than have USB/data plugs. No fear with the AC!
Not yet.
The techie types that read this blog understand that using an AC adapter between your phone and the kiosk/outlet will prevent any hacking, but I’m sure many non-geek folks won’t realize this, and will now start freaking out after reading this article or hearing the info 2nd hand.
I see this as a good thing, as it will free up the outlets :)
Most that I’ve seen have both regular outlets and USB charging ports. I always opt for the outlet. Some airports DO have free ones- either ad-supported (you have to stare at an ad while you are sitting there) or are installed by the airlines. (Southwest seems to do this a lot.)
I was just in a couple airports with free USB charging kiosks located next to AC wall outlets. I assumed that they are just power supplies, since they’re built into the wallbox and don’t appear to have any room to hold an internal computer.
Nonetheless, the USB data block is very simple to build, requiring only a jack, a plug and four resistors. Each data line needs 180K to 5V, 270K to gnd.
For most devices, you do not need even that. Just the two power lines (gnd and +5), and leave the data lines floating. Of course, YMMV depending upon the device (iPhone, iPod, etc.).
I don’t get around all that much, but I’ve never had trouble finding an unoccupied AC outlet to plug my own charger into. I don’t think I’d plug into any old USB connector that was lying around, even if it is at a more civilized waist-level than those barbaric AC outlets near the floor. I get irritated enough by my phone complaining about being plugged into an “unsupported cable” (which charges it just fine anyway). The last thing I wanna worry about is whether some scamp is moving data to or from my phone.
Are there *any* public exploits that can get data off a cell phone without any user interaction? I.e. without someone clicking “mount usb drive” on the phone display. The *only* reason this story exists is because some hipster came up with the term “juicejacking” and thought it sounded cool…see also “bluesnarfing” (which affected about 3 nokia phones that were years obsolete by the time)…
Someone beat me to the punch, but I was going to suggest some sort of condom-like device for the data connectors of one’s device.
When trying to use a 7-port USB hub (not connected to a computer) to charge a bunch of devices, the hub was being a bit recalcitrant (probably since it saw no host computer), so I put a strip of Post-It note over the center two contacts of my USB plug. That would work in this case too.
My android phone asks what I want to do with the USB connection. I DON’T want to unmount the SD card, so mine is set to default to charge only. My old palm pre did that also. Are just iPhones and Windows phones vulnerable?
You can do near anything you want with a plugged-in Android phone via the command-line ADB program, whether the SD card is mounted or not, though AFAIK it won’t work with non-rooted, locked-bootloader phones.
So, most people have nothing to worry about, though there are a lot of people that root their Android phones that don’t necessarily understand the security implications. But, why would anyone bother to target that audience in someplace like an airport terminal? You’d get a ridiculously small number of hits that actually allow access.
No. You need to explicitly turn on debugging on your phone to make adb work, whether rooted or unlocked or what have you — and even if you are, it’s a simple matter to turn debugging back off if concerned.
And those ‘do not remove’ tags on your mattress are so the CIA can spy on you.
In this day and age with WiFi and Bluetooth why would anyone need you to plug in your fairly unsecured mobile device to steal your data? It’s already whizzing through the air like a Wonka bar and Mike TeeVee. Just reach out and grab it.
Or you could just get one of these.
Or one of these.
I fully trust Bacardi, they just want to charge up my night, not grab relevant info from my phone to use in improving their marketing targeting efforts.
I covered this almost a month ago:
http://iheardacouplethings.blogspot.com/2011/07/h2o-and-usb.html
Please, don’t use usb without protection, folks.
be very afraid… all the time