FBI warns of ‘juice jacking’ at public USB charging stations
The FBI office in Denver is warning consumers against using free public charging stations, cautioning that bad actors can use the USB ports at these juice stops to inject malware and surveillance software into devices.
“Bring your own charger and USB cable and use an electrical outlet instead,” the agency advised in a recent tweet.
Juice jacking has been around for a decade, though no one knows how widespread the practice is.
“There’s been a lot of talk about him being in the public eye, but not in the public eye,” said Brian Marcus, CEO of Aries Security, a Wilmington-based security research and education company. Marcus and his colleague Robert Rowley first demonstrated juice jacking in 2012.
“Juice chargers are like ATM skimmers,” Marcus told TechNewsWorld. “We hear a lot about them, but we don’t necessarily see them.”
Do not use free charging stations at airports, hotels or shopping malls. Malicious actors have found ways to use public USB ports to inject malware and surveillance software into devices. Bring your own charger and USB cable and use an electrical outlet instead. pic.twitter.com/9T62SYen9T
— FBI Denver (@FBIDenver) April 6, 2023
He explained that someone who wanted to hack a legitimate electric charging station could replace the station’s cable with a tampered cable containing a chip that could install a remote access trojan or backdoor on the phone. The phone can then be attacked at any time over the Internet.
“This is especially common on Android phones running older versions of the operating system,” Marcus said. “That’s why it’s important for users to keep their devices updated.”
There seem to be conflicting opinions in the security community about the importance of the risk to consumers.
“In general, it’s not very common because using a remote charger is not something people do very often,” said Bud Broomhead, CEO of Viakoo, a developer of cyber security and physical security software solutions in Mountain View, CA.
“However, if someone is using the charging system beyond their control, the warning issued by the FBI should force them to change their behavior, as the number of cases is increasing,” he told TechNewsWorld.
Aviram Jenik, president of Apona Security, a Roseville, Calif.-based source code security firm, believes that juicing is “very common.”
“We don’t have the numbers because the devices are usually in places where people don’t stay for long periods of time, so it’s easy to plant a malicious device and then retrieve it,” he told TechNewsWorld.
“This has been happening for several years now and the appearance of charging stations infected with malware is almost constant,” he added.
“As charging gets more and more advanced — meaning data is transferred over the same wires that transfer the charge — it gets worse,” he said. “When the target value is high—for example, an electric car compared to a cell phone—the stakes are high.”
Jenik said another future development would be wireless charging, which would allow attackers to strike without anyone seeing the physical device being hacked.
A two-way communication problem
Juice jacking is more likely to occur in areas frequented by persons of interest, such as politicians or intelligence agency officials, said Andrew Barratt, general manager of solutions and investigations at Coalfire, a Westminster, Colorado-based cybersecurity consulting services provider.
“For a juicing attack to be effective, it must deliver a very sophisticated payload capable of bypassing the phone’s security measures,” he told TechNewsWorld.
“Honestly,” he continued, “I’d be more concerned if the outlets were used so much that they damaged my wiring or phone jack.”
Juice jacking uses USB technology for malicious purposes. “The problem is that USB ports allow two-way communication, not only for power charging, but also for data transfer. That’s how a USB device can transmit images and other data when it’s plugged in,” explained Roger Grimes, security evangelist at KnowBe4, a Clearwater, Fla.-based security awareness training provider.
“The USB port was never designed to prevent extended malicious commands from being sent over the data channel,” he told TechNewsWorld. “Much of USB port security has improved over the years, but there are still other avenues of attack, and most USB-enabled devices allow the charging port to declare itself as an older version of the USB port standard, so some of the newer security features are no longer available.”
Will electric cars be next?
JT Keating, senior vice president of strategic initiatives at Dallas-based mobile security solutions provider Zimperium, warned consumers to be wary of free solutions masquerading as “public” services.
“When hackers trick people into using fake Wi-Fi networks and fake power stations, they can compromise devices, install malware and spyware, and steal data,” he told TechNewsWorld.
“This trend will continue and grow as more people connect to charging stations for their electric vehicles,” he continued. “By compromising an EV charging station, attackers can compromise by stealing payment information or creating a ransomware variant that disables the stations and prevents them from charging.”
Coalfire’s Barratt noted that electric vehicle charging stations have been a concern for some time, but the issues are theft of payments or free use of the stations.
“In the long term,” he said, “I think the concern is that as the world moves to EV chargers, we’re going to continue to see more attacks on these chargers.”
“When we had payphones, they were attacked,” he continued. “ATMs and gas pumps are regularly attacked. Anything of value that is desperately needed in an uncontrolled environment has the potential to be profitable for cyberthieves to exploit.”
Avoid becoming a victim of juice jacking
Ever since Marcus and Rowley introduced the world to juice jacking, things have gotten better for attackers. For example, wireless connectivity has been added to the charging ports.
“When we first did this, we had a full laptop on the charging station and it did a lot of work,” Marcus said. “Currently, the amount of computing power to do exactly that is very small.”
The FBI isn’t the only alphabet agency sounding the alarm about juice jacking. The FCC has previously warned consumers about the practice. To avoid falling prey to juice jackers, it recommends the following:
- Do not use a USB charging station. Use an AC outlet instead.
- Bring your own AC charger, car charger, and USB cables when traveling.
- Bring a portable charger or power bank.
- Consider carrying a charging-only cable, from a trusted provider, that prevents data from being sent or received while charging.