I’m sure you’ve heard of hijacking. These days, it usually refers to the takeover by force of an aircraft in flight.
(The word hijack is more interesting than you might think. No-one seems to know its origin. It first appears in the USA in the early 1920s, years before the first aeroplane hijack. Some say it’s from Prohibition days – to ‘jack’, or rob, someone’s car on the highway. But others insist that ‘jack’ in this sense is formed from the word hijack. If you thought computer security was tricky, try being an etymologist or a philologist.)
As close criminal relations, you’ll also have heard of carjacking, shipjacking and truckjacking. You’ll probably also have heard of analogous computer-related mischief, such as sidejacking, sheepjacking, pagejacking and clickjacking.
Well, now there’s a new one. Juicejacking.
When you stop to think about it, juicejacking is an obvious, surprisingly easy, and potentially very lucrative way to plunder shedsful of personal and corporate data.
But almost no-one did stop to think about it before security trio Brian Markus, Joseph Mlodzianowski and Robert Rowley. They thought about it, and decided on a practical and public demonstration to raise awareness at this year’s DEFCON conference in Las Vegas.
You’ve almost certainly seen potential juicejacking systems: those ‘charge your mobile phone here’ kiosks that can be found in shopping centres, airports, hotel lobbies and more. You find the charging adaptor which fits your phone, perhaps pay a small fee, plug in your device and lock it to the kiosk. By the time your flight has been called, or your room is ready, or you’ve finished your shopping, your phone is recharged and ready to use. Phew! That’s your Twitter separation anxiety under control!
But what if – and this is an enormous if – your mobile phone adaptor is a combination power-and-data connection? These days, it almost certainly is, especially if your device uses a regular USB connector.
Depending on your phone’s configuration, you could be paying for your power recharge by yielding up some, most or all of the data on your device.
I’ve not heard of this attack being used in the wild. But if entire fake Apple and even IKEA stores can spring up in China, it’s not hard to imagine that fake, or at least booby-trapped, charging stations might appear anywhere in the world.
Plugging your phone into an untrusted USB cable is, indeed, a security risk. Likewise, letting someone else plug their phone into one of your USB ports is a security risk.
Fortunately, it’s easy to avoid the risk in both directions:
* When charging your phone from an unknown USB port, or charging an unknown phone from your own USB port, use a power-only USB cable. USB plugs have four or five connecting wires. The outermost two are for power; if your cable has two or three of the inner two or three middle wires missing, it can’t carry data, only power.
(Note. Modern devices generally charge more slowly on a power-only connection. This is for electrical safety. Ironically, to enable full-power charging, an exchange of USB data between the device and the charging host is required in order to negotiate the charging current up from the minimum 100mA.)
* Always carry and use the charging adaptor which came with your device. In most airports, you’ll find power outlets dotted around all over the place – the cleaning staff need them. Modern adaptors are so small that they’re easy to keep permanently in your carry-on luggage.
(Hint. Look for beardy blokes sitting in the lotus position and tapping away on power-hungry 17″ Macbooks. They’ll be slightly away from the departure gates, halfway along a corridor, or right next to a vending machine. They’ve already found the power.)
* If you can, configure your device always to require a password before enabling the data-transfer features of the charging port. This is good general practice, as it stops you synching unless you really mean to.
* In a hotel, try the concierge. Laptop and phone adaptors are amongst the most commonly-lost items by travellers. Hotels often keep a stash of these so they can help the next guy.
(Warning. If you’re really serious about security, you won’t even trust an unknown adaptor. But it’s a lot safer than trusting an unknown cable hanging out of an unknown cabinet in a public place.)
* In a real emergency, buy a battery-powered recharger. They’re pocket-sized, so you don’t get much juice out of them, but you should get enough to phone around to find a shop where you can buy a replacement wall adaptor.
Notes on changes in this article. I added, then removed, a suggestion to power your phone off completely before charging it as a way of entering power-but-no-data mode. A comment below from @Paul suggests that even with your phone off, some devices may use USB bus power to give access to your memory cards. Also, the sheer difficulty of describing generically how to a genuine fullpower-down (short of removing the battery, which means you can’t charge it anyway) made me decide that this advice was neither safe nor practicable.
Leave a reply