Sophos Cloud Optix
I’m sure you’ve heard of hijacking. These days, it usually refers to the takeover by force of an aircraft in flight.
(The word hijack is more interesting than you might think. No-one seems to know its origin. It first appears in the USA in the early 1920s, years before the first aeroplane hijack. Some say it’s from Prohibition days – to ‘jack’, or rob, someone’s car on the highway. But others insist that ‘jack’ in this sense is formed from the word hijack. If you thought computer security was tricky, try being an etymologist or a philologist.)
As close criminal relations, you’ll also have heard of carjacking, shipjacking and truckjacking. You’ll probably also have heard of analogous computer-related mischief, such as sidejacking, sheepjacking, pagejacking and clickjacking.
Well, now there’s a new one. Juicejacking.
When you stop to think about it, juicejacking is an obvious, surprisingly easy, and potentially very lucrative way to plunder shedsful of personal and corporate data.
But almost no-one did stop to think about it before security trio Brian Markus, Joseph Mlodzianowski and Robert Rowley. They thought about it, and decided on a practical and public demonstration to raise awareness at this year’s DEFCON conference in Las Vegas.
You’ve almost certainly seen potential juicejacking systems: those ‘charge your mobile phone here’ kiosks that can be found in shopping centres, airports, hotel lobbies and more. You find the charging adaptor which fits your phone, perhaps pay a small fee, plug in your device and lock it to the kiosk. By the time your flight has been called, or your room is ready, or you’ve finished your shopping, your phone is recharged and ready to use. Phew! That’s your Twitter separation anxiety under control!
But what if – and this is an enormous if – your mobile phone adaptor is a combination power-and-data connection? These days, it almost certainly is, especially if your device uses a regular USB connector.
Depending on your phone’s configuration, you could be paying for your power recharge by yielding up some, most or all of the data on your device.
I’ve not heard of this attack being used in the wild. But if entire fake Apple and even IKEA stores can spring up in China, it’s not hard to imagine that fake, or at least booby-trapped, charging stations might appear anywhere in the world.
Plugging your phone into an untrusted USB cable is, indeed, a security risk. Likewise, letting someone else plug their phone into one of your USB ports is a security risk.
Fortunately, it’s easy to avoid the risk in both directions:
* When charging your phone from an unknown USB port, or charging an unknown phone from your own USB port, use a power-only USB cable. USB plugs have four or five connecting wires. The outermost two are for power; if your cable has two or three of the inner two or three middle wires missing, it can’t carry data, only power.
(Note. Modern devices generally charge more slowly on a power-only connection. This is for electrical safety. Ironically, to enable full-power charging, an exchange of USB data between the device and the charging host is required in order to negotiate the charging current up from the minimum 100mA.)
* Always carry and use the charging adaptor which came with your device. In most airports, you’ll find power outlets dotted around all over the place – the cleaning staff need them. Modern adaptors are so small that they’re easy to keep permanently in your carry-on luggage.
(Hint. Look for beardy blokes sitting in the lotus position and tapping away on power-hungry 17″ Macbooks. They’ll be slightly away from the departure gates, halfway along a corridor, or right next to a vending machine. They’ve already found the power.)
* If you can, configure your device always to require a password before enabling the data-transfer features of the charging port. This is good general practice, as it stops you synching unless you really mean to.
* In a hotel, try the concierge. Laptop and phone adaptors are amongst the most commonly-lost items by travellers. Hotels often keep a stash of these so they can help the next guy.
(Warning. If you’re really serious about security, you won’t even trust an unknown adaptor. But it’s a lot safer than trusting an unknown cable hanging out of an unknown cabinet in a public place.)
* In a real emergency, buy a battery-powered recharger. They’re pocket-sized, so you don’t get much juice out of them, but you should get enough to phone around to find a shop where you can buy a replacement wall adaptor.
Happy travelling.
–
Notes on changes in this article. I added, then removed, a suggestion to power your phone off completely before charging it as a way of entering power-but-no-data mode. A comment below from @Paul suggests that even with your phone off, some devices may use USB bus power to give access to your memory cards. Also, the sheer difficulty of describing generically how to perform a genuine fullpower-down (short of removing the battery, which means you can’t charge it anyway) made me decide that this advice was neither safe nor practicable.
Probably no one thought of doing this with kiosks until this article was published. Good job.
Not sure if you mean to be complimentary (I've helped the Good Guys avoid potential trouble) or ironic (I've given the Bad Guys an idea they'd never have thought of otherwise).
Whichever is the case, I sadly can't take credit because I wrote this about someone else's research, thinking and work (Brian Markus, Joseph Mlodzianowski and Robert Rowley at the recent DEFCON 2011 event in Las Vegas).
Because internet kiosks and cafes are already a happy hunting ground for cybercrooks, I doubt that Markus et al. were the very first to think of it. But they were the first to devise a practical and media-savvy way of raising awareness of the possible risks. And that definitely counts as a "good job" IMO.
Please don’t risk your data security by way of cool dismissive naiviety – it may not yet be commonplace but then how commonplace would you prefer it to be before someone blows the whistle? …right after you’ve lost company data ?! Good job Sophos, keep it up for those of us with sensible concerns for our data safety.
Well, thanks to Apple's insistance that they have a non-standard (actually, I guess it has become a standard since so many modern accessories, upto and including motor vehicles, support it) dock to USB adapter for all their devices, you have no easy access to option 1 (power only USB cable).
Carry a charger and leech free power from the airport corporation is my answer.
S
You're not a beardy bloke with one of those max-power Macbooks, are you π
Apple's cable is only non-standard on the device end; the other end is standard USB. If you look inside, you'll see 4 metal contact strips — just get a cheap cable (you can get knockoffs that wind on a spool for compact storage for $3 or so) and either tape over or snip off the middle contacts. Voila… you've got yourself a power-only cable.
