Dan GoodinApr 12, 2023

Sigh. Let's see if y'all can play along at home:

The FCC and the FBI's Denver field office are both warning people to beware of Juice Jacking attacks at airports and other public places. Both cite "cybersecurity experts."

https://www.fcc.gov/juice-jacking-dangers-public-usb-charging-stations

An FBI spox told me the Denver field office warning was reporting information from the FCC. An FCC spox said its information came from a 2019 NYT article, but that the agency has received consumer complaints of juice jacking.The NYT article cited a warning from the LA DA's office. The DA's post was taken down in December 2021, a couple weeks after @zackwhittaker reported DA officials had no cases and could point to no cases of it happening.

Even though the the LA DA's warning was depublished ~18 months ago and the FCC spox can't name a single cybersecurity expert issuing such warnings, there are no plans to correct the post and no mechanism for the public to challenge the warning.

'Juice Jacking': The Dangers of Public USB Charging Stations

If your battery is running low, be aware that juicing up your electronic device at free USB port charging stations, such as those found near airport gates, in hotels and other travel-friendly locations, could have unfortunate consequences.

Show threadDan GoodinApr 12, 2023

Zack and several other people I respect say that Juice Jacking is a real threat, but is that even true?

If I can infect your device by tricking you to connect it to my boobytrapped power cord, it seems to me I have a very valuable 0day that Apple and Android device makers would want to patch right away. How is it that this threat has existed for so many years with no patch?

I remain skeptical that juice jacking is a threat at all. What evidence is there that shows otherwise?

cc: @zackwhittaker

Show threadChester Wisniewski 🇨🇦Apr 12, 2023
@dangoodin @zackwhittaker I have never heard of a single example of this happening, ever. To interact with IOS or Android requires user approval, or as you point out, a zero-day. An Android would theoretically need to be in developer mode and the user would need to authorize the ADB connection, similar on IOS. This is pure FUD. Who burns a zero-day on a power outlet in a Starbucks?
Show threadJim P.Apr 13, 2023
@chetwisniewski @dangoodin @zackwhittaker I'm not aware of a practical example but on Android there are some devices that don't need explicit approval before they can work, like USB keyboards/mice. Though last time I tried one it did notify the user one was connected. But that would mean whatever connected would have to send just the right keystrokes/clicks to perform some task, and good luck making sure it's right for all the different variants of the OS.
Show threadMike GaruccioApr 13, 2023

@jimp @chetwisniewski @dangoodin @zackwhittaker

This would also require the device to be unlocked, and for the user to not touch it while it’s going off and downloading malware, and probably provide their pin or a biometric authorization at least once to accomplish anything real.

Show threadJim P.Apr 13, 2023
@mgaruccio @chetwisniewski @dangoodin @zackwhittaker It's not unheard of for someone to plug in the phone and unlock it and use it while it's charging but at least in the case of a virtual mouse/kb it would be very obvious it's doing something bad since they'd almost have to be watching it happen.
Show threadMike Garuccio

@jimp @chetwisniewski @dangoodin @zackwhittaker

Exactly, if they’re unlocking it they’re almost certainly also looking at it, and are likely to unplug it and/or lock it if it suddenly starts doing a bunch of things by itself

Apr 13, 2023 at 2:12amWeb