Sigh. Let's see if y'all can play along at home:

The FCC and the FBI's Denver field office are both warning people to beware of Juice Jacking attacks at airports and other public places. Both cite "cybersecurity experts."

https://www.fcc.gov/juice-jacking-dangers-public-usb-charging-stations

An FBI spox told me the Denver field office warning was reporting information from the FCC. An FCC spox said its information came from a 2019 NYT article, but that the agency has received consumer complaints of juice jacking. The NYT article cited a warning from the LA DA's office. The DA's post was taken down in December 2021, a couple weeks after @zackwhittaker reported DA officials had no cases and could point to no cases of it happening.

Even though the LA DA's warning was depublished ~18 months ago and the FCC spox can't name a single cybersecurity expert issuing such warnings, there are no plans to correct the post and no mechanism for the public to challenge the warning.

'Juice Jacking': The Dangers of Public USB Charging Stations

If your battery is running low, be aware that juicing up your electronic device at free USB port charging stations, such as those found near airport gates, in hotels and other travel-friendly locations, could have unfortunate consequences.

Zack and several other people I respect say that Juice Jacking is a real threat, but is that even true?

If I can infect your device by tricking you into connecting it to my boobytrapped power cord, it seems to me I have a very valuable 0day that Apple and Android device makers would want to patch right away. How is it that this threat has existed for so many years with no patch?

I remain skeptical that juice jacking is a threat at all. What evidence is there that shows otherwise?

cc: @zackwhittaker

@dangoodin @zackwhittaker there's a billion posts written by chatgpt that say you should be worried! 🤣
@dangoodin @zackwhittaker A account got 1,000 RTs with a claim it's real? 😂
@adamshostack @zackwhittaker What worries me more are the billions of posts written by journalists and various government agencies that say we should be worried.
@dangoodin @zackwhittaker That's an excellent thing to be worried about. I'm glad you're asking this question.
@adamshostack @zackwhittaker So, are you aware of a single researcher who has ever said it's possible to juice jack a phone?

@dangoodin @adamshostack @zackwhittaker

When it's connected as power only? No. That's generally safe. The issue arises when the power outlet, or charging tower, or whatever-device-have-you has an inherent risk: You don't know what the data lines are connected to.

It's implanted chips, devices, and other things that may be connected to the data line to be concerned about.

@dangoodin @adamshostack @zackwhittaker

That said, I also acknowledge that it's theoretical, and unless you work for an organization or agency who has directed you not to use public charging kiosks, then the risk is small, but relevant to understand.

@j4yc33 @adamshostack @zackwhittaker What is the basis for you saying it's possible to infect a phone when it's plugged into a Lightning or USB cord? Is there even a single example of this happening in the wild? Is there a single PoC that shows this is possible? I've been looking, and I can find none.

@dangoodin @adamshostack @zackwhittaker

In the wild? No, but I conceded that the attack is theoretical. There have been several PoCs around (Defcon has one every year, several grad students have performed PoCs as research), and a framework (P2P-ADB) developed to make the attack fairly trivial.

It's a risk/reward situation. There isn't a lot of reward for using one of these attacks unless you have a fairly high certainty of your target utilizing the specific port you have set up.

@j4yc33 @dangoodin @adamshostack @zackwhittaker I vaguely remember a proof of concept at DefCon back ~2014. So, this concept has been around for a minute.

@dangoodin @j4yc33 @adamshostack @zackwhittaker didn’t the GreyShift tool used by law enforcement from a few years ago work via USB? Pretty sure that’s why Apple added USB restricted mode.

There are also “usb killer” devices designed to fry the port which are… I guess a sort of DoS attack 😋.

The odds of anything like that happening in a public space are probably basically 0, but that doesn’t mean they’re impossible. I stick to my own chargers when feasible.

@dbanty @dangoodin @adamshostack @zackwhittaker

It's a small risk that's trivial to mitigate.

@j4yc33 @dbanty @dangoodin @adamshostack @zackwhittaker this is exactly right. I fell into the habit of bringing a battery when traveling before they were all over the place anyway, so avoiding them isn’t an issue, and while the likelihood of compromise is exceptionally small the potential damage is not.

@dangoodin @zackwhittaker A phone shipped in the 2020s by a major vendor? No.

I don't pay tremendously close attention to this one, but I think that would be a surprising failure.

I know that I can't convince my apple phone to remember that I've told it to trust my apple computer and not demand i enter my passcode every time I plug it in, even if it's unlocked when I do so.

@adamshostack

> and not demand i enter my passcode every time I plug it in

that's because they hacked you already and are stealing your password
😇

@dangoodin @zackwhittaker I have never heard of a single example of this happening, ever. To interact with iOS or Android requires user approval, or as you point out, a zero-day. An Android would theoretically need to be in developer mode and the user would need to authorize the ADB connection, similar on iOS. This is pure FUD. Who burns a zero-day on a power outlet in a Starbucks?
@chetwisniewski @dangoodin @zackwhittaker I assume the FBI are mostly worried about unpatched/abandoned older phones. So not zero days.
@chetwisniewski @dangoodin @zackwhittaker I'm not aware of a practical example but on Android there are some devices that don't need explicit approval before they can work, like USB keyboards/mice. Though last time I tried one it did notify the user one was connected. But that would mean whatever connected would have to send just the right keystrokes/clicks to perform some task, and good luck making sure it's right for all the different variants of the OS.

@jimp @chetwisniewski @dangoodin @zackwhittaker

This would also require the device to be unlocked, and for the user to not touch it while it’s going off and downloading malware, and probably provide their pin or a biometric authorization at least once to accomplish anything real.

@mgaruccio @chetwisniewski @dangoodin @zackwhittaker It's not unheard of for someone to plug in the phone and unlock it and use it while it's charging but at least in the case of a virtual mouse/kb it would be very obvious it's doing something bad since they'd almost have to be watching it happen.

@jimp @mgaruccio @dangoodin @zackwhittaker While it can be interesting to explore the possibilities, the truth is this is simply not happening. It makes no sense, achieves no goals and isn't worth doing outside of extremely specific circumstances.

The media stories on this are bereft of life. They're a stiff. They've kicked the bucket and have run down the curtain and joined the bleedin' choir invisible! This is an ex-story.

@jimp @chetwisniewski @dangoodin @zackwhittaker

Exactly, if they’re unlocking it they’re almost certainly also looking at it, and are likely to unplug it and/or lock it if it suddenly starts doing a bunch of things by itself

@jimp @chetwisniewski @dangoodin @zackwhittaker

Oh and btw we’re supposed to worry about this in airports? The most heavily surveilled locations on earth where everyone entering them needs to show ID tied to an identity trail? Some hacker is just going to walk in, disassemble some furniture, install their 0-day, and walk away and no1 is going to notice that?

@mgaruccio @jimp @chetwisniewski @dangoodin @zackwhittaker

Yes.

Airports are 90% security theater and 10% luck.

You don't need ID to walk into an airport, only past certain points.

@NosirrahSec @jimp @chetwisniewski @dangoodin @zackwhittaker

Large parts of the TSA process are theater, but, you aren’t getting past the security checkpoint without showing ID that matches a boarding pass, and any kind of suspicious activity like taking apart a charge station will attract attention from the army of airport personnel wandering around.

And, assume they manage it, they're still on video criming, and have, at best, burned a fake identity and a 0 day, for a non-targeted attack.

@mgaruccio @NosirrahSec @jimp @chetwisniewski @dangoodin @zackwhittaker
Wear some sort of official looking shirt and have a tool kit. Nobody is even going to look twice.

@ariaflame @NosirrahSec @jimp @chetwisniewski @dangoodin @zackwhittaker

You’re going to bring a tool kit through tsa screening?

And in most places an official looking shirt will allow you to avoid scrutiny, but that’s going to raise red flags on your way in and you're going to have someone paying attention.

But let’s assume someone pulls it off, eventually it gets discovered, and they’re now on video committing a ton of felonies, and have spent 6 figures+ and have accomplished what?

@mgaruccio @NosirrahSec @jimp @chetwisniewski @dangoodin @zackwhittaker
*shrug* Just noting that social engineering is effective in a lot of situations. But you may be right. I still tend to use them, if at all, to charge the battery bank.
@ariaflame @mgaruccio @NosirrahSec @jimp @dangoodin @zackwhittaker This isn't really about getting into an airport or avoiding video surveillance, this is about the fact that it doesn't work without extraordinary access/measures and is never proven to have ever happened.

@dangoodin
I just caught this link earlier-
https://www.theverge.com/23321517/omg-elite-cable-hacker-tool-review-defcon

Though obviously that is intended to be a snoop on the data, it sure does seem like you could just run it as a real computer (or connect to it in various ways), so the question to ask is 'if you plug your phone into a random computer, can it be compromised'.

That feels like an extremely hard question to answer 'no' to without some serious qualifiers.

The O․MG Elite cable is a scarily stealthy hacker tool

The new O.MG Elite cable, released at Def Con 30, is a hacking tool that can function as a keylogger, perform keystroke injection attacks with DuckyScript, and exfiltrate data to a remote server using a built-in Wi-Fi access point.

The Verge
@Oggie @zackwhittaker Thanks for sending this article. It says "if used to connect a keyboard to a host computer, the cable can record every keystroke that passes through it." But that's not what people do when they're charging their phone. Can you envision a realistic scenario where the O.M.G. cable would succeed in infecting or stealing data from someone merely by plugging their iPhone or Android device to it?

@dangoodin I was absolutely not attempting to provide a 'clearly this will break everything' thought, and in theory a random connection to a computer, even with the express purpose of compromising a phone that you plug into it would be something you can guard against.

However, I know that there have been compromises based on plugging in USB drives in computers, so I am very leery to say that is extremely safe. The USB rubber ducky attack might be modifiable.

@dangoodin @zackwhittaker you dont even need an actual exploit. just adb. its command execution by design. the solution is to make sure your phone doesnt have debug enabled. or to use one of those 'power only usb condoms'. ive never heard of an in-the-wild recharging station actually doing attacks. androids get a popup when debugging happens and you have to approve the debugger on the other end of the cable. one wrong attack and the victim in the crowded airport makes a fuss
@dangoodin @zackwhittaker then 2 minutes later theres a crowd and maybe a headline and the thing gets unplugged and airport security gets involved.

@Viss @dangoodin @zackwhittaker As a hypothetical for Android devices, would it be possible to spoof keyboard/mouse interactions with something like the OMG cable?

I know it's possible to connect these peripherals without prior prompt, but to then have them click the confirm for you.

Still relies on developer mode + debugging to be enabled in the settings or the amount of mouse/keyboard movements required would probably alert the user

@eccles @dangoodin @zackwhittaker that cable is basically just a hak5 bash bunny in a different wrapper. all it does is emulate keystrokes. You can go further to just outright disable external keyboards and storage devices: https://stackoverflow.com/questions/49840331/pragmatically-way-to-disable-all-usb-ports-on-android-so-that-it-does-not-recog
pragmatically way to disable all USB ports on android, so that it does not recognize any removable storage or any other device

I need a pragmatically way to disable all USB ports on android for a MDM application, so that it does not recognize any removable storage or any other device (USB mouse, USB keyboard etc). my

Stack Overflow
@Viss @eccles @zackwhittaker I'm not fully up to speed on the hak5 bash bunny. If I plug this OMG cable into my iPhone or Pixel, can it do ANYTHING other than charge without me first granting permissions?
@dangoodin @eccles @zackwhittaker these devices identify themselves as keyboards, and spit out a preprogrammed set of keystrokes. the phone would think it was a usb keyboard. no special drivers or permissions needed. also trivial to protect against.
@Viss @eccles @zackwhittaker How would one protect against this?
@dangoodin @eccles @zackwhittaker you can disable hardware keyboards, disable usb power, disable debugging.
@Viss @eccles @zackwhittaker So the settings are opt out and not opt in?
@dangoodin @eccles @zackwhittaker yeah, theyre easy to change but you gotta actually do it. i think debug mode doesnt come on by default
@Viss @eccles @zackwhittaker it’s still not clear to me if this attack will work against an android device by default and users must make changes to prevent it, or if it’s the other way around.

@dangoodin @Viss @eccles @zackwhittaker I’ve seen a few people say that specific versions of android disable external keyboards by default. The majority seem to have external keyboards enabled by default.

The above mention of BashBunny isn’t quite right. Ducky is probably a closer comparison.
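
A fleet-side check for the settings discussed in the replies above, as an added example that is not part of the thread or any participant's code: it parses `settings list global` dumps (the `key=value` lines Android's `settings` shell command prints) and flags devices where `adb_enabled` or `development_settings_enabled` is on, treating a missing value as unknown rather than safe. The device names and dumps are constructed.

```python
# Added example: audit collected Android "settings list global" dumps
# for the USB debugging exposure discussed in the thread.

# Settings.Global keys that gate ADB command execution over USB.
RISKY_KEYS = {
    "adb_enabled": "USB debugging (ADB) is on",
    "development_settings_enabled": "Developer options are on",
}

def parse_settings(dump):
    """Turn 'key=value' lines into a dict, skipping malformed lines."""
    settings = {}
    for line in dump.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key:
            settings[key] = value
    return settings

def audit(dump):
    """Return (key, status) findings; an empty list means nothing flagged."""
    settings = parse_settings(dump)
    findings = []
    for key in RISKY_KEYS:
        value = settings.get(key)
        if value is None or value == "null":
            # Absent from the dump: report as unknown, never assume safe.
            findings.append((key, "unknown"))
        elif value != "0":
            findings.append((key, "exposed"))
    return findings

# Constructed sample dumps, not captured from real devices.
SAMPLE_DUMPS = {
    "pixel-default": "airplane_mode_on=0\nadb_enabled=0\n"
                     "development_settings_enabled=0\n",
    "dev-handset": "adb_enabled=1\ndevelopment_settings_enabled=1\n"
                   "stay_on_while_plugged_in=0\n",
    "partial-dump": "airplane_mode_on=0\ndevelopment_settings_enabled=null\n",
}

def audit_fleet(dumps):
    return {name: audit(dump) for name, dump in dumps.items()}

if __name__ == "__main__":
    for name, findings in audit_fleet(SAMPLE_DUMPS).items():
        if not findings:
            print(f"{name}: ok")
        for key, status in findings:
            print(f"{name}: {key} -> {status} ({RISKY_KEYS[key]})")
```

This covers only the ADB path; the USB keyboard behaviour raised in the thread is not visible in these two settings.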

@dangoodin @zackwhittaker

@kimberlyadams you talked about this on make me smart

@mattcrwi @dangoodin @zackwhittaker @kimberlyadams I didn't know Kimberly had made it to the Fediverse...
@mikey @dangoodin @zackwhittaker @kimberlyadams
She mostly just cross posts from twitter but I've seen her on here boosting some things recently.
@mattcrwi @dangoodin @zackwhittaker @kimberlyadams Kai does the same thing, but it's a start.
@mikey @mattcrwi @dangoodin @zackwhittaker I've not really been posting much on Twitter beyond links to stories these days anyhow. I probably split my time evenly at this point. I still can't fully recreate some of my curated communities on here.
@kimberlyadams @mattcrwi @dangoodin @zackwhittaker It can take a while here to build back up. Everyone is very spread out. But it's not a bad place to set up shop.
I'd be happy to try to help you find your groups if it would help.
@dangoodin @zackwhittaker
I think I’d still pass on the NSA charging station at ShmooCon though…
https://gizmodo.com/nsa-puts-phone-charging-station-at-hacker-conference-in-1831875574
NSA Puts Phone Charging Station at Hacker Conference in Plot to Go Viral

We’ve all had that moment. Your smartphone battery is running low, and you’re desperate for some juice. But just how desperate have you gotten? Desperate enough to plug your phone into an NSA charging station? Because some people are seriously facing that choice right now.

Gizmodo
@dangoodin @zackwhittaker I did wet myself a little because I charged my iphone with the current O/S at the Final Final using their public charger.