Sigh. Let's see if y'all can play along at home:

The FCC and the FBI's Denver field office are both warning people to beware of Juice Jacking attacks at airports and other public places. Both cite "cybersecurity experts."

https://www.fcc.gov/juice-jacking-dangers-public-usb-charging-stations

An FBI spox told me the Denver field office warning was reporting information from the FCC. An FCC spox said its information came from a 2019 NYT article, but that the agency has received consumer complaints of juice jacking. The NYT article cited a warning from the LA DA's office. The DA's post was taken down in December 2021, a couple weeks after @zackwhittaker reported DA officials had no cases and could point to no cases of it happening.

Even though the LA DA's warning was depublished ~18 months ago and the FCC spox can't name a single cybersecurity expert issuing such warnings, there are no plans to correct the post and no mechanism for the public to challenge the warning.

'Juice Jacking': The Dangers of Public USB Charging Stations

If your battery is running low, be aware that juicing up your electronic device at free USB port charging stations, such as those found near airport gates, in hotels and other travel-friendly locations, could have unfortunate consequences.

Zack and several other people I respect say that Juice Jacking is a real threat, but is that even true?

If I can infect your device by tricking you to connect it to my boobytrapped power cord, it seems to me I have a very valuable 0day that Apple and Android device makers would want to patch right away. How is it that this threat has existed for so many years with no patch?

I remain skeptical that juice jacking is a threat at all. What evidence is there that shows otherwise?

cc: @zackwhittaker

@dangoodin @zackwhittaker you don't even need an actual exploit. just adb. it's command execution by design. the solution is to make sure your phone doesn't have debug enabled. or to use one of those 'power only usb condoms'. i've never heard of an in-the-wild recharging station actually doing attacks. androids get a popup when debugging happens and you have to approve the debugger on the other end of the cable. one wrong attack and the victim in the crowded airport makes a fuss
@dangoodin @zackwhittaker then 2 minutes later there's a crowd and maybe a headline and the thing gets unplugged and airport security gets involved.