Remember those unwarranted warnings about juice jacking from public phone charging kiosks at airports and other venues? The misinfo isn't just repeated by the FCC and other government agencies. Security snake oil companies like Osomprivacy (osomprivacy.com) also do it. This email promoting the completely unnecessary "privacy cable" even cites an article I wrote 2 months ago explaining why juice jacking is BS. When I pointed out to him that he was spreading misinfo, he only doubled down. I will be staying as far away from Osomprivacy as possible.

https://arstechnica.com/information-technology/2023/05/fearmongering-over-public-charging-stations-needs-to-stop-heres-why/

Those scary warnings of juice jacking in airports and hotels? They’re mostly nonsense

Juice jacking attacks on mobile phones are nonexistent. So why are we so afraid?

Ars Technica

@dangoodin What frustrates me more is that there's a real threat through USB, but not through friggin' public ports >.< This is such a complex setup, you can get the same result much more easily:

Give away/drop/replace malicious USB cables. People will use these to actually indeed connect devices for data transfer (thus allow the connection) and you can MITM a lot of shit through that. It's still maybe a bit paranoid but *much* more realistic than anyone setting up malicious charging ports and going through the trouble of making them look official.

@ljrk If you read my Ars post (linked in my earlier toot) you'll see that there is currently no known way to use malicious cables to MiTM a device without requiring the user to take a bunch of unusual actions. I don't see much evidence of much of a threat here.

@dangoodin This one?
https://arstechnica.com/information-technology/2023/05/fearmongering-over-public-charging-stations-needs-to-stop-heres-why/

I don't see anything there on that, except those two paragraphs which aren't really related:

> _“[…] In some cases, criminals may have intentionally left cables plugged in at charging stations. There have even been reports of infected cables being given away as promotional gifts.”_

and:

> _Left out of the advisories is that modern iPhones and Android devices require users to click through an explicit warning before they can exchange files with a device connected by **standard cables**._

(bold: mine). That's exactly not the scenario I and the original source above described. I even said that those cables would require user action, but I wouldn't say "data transfer" is unusual if that's *exactly what the user wants to do*.

Idk, we do attack devices at customers that way, and quite successfully so. But yes, I do not know how frequently this happens IRL, only how "realistic" or easy it is. Building a fake power dock? That's... determination. But handing out MITM cables? That's just like Bad USB attacks, surprisingly easy to pull off.
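As an added illustration of the "Bad USB" side of the cable threat raised in the post above (this is not code from either participant), here is a small defender-side check: it scans dmesg-style USB enumeration lines and flags a device that enumerates as both mass storage and a keyboard, or more keyboards than the host should have. The log lines, vendor/product IDs, product strings and the port-path mapping between the `usb` and `hid-generic` messages are constructed assumptions for the example; a real host with several controllers or hubs needs a more careful mapping.

```python
import re
from collections import defaultdict

# Constructed dmesg-style lines (not captured from a real host). The format
# mimics Linux USB enumeration and driver-binding messages; vendor/product IDs
# and product strings are made up for this example.
SAMPLE_DMESG = """\
usb 1-1: new full-speed USB device number 2 using xhci_hcd
usb 1-1: New USB device found, idVendor=1111, idProduct=0001, bcdDevice= 1.00
usb 1-1: Product: Desk Keyboard
hid-generic 0003:1111:0001.0001: input,hidraw0: USB HID v1.10 Keyboard [Desk Keyboard] on usb-0000:00:14.0-1/input0
usb 1-3: new high-speed USB device number 3 using xhci_hcd
usb 1-3: New USB device found, idVendor=2222, idProduct=abcd, bcdDevice= 1.00
usb 1-3: Product: Promo Drive
usb-storage 1-3:1.0: USB Mass Storage device detected
hid-generic 0003:2222:ABCD.0002: input,hidraw1: USB HID v1.11 Keyboard [Promo Drive] on usb-0000:00:14.0-3/input1
"""

USB_NEW = re.compile(r"^usb \d+-(?P<port>[\d.]+): New USB device found, "
                     r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
USB_PRODUCT = re.compile(r"^usb \d+-(?P<port>[\d.]+): Product: (?P<name>.+)$")
STORAGE = re.compile(r"^usb-storage \d+-(?P<port>[\d.]+):\d+\.\d+: USB Mass Storage device detected")
# The hid path ends in "-<port path>/inputN"; the same port path appears in the
# "usb <bus>-<port path>" lines (assumption: a single host controller).
HID = re.compile(r"^hid-generic \S+: \S+ USB HID v[\d.]+ (?P<kind>\w+) \[.*\] "
                 r"on usb-\S+?-(?P<port>[\d.]+)/input\d+$")


def parse_devices(log_text):
    """Group enumeration lines by USB port path into one record per device."""
    devices = defaultdict(lambda: {"vid": None, "pid": None, "name": None,
                                   "storage": False, "hid": []})
    for line in log_text.splitlines():
        if m := USB_NEW.match(line):
            devices[m["port"]].update(vid=m["vid"], pid=m["pid"])
        elif m := USB_PRODUCT.match(line):
            devices[m["port"]]["name"] = m["name"]
        elif m := STORAGE.match(line):
            devices[m["port"]]["storage"] = True
        elif m := HID.match(line):
            devices[m["port"]]["hid"].append(m["kind"])
    return dict(devices)


def find_suspicious(log_text, expected_keyboards=1):
    """Return findings for devices whose enumeration looks BadUSB-like.

    Rule 1: one device that is both mass storage and a HID keyboard (the
    classic "drive that types" composite).
    Rule 2: more keyboards present than the host is expected to have. This
    rule is noisy on docks and laptops with several HID devices, so treat a
    hit as a prompt to look, not as proof.
    """
    devices = parse_devices(log_text)
    findings = []
    for port, d in devices.items():
        if d["storage"] and "Keyboard" in d["hid"]:
            findings.append({"rule": "composite_storage_keyboard", "port": port,
                             "id": f"{d['vid']}:{d['pid']}", "name": d["name"]})
    keyboards = [p for p, d in devices.items() if "Keyboard" in d["hid"]]
    if len(keyboards) > expected_keyboards:
        findings.append({"rule": "extra_keyboard",
                         "port": ",".join(sorted(keyboards)),
                         "id": None, "name": None})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_DMESG):
        print(finding)
```

On the constructed sample the "Promo Drive" on port 3 trips the composite rule, and the host now has two keyboards, so the extra-keyboard rule fires as well; raising `expected_keyboards` to 2 silences only the second, noisier rule.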


@ljrk Apologies if I'm misunderstanding what you were saying. I'm just trying to point out that the use of malicious cables to infect mobile devices is extremely difficult. Specifically:

"There are some major limitations, however, that make the O.MG Cable and similar hacking tools unsuitable for the kind of opportunistic juice jacking the FCC and FBI warnings envision. First, the script must be tailored to the specific model of hardware being attacked. The script needed to hack a Samsung Galaxy phone will be different from the one needed to hack a Motorola. A script targeting an iPhone would be altogether different.

That means it’s infeasible, if not impossible, to create a malicious charging station that could hack more than a very small number of phones in use today. That still leaves open the possibility of a fake charging station that targets, say, only iPhone 14 or Pixel 7 models, but it significantly limits the reach of such attacks.

Another shortcoming is that the OTG adaptor turns the phone into a USB host, meaning the phone—which is already running low on battery power—must supply power to the cable rather than the other way around. This limitation undermines the whole subterfuge of a charging station and may also kill the remaining battery life before an attack has a chance to progress.

For iPhones, the O.MG cable is even more poorly suited to juice jacking. For one, iPhones require users to enter a password (or provide a facial scan) before an app will install. (The Pixel 7 I tested did not; some Android devices may.) That requirement significantly limits the effectiveness of the attack.

Additionally, the O.MG cable works only on Apple devices equipped with a USB-C connector. To hack an iOS device with a Lightning connector, a juice jacker would need an additional Lightning adapter that would be physically obvious to the person using the booby-trapped charger.

There are at least two other theoretically possible methods. One is targeting the debugging interface of the connected phone. There are several off-the-shelf products that allow hackers to interact with the debug interface on phones. For iPhones, there's the Tamarin "cable," but that has an easy-to-spot Raspberry Pi hanging off of it. Also problematic: Like the O.MG, these devices can't charge a phone when they're accessing the file system of the connected device.

The other possible method uses newer, more experimental types of hardware that allow charging even while turning the iPhone into a USB Host. This video demonstrates a prototype of such hardware.

Finally, besides there being no universal script that will work on hundreds or even dozens of different devices, the customized scripts are non-trivial to write. They require a high skill level and a huge amount of trial-and-error troubleshooting."

It may be easier to use something like an O.MG cable to infect a macOS or Windows device, though.

@dangoodin Don't worry, I think the primary difference is that we're talking infection of a device vs. MITM of two victim devices, e.g., a malicious cable between a victim's phone and laptop. They want to transfer data (thus clicking "allow" on various popups) and the attacker can sniff and/or inject commands.

It *is* much more difficult to actually infect the mobile device fully (e.g., installing a malicious app). The distinction between those two different attacking modes isn't that clear in this quote. At the same time I must say that reasons like

- you need different scripts per target
- high skill required

are bullshit reasons IMHO. First, I can simply detect which device is on the other side and select my script based on that. There are a lot of scripts online to source from, so I don't even need to write them myself. And yes, a certain skill level above "script kiddie" is required but there are enough of those people out there 0:-)

Further, things like "it's actually consuming energy" are reasons that don't really matter IMHO, the attack would ideally be quick and the mode changed afterwards. Users tend not to check their phone immediately to see whether it has actually charged continuously.

The other difference is not about the goal but about the method chosen...

@dangoodin While we established that the goal "MITM" is much more feasible than "infection", the method can also have an impact. The "traditional" juice jacking scenario I'd consider unlikely as well: Building such a power station is quite an elaborate investment with dubious payoff. Simply floating some cables *regardless* of an attacker controlled station is a different thing though. This plus doing a MITM attack is quite feasible.

If one was to carry out an attack through a malicious station though, the reason that there's a RasPi hanging down from the other side doesn't really float to me. That's... hidden.

So to me the matrix is:

- Goal: MITM vs. infection. The former is quite easy as there's no real vulnerability in the OS to exploit, the latter does require some actual software exploitation.
- Method: cable vs. station. Through a cable is rather effortless but has its limits, a custom "fake" station is high effort but possibly very high impact.