Modifying an Apple USB cable to remove the data lines will probably prevent the device from even charging at all, instead giving you the orange "Charging not supported" warning.
Why not just turn the phone off and charge it while off? The phone still charges, not sure if it will negotiate the higher amperage though since no data exchange occurs. It seems my phone charges at the same rate regardless of turned on or not.
Another thing you can use in an absolute emergency (as long as you have juice left that is) is your laptop. You can use your USB port on the laptop to supply power to the phone so you can at least use it to communicate.
Er, why not indeed π
I ought to have put that in my list, so I will do so now.
(One reason 'power-down' is unpopular is that some devices take several minutes to cold boot – my BlackBerry, for instance. So a quick charge with the radio off to save power is easier if you want to grab your phone back from the kiosk and be able to use it immediately. Security vs. Convernience again.)
(Replying to self.) Changed my mind again – see @Paul's comment below. Reaching "full power off status with battery still plugged in" seems such a variable target that I'm removing this advice and updating the article again.
Awesome, now I know never to trust anything anywhere.
The wifi at the hotel? Tracked!
The power adapters? Rigged to make your phone explode!
The beds? Embedded with accelerometers!
The taxi driver? Probably works for Google to mail to targeted ads?
The hotel? Keeps your credit card number, forever!
Totally off the point of the article, but you forgot skyjacking on your list.
Technically, I didn't _forget_ skyjacking – I've just never heard the word before.
Is that the hijacking of a spacecraft?
I've heard it used to refer to both aeroplane hijacking and satellite communications hijacking.
Lol, unluckily juice defender (battery saver on android system) cannot save the day π Though kiosks are uncommon here, thanks for really useful information.
Scarily obvious when you think about this, have only used one of these once before but will now certainly think twice before using again if I can help it and definitely power off beforehand. 2 minutes inconvenience of powering up is nothing compared to hours (or longer) of frustration from data loss or theft.
One thing that did confuse me though was "* When charging your phone from an unknown USB port, or charging an unknown phone from your own USB port, use a power-only USB cable. USB plugs have four or five connecting wires. The outermost two are for power; if your cable has two or three of the inner two or three middle wires missing, it can't carry data, only power."
Never seen a usb cable that resembles what you describe here, is that because we're different in the UK or something? If not a photo of what you mean would be tops!
Cheers
Would like to point out that I have 2 phones that when powered off and plugged into a Windows PC charge normally without data transfer.
However when I plug those same phones into my PC running Ubuntu I can access not only the SD card and the memory on the phone but the small part that it uses to run (Similar to Windows system32 folder). Although there is not a lot in this small piece of system ram I do have the feeling that it could be altered to make the phone unusable.
Yikes. I've been checking this power-off thing with my BlackBerry and it's so hard to describe how to do a _full_ power off (short of removing the battery, which means you can't charge it) that I'm now going to remove the power-off advice I decided to add above, and update the article again!
If you switch off an iPhone then plug it into power it switches back on…
However the only data you can access, without forcing it into DFU mode (which can be done using the cable since it's how iTunes upgrades iOS) is the part of the phone where the camera images are stored.
How about dumb phones?
When I plug my SE K800i to the PC it asks me if I want to switch to file transfer mode or phone mode. But by default, it opts to phone mode and you would need the SE suite to transfer file.
I tend to use a portable phone changer by Powemonkey. Also, I have a phone charger (socket) in my back pack. However, be careful as some establishments CHARGE you for using their power. In my library, there are signs on the power socket that they charge £0.50 per hour that you use their socket π
Reminds me of the short story "The Brave Little Toaster" by Thomas Michael Disch:
«Electricity is very dangerous. Never play with old batteries. Never put your plug in a strange socket! And if you are in any doubt about the voltage of the current where you are living, ask a major appliance.»
Haha the lotus position – never heard it called that before but it's so true. I did it last year at Gatwick :o)
Some PC connectors are even worse: Firewire protocol allows DMA, i.e. direct access to your computer's memory. Not only the disk.
Many phones need these full connected usb. They refuse charge if cannot use 500mA current what need all connected usb.
I'm tempting to break out a micro USB extension cable, cut it open, then cut the data wires now so I can take it travelling and charge off these kiosks without fear of my data being ransacked.
It should be added that Android doesn't automatically mount the file system when plugged into USB, however if someone REALLY wanted to get to your data, they could reboot your device (I'm assuming that they can get into these locked containers), put it into the bootloader, and I believe that it's possible to mount the file system from there, all without having to unlock the device – though I've only played with HTC Android devices. Other devices are likely to have their own bootloaders with their own capabilities and quirks. I wouldn't exactly call it a prevalent security risk, since it's unlikely they're going to keep track of every method of breaking into a phone's data for every phone.
Though it'd be pretty easy to make a database of the USB ID tags and pull the right guide up every time someone plugged in a device. Maybe I'm overthinking this a little though.
Potentially more dangerous for me where I've set Mass storage to get enabled as soon as a USB cable's connected.
Often the electrical outlets at airports are all occupied by bearded guys in lotus positions. It is a good idea to carry a small power strip, or similar device. That way you can share the plug with the bearded guys, rather then waiting for them to abandon it which they almost never do.
Been there! Do that!
One double-win way to safeguard your phone from dataleeching USB-Chargers: get a USB powerbank (battery to boost your phone off-net, which itself can usually be charged via USB too).
The power outlet charges powerbank (which does not have any data on it), which then charges the phone. Additionally you get more charges than just the one from the time on the cable as the power banks usually have 1-4x the phone’s capacity.