The FBI has again warned the public against using public USB ports to recharge an iPhone, with "juice jacking" attacks infecting mobile devices connected to the ports.
Many people will be familiar with malicious apps and online attacks performed over the Internet, and will know that physical attacks are possible but rarer. However, despite this apparent knowledge, many still leave their devices open to potential attack by using public recharging points.
In a warning issued via Twitter on April 6, the Federal Bureau of Investigation's Denver office told the public to "avoid using free charging stations in airports, hotels, or shopping centers." The FBI believes bad actors have "figured out ways to use public USB ports to introduce malware and monitoring software onto devices."
The idea is that a USB charging point could be compromised by an attacker. Since the public doesn't necessarily believe that what seems to be a power source available for free use could be malicious, device owners will use the connection without contemplating whether attacks could be made on their hardware.
Avoid using free charging stations in airports, hotels or shopping centers. Bad actors have figured out ways to use public USB ports to introduce malware and monitoring software onto devices. Carry your own charger and USB cord and use an electrical outlet instead. pic.twitter.com/9T62SYen9T
— FBI Denver (@FBIDenver) April 6, 2023
The concept of a connection-based attack isn't new; it has been around for many years. Nor is it limited to USB charging points, as a maliciously crafted cable could be used to the same effect.
Various US agencies have been warning against "juice jacking" for over a year.
How to protect against "juice jacking"
Apple includes "Trust this device" prompts in iOS and iPadOS that appear when you connect a new accessory to the device, which prevent any data transfers from occurring. If such a notice appears on a device connected to what should be a power-only USB port, you should disconnect it immediately.
However, it is also possible for the notification to be bypassed, if the attack itself is sophisticated enough.
Furthermore, if you're actively using the iPhone while it is plugged in, you may not necessarily see the prompt at all.
To combat the potential attacks, the FBI recommends using your own charger and USB cable to receive power from an electrical outlet, rather than trust a potentially compromised component.
13 Comments
I'm surprised the author or the FBI didn't recommend data-blocking USB adapters. They're a very inexpensive solution.
This is where those USB cables that are only good for power would come in handy.
Note that the FBI doesn't claim to have any evidence of such an attack ever actually happening. Keep your device updated, and this isn't a concern. Nobody is going to burn a million-dollar exploit on people who need to charge at a semi-public charging station rather than an outlet they control.
As for power-only cables, that can be an option, but power delivery is negotiated over the data lines. These cables generally prevent the phone, tablet or laptop from requesting more than the 5W base delivery.
This is very good information. I’ve never used these types of public charging stations mostly because I don’t trust the quality and integrity of the electrical charging circuitry. Knowing that these charging points could also contain nefarious logic only adds greater rationale for not plugging into them.
The same logic applies to power banks, chargers, and even charging cables that do not come from a reputable and trusted source. It would be very easy for a bad actor to seed the gas station/truck stop/quickly mart/dollar store sales channels with super cheap power banks, chargers, and cables that contain a payload that gets pushed through a logic-enabled charging port onto a victim’s device. Not picking on the cheapo and knock-off sales channels, but if you weren’t already dissuaded by the possibility of these devices burning down your house, perhaps the possibility of infection should give you pause.
Users should be wary of all ingress points into their devices, whether through physical ports or the various network/logical/communication ports including Ethernet, WiFi, USB, Bluetooth, NFC, AirDrop, Email, messaging, FTP, attachments, etc. Your circle of trusted ingress points should be very narrow compared to the number of available ingress points. Having connectivity is very different than establishing a connection, the latter of which should require a trust relationship. This applies to both technology and people.
Only relying on wireless charging is a solution.