Dan GoodinApr 12, 2023

Sigh. Let's see if y'all can play along at home:

The FCC and the FBI's Denver field office are both warning people to beware of Juice Jacking attacks at airports and other public places. Both cite "cybersecurity experts."

https://www.fcc.gov/juice-jacking-dangers-public-usb-charging-stations

An FBI spox told me the Denver field office warning was reporting information from the FCC. An FCC spox said its information came from a 2019 NYT article, but that the agency has received consumer complaints of juice jacking.The NYT article cited a warning from the LA DA's office. The DA's post was taken down in December 2021, a couple weeks after @zackwhittaker reported DA officials had no cases and could point to no cases of it happening.

Even though the the LA DA's warning was depublished ~18 months ago and the FCC spox can't name a single cybersecurity expert issuing such warnings, there are no plans to correct the post and no mechanism for the public to challenge the warning.

'Juice Jacking': The Dangers of Public USB Charging Stations

If your battery is running low, be aware that juicing up your electronic device at free USB port charging stations, such as those found near airport gates, in hotels and other travel-friendly locations, could have unfortunate consequences.

Show threadDan GoodinApr 12, 2023

Zack and several other people I respect say that Juice Jacking is a real threat, but is that even true?

If I can infect your device by tricking you to connect it to my boobytrapped power cord, it seems to me I have a very valuable 0day that Apple and Android device makers would want to patch right away. How is it that this threat has existed for so many years with no patch?

I remain skeptical that juice jacking is a threat at all. What evidence is there that shows otherwise?

cc: @zackwhittaker

Show threadVissApr 12, 2023
@dangoodin @zackwhittaker you dont even need an actual exploit. just adb. its command execution by design. the solution is to make sure your phone doesnt have debug enabled. or to use one of those 'power only usb condoms'. ive never heard of an in-the-wild recharging station actually doing attacks. androids get a popup when debugging happens and you have to approve the debugger on the other end of the cable. one wrong attack and the victim in the crowed airport makes a fuss
Show threadJosephApr 13, 2023

@Viss @dangoodin @zackwhittaker As a hypnothetical for Android devices would it be possible to spoof keyboard/mouse interactions with something like the OMG cable?

I know it's possible to connect these peripheral without prior prompt, but to then have them click the confirm for you.

Still relies on developer mode + debugging to be enabled in the settings or the amount of mouse/keyboard movements required would probably alert the user

Show threadVissApr 13, 2023
@eccles @dangoodin @zackwhittaker that cable is basically just a hak5 bash bunny in a different wrapper. all it does is emulate keystrokes. You can go further to just outright disable external keyboards and storage devices: https://stackoverflow.com/questions/49840331/pragmatically-way-to-disable-all-usb-ports-on-android-so-that-it-does-not-recog
pragmatically way to disable all USB ports on android, so that it does not recognize any removable storage or any other device

I need a pragmatically way to disable all USB ports on android for a MDM application, so that it does not recognize any removable storage or any other device (USB mouse, USB keyboard etc). my

Stack Overflow
Show threadDan GoodinApr 13, 2023
@Viss @eccles @zackwhittaker I'm not fully up to speed on the hak5 bash bunny. If I plug this OMG cable into my iPhone or Pixel, can it do ANYTHING other than charge without me first granting permissions?
Show threadVissApr 13, 2023
@dangoodin @eccles @zackwhittaker these devices identify themselves as keyboards, and spit out a preprogrammed set of keystrokes. the phone would think it was a usb keyboard. no special drivers or permissions needed. also trivial to protect against.
Show threadDan Goodin
@Viss @eccles @zackwhittaker How would one protect against this?
Apr 13, 2023 at 1:26amWeb
Show threadVissApr 13, 2023
@dangoodin @eccles @zackwhittaker you can disable hardware keyboards, disable usb power, disable debugging.
Show threadDan GoodinApr 13, 2023
@Viss @eccles @zackwhittaker So the settings are opt out and not opt in?
Show threadVissApr 13, 2023
@dangoodin @eccles @zackwhittaker yeah, theyre easy to change but you gotta actually do it. i think debug mode doesnt come on by default
Show threadDan GoodinApr 13, 2023
@Viss @eccles @zackwhittaker it’s still not clear to me if this attack will work against an android device by default and users must make changes to prevent it, or if it’s the other way around.
Show threadMGApr 13, 2023

@dangoodin @Viss @eccles @zackwhittaker I’ve seen a few people say that specific versions of android disable external keyboards by default. The majority seem to have external keyboards enabled by default.

The above mention of BashBunny isn’t quite right. Ducky is probably a closer comparison.

Show threadVissApr 13, 2023
@dangoodin @eccles @zackwhittaker ymmv. different android vendors have different roms with different default settings. itll be hit or miss at best.
Show threadVissApr 13, 2023
@dangoodin @eccles @zackwhittaker the real world implications are largely:

it may work on a couple phones, but the moment one that gets a popup gets plugged in, the jig is up, everybody knows the kiosk is malicious.
Show threadjeSuisatire neindochohh ᘛ⁐̤ᕐᐷApr 13, 2023

@Viss

>> So the settings are opt out and not opt in?

> yeah

case closed.

(btw - "people", governments, agencies, ONG's aren't even able to leave (opt out of) twitter when it's hijacked in the open but in this specialist discusion "everything is save". your so funny ..)

@dangoodin @eccles @zackwhittaker