Dan GoodinApr 12, 2023

Sigh. Let's see if y'all can play along at home:

The FCC and the FBI's Denver field office are both warning people to beware of Juice Jacking attacks at airports and other public places. Both cite "cybersecurity experts."

https://www.fcc.gov/juice-jacking-dangers-public-usb-charging-stations

An FBI spox told me the Denver field office warning was reporting information from the FCC. An FCC spox said its information came from a 2019 NYT article, but that the agency has received consumer complaints of juice jacking.The NYT article cited a warning from the LA DA's office. The DA's post was taken down in December 2021, a couple weeks after @zackwhittaker reported DA officials had no cases and could point to no cases of it happening.

Even though the the LA DA's warning was depublished ~18 months ago and the FCC spox can't name a single cybersecurity expert issuing such warnings, there are no plans to correct the post and no mechanism for the public to challenge the warning.

'Juice Jacking': The Dangers of Public USB Charging Stations

If your battery is running low, be aware that juicing up your electronic device at free USB port charging stations, such as those found near airport gates, in hotels and other travel-friendly locations, could have unfortunate consequences.

Show threadDan GoodinApr 12, 2023

Zack and several other people I respect say that Juice Jacking is a real threat, but is that even true?

If I can infect your device by tricking you to connect it to my boobytrapped power cord, it seems to me I have a very valuable 0day that Apple and Android device makers would want to patch right away. How is it that this threat has existed for so many years with no patch?

I remain skeptical that juice jacking is a threat at all. What evidence is there that shows otherwise?

cc: @zackwhittaker

Show threadDan GoodinApr 13, 2023
@zackwhittaker Someone pointed out the OMG cable. It looks just like a USB C to USB C or USB C to Lightning cable, but inside each one is an implant that contains a web server, USB communications, and Wi-Fi access. It's advertised as something can remotely inject scripts into the connected device. Has anyone used one? What do I see on my iPhone or Pixel when I plug it into one of these cables?
Show threadGnarly
@dangoodin @zackwhittaker wouldn't a warning come up on the phone saying some external device is connected? Maybe if you have an android in like dev mode with everything disabled but even then makes no sense that it would just immediately start executing scripts
Apr 13, 2023 at 12:11amWeb
Show threadAurora PenguinApr 13, 2023
@gnarly @dangoodin @zackwhittaker android you have to specifically go to a notification, click it, and select "data access" before it will do anything