Mastodawn

Dan Goodin Apr 12, 2023

Sigh. Let's see if y'all can play along at home:

The FCC and the FBI's Denver field office are both warning people to beware of Juice Jacking attacks at airports and other public places. Both cite "cybersecurity experts."

https://www.fcc.gov/juice-jacking-dangers-public-usb-charging-stations

An FBI spox told me the Denver field office warning was reporting information from the FCC. An FCC spox said its information came from a 2019 NYT article, but that the agency has received consumer complaints of juice jacking.The NYT article cited a warning from the LA DA's office. The DA's post was taken down in December 2021, a couple weeks after @zackwhittaker reported DA officials had no cases and could point to no cases of it happening.

Even though the the LA DA's warning was depublished ~18 months ago and the FCC spox can't name a single cybersecurity expert issuing such warnings, there are no plans to correct the post and no mechanism for the public to challenge the warning.

'Juice Jacking': The Dangers of Public USB Charging Stations

If your battery is running low, be aware that juicing up your electronic device at free USB port charging stations, such as those found near airport gates, in hotels and other travel-friendly locations, could have unfortunate consequences.

Show thread

Dan Goodin Apr 12, 2023

Zack and several other people I respect say that Juice Jacking is a real threat, but is that even true?

If I can infect your device by tricking you to connect it to my boobytrapped power cord, it seems to me I have a very valuable 0day that Apple and Android device makers would want to patch right away. How is it that this threat has existed for so many years with no patch?

I remain skeptical that juice jacking is a threat at all. What evidence is there that shows otherwise?

cc: @zackwhittaker

Show thread

Chester Wisniewski 🇨🇦Apr 12, 2023

@dangoodin @zackwhittaker I have never heard of a single example of this happening, ever. To interact with IOS or Android requires user approval, or as you point out, a zero-day. An Android would theoretically need to be in developer mode and the user would need to authorize the ADB connection, similar on IOS. This is pure FUD. Who burns a zero-day on a power outlet in a Starbucks?

Show thread

Jim P.Apr 13, 2023

@chetwisniewski @dangoodin @zackwhittaker I'm not aware of a practical example but on Android there are some devices that don't need explicit approval before they can work, like USB keyboards/mice. Though last time I tried one it did notify the user one was connected. But that would mean whatever connected would have to send just the right keystrokes/clicks to perform some task, and good luck making sure it's right for all the different variants of the OS.

Show thread

Mike Garuccio Apr 13, 2023

@jimp @chetwisniewski @dangoodin @zackwhittaker

This would also require the device to be unlocked, and for the user to not touch it while it’s going off and downloading malware, and probably provide their pin or a biometric authorization at least once to accomplish anything real.

Show thread

Mike Garuccio Apr 13, 2023

@jimp @chetwisniewski @dangoodin @zackwhittaker

Oh and btw we’re supposed to worry about this in airports? The most heavily surveilled locations on earth where everyone entering them needs to show ID tied to an identity trail? Some hacker is just going to walk in, disassemble some furniture, install their 0-day, and walk away and no1 is going to notice that?

Show thread

NosirrahSec 🏴‍☠️ guillotine enthusiast Apr 13, 2023

@mgaruccio @jimp @chetwisniewski @dangoodin @zackwhittaker

Yes.

Airports are 90% security theater and 10% luck.

You don't need ID to walk into an airport, only past certain points.

Show thread

Mike Garuccio Apr 14, 2023

@NosirrahSec @jimp @chetwisniewski @dangoodin @zackwhittaker

Large parts of the TSA process are theater, but, you aren’t getting past the security checkpoint without showing ID that matches a boarding pass, and any kind of suspicious activity like taking apart a charge station will attract attention from the army of airport personnel wandering around.

And, assume they manage it, theyre still on video criming, and have, at best, burned a fake identity and a 0 day, for a non-targeted attack.

Show thread

Ariaflame

@mgaruccio @NosirrahSec @jimp @chetwisniewski @dangoodin @zackwhittaker
Wear some sort of official looking shirt and have a tool kit. Nobody is even going to look twice.

Show thread

Mike Garuccio Apr 14, 2023

@ariaflame @NosirrahSec @jimp @chetwisniewski @dangoodin @zackwhittaker

You’re going to bring a tool kit through tsa screening?

And in most places an official looking shirt will allow you avoid scrutiny, but that’s going to raise red flags on your way in and your going to have someone paying attention.

But let’s assume someone pulls it off, eventually it gets discovered, and they’re now on video committing a ton of felonies, and have spent 6 figures+ and have accomplished what?

Show thread

Ariaflame Apr 14, 2023

@mgaruccio @NosirrahSec @jimp @chetwisniewski @dangoodin @zackwhittaker
*shrug* Just noting that social engineering is effective in a lot of situations. But you may be right. I still tend to use them, if at all, to charge the battery bank.

Show thread

Chester Wisniewski 🇨🇦Apr 14, 2023

@ariaflame @mgaruccio @NosirrahSec @jimp @dangoodin @zackwhittaker This isn't really about getting into an airport or avoiding video surveillance, this is about the fact that it doesn't work without extraordinary access/measures and is never proven to have ever happened.