Advisory ID: NCC-CSIRT-0122-0001
Summary: Attackers have found a new way to gain unauthorized access to the mobile phones of unsuspecting users when they charge them at public charging stations. Many public spaces, restaurants, malls and even public trains offer complimentary services to their customers in a bid to enhance customer service, one of which is providing charging ports or sockets. An attacker can leverage this courtesy to load a payload onto the charging station or onto cables left plugged in at the station. Once the victim plugs their phone into the charging station or into the cable left by the attacker, the payload is automatically downloaded onto the victim's phone. This payload then gives the attacker remote access to the mobile phone, allowing them to monitor data transmitted as text and audio captured using the microphone. The attacker can even watch the victim in real time if the victim's camera is not covered. The attacker is given full access to the gallery and also to the phone's GPS location.
Vulnerable Platform(s): All Mobile Phones
Threat Type: Bypass authentication, Data Theft, Denial of Service, Remote Code Execution, Unauthorized access.
Description: When an attacker gains unauthorized access to the victim's mobile phone using a payload, the payload gives the attacker remote access to the phone. This allows the attacker to monitor data transmitted as text and to listen to and record audio using the microphone. The attacker can even watch or record the victim in real time if the victim's camera is not covered, all while the victim is unaware. The attacker may also have access to the victim's GPS location, call logs and system processes.
Symptoms
- Sudden spike in battery consumption.
- Device operating slower than usual.
- Apps taking a long time to load and, when they do load, crashing frequently.
- Abnormal Data Usage.
Consequences: When an attacker gains access to a user's mobile phone, the attacker gets remote access to the phone, which leads to a breach of confidentiality, violation of data integrity and bypass of authentication mechanisms.
Impact/Probability: HIGH/MEDIUM
Solution: Use a charging-only USB cable to avoid a USB data connection. Only use your own AC charging adaptor in public spaces. Do not grant trust if a portable device prompts for a USB data connection. Install antivirus software and always keep it updated with the latest definitions. Keep mobile devices up to date with the latest patches. Use your own power bank. Keep your mobile phone off when charging in public places. If you have to charge in public, use your own charger.
References
- https://www.hkcert.org/my_url/en/blog/20022801
- https://www.geeksforgeeks.org/what-is-juice-jacking/
- https://timesofindia.indiatimes.com/blogs/tastefully-contemporary/beware-of-juice-jacking-a-new-way-to-steal-your-data/
- https://securityintelligence.com/articles/is-juice-jacking-a-legitimate-threat-or-nothing-to-worry-about/