Dan GoodinApr 12, 2023

Sigh. Let's see if y'all can play along at home:

The FCC and the FBI's Denver field office are both warning people to beware of Juice Jacking attacks at airports and other public places. Both cite "cybersecurity experts."

https://www.fcc.gov/juice-jacking-dangers-public-usb-charging-stations

An FBI spox told me the Denver field office warning was reporting information from the FCC. An FCC spox said its information came from a 2019 NYT article, but that the agency has received consumer complaints of juice jacking.The NYT article cited a warning from the LA DA's office. The DA's post was taken down in December 2021, a couple weeks after @zackwhittaker reported DA officials had no cases and could point to no cases of it happening.

Even though the the LA DA's warning was depublished ~18 months ago and the FCC spox can't name a single cybersecurity expert issuing such warnings, there are no plans to correct the post and no mechanism for the public to challenge the warning.

'Juice Jacking': The Dangers of Public USB Charging Stations

If your battery is running low, be aware that juicing up your electronic device at free USB port charging stations, such as those found near airport gates, in hotels and other travel-friendly locations, could have unfortunate consequences.

Show threadDan GoodinApr 12, 2023

Zack and several other people I respect say that Juice Jacking is a real threat, but is that even true?

If I can infect your device by tricking you to connect it to my boobytrapped power cord, it seems to me I have a very valuable 0day that Apple and Android device makers would want to patch right away. How is it that this threat has existed for so many years with no patch?

I remain skeptical that juice jacking is a threat at all. What evidence is there that shows otherwise?

cc: @zackwhittaker

Show threadAdam Shostack  Apr 12, 2023
@dangoodin @zackwhittaker there's a billion posts written by chatgpt that say you should be worried! 🤣
Show threadDan GoodinApr 12, 2023
@adamshostack @zackwhittaker What worries me more are the billions of posts written by journalists and various government agencies that say we should be worried.
Show threadAdam Shostack  Apr 12, 2023
@dangoodin @zackwhittaker That's an excellent thing to be worried about. I'm glad you're asking this question.
Show threadDan GoodinApr 12, 2023
@adamshostack @zackwhittaker So, are you aware of a single researcher who has ever said it's possible to juice jack a phone?
Show threadJ4YC33 ❌Apr 12, 2023

@dangoodin @adamshostack @zackwhittaker

When it's connected as power only? No. That's generally safe. The issue arises when the power outlet, or charging tower, or whatever-device-have-you has an inherent risk: You don't know what the data lines are connected to.

It's implanted chips, devices, and other things that may be connected to the data line to be concerned about.

Show threadDan GoodinApr 12, 2023
@j4yc33 @adamshostack @zackwhittaker What is the basis for you saying it's possible to infect a phone when it's plugged into a Lightning or USB cord? Is there even a single example of this happening in the wild? Is there a single PoC that shows this is possible? I've been looking, and I can find none.
Show threadJames Guthrie 🏴󠁧󠁢󠁳󠁣󠁴󠁿Apr 13, 2023
@dangoodin @j4yc33 @adamshostack @zackwhittaker https://shop.hak5.org/collections/mischief-gadgets/products/omg-cable
O.MG Cable

Show threadJ4YC33 ❌
@jamesjguthrie @dangoodin @adamshostack @zackwhittaker I can't believe I forgot that.
Apr 13, 2023 at 8:22pmWeb