Don't recharge your iPhone using public USB ports, FBI warns
The FBI has again warned the public against using public USB ports to recharge an iPhone, with "juice jacking" attacks infecting mobile devices connected to the ports.
An iPhone's Lightning port
Many people will be familiar with malicious apps and online attacks performed over the Internet, and that physical attacks are possible but rarer. However, despite this apparent knowledge, many still leave their devices open to potential attack by using public recharging points.
In a warning issued via Twitter on April 6, The Federal Bureau of Investigation's Denver office posted a warning to "avoid using free charging stations in airports, hotels, or shopping centers." The FBI believes bad actors have "figured out ways to use public USB ports to introduce malware and monitoring software onto devices."
The idea is that a USB charging point could be compromised by an attacker. Since the public doesn't necessarily believe a seeming power source available for free use could be malicious, the device owners will use the connection without contemplating whether attacks could be made on their hardware.
The concept of a connection-based attack isn't new, as it has been around for many years. It's also not limited just to USB charging points, as a maliciously-crafted cable could even be used to the same effect.
Various US agencies have been warning against "juice jacking" for over a year.
However, it is also possible for the notification to be bypassed, if the attack itself is sophisticated enough.
Furthermore, if you're actively using the iPhone while it is plugged in, you may not necessarily see the prompt at all.
To combat the potential attacks, the FBI recommends using your own charger and USB cable to receive power from an electrical outlet, rather than trust a potentially compromised component.
Read on AppleInsider
An iPhone's Lightning port
Many people will be familiar with malicious apps and online attacks performed over the Internet, and that physical attacks are possible but rarer. However, despite this apparent knowledge, many still leave their devices open to potential attack by using public recharging points.
In a warning issued via Twitter on April 6, The Federal Bureau of Investigation's Denver office posted a warning to "avoid using free charging stations in airports, hotels, or shopping centers." The FBI believes bad actors have "figured out ways to use public USB ports to introduce malware and monitoring software onto devices."
The idea is that a USB charging point could be compromised by an attacker. Since the public doesn't necessarily believe a seeming power source available for free use could be malicious, the device owners will use the connection without contemplating whether attacks could be made on their hardware.
Avoid using free charging stations in airports, hotels or shopping centers. Bad actors have figured out ways to use public USB ports to introduce malware and monitoring software onto devices. Carry your own charger and USB cord and use an electrical outlet instead. pic.twitter.com/9T62SYen9T
-- FBI Denver (@FBIDenver)
The concept of a connection-based attack isn't new, as it has been around for many years. It's also not limited just to USB charging points, as a maliciously-crafted cable could even be used to the same effect.
Various US agencies have been warning against "juice jacking" for over a year.
How to protect against "juice jacking"
Apple does include "Trust this device" prompts that appear in iOS and iPadOS when you connect a new accessory to it, which does prevent any data transfers from occurring. If such a notice appears on a device connected to what should be a power-only USB port, you should disconnect it immediately.However, it is also possible for the notification to be bypassed, if the attack itself is sophisticated enough.
Furthermore, if you're actively using the iPhone while it is plugged in, you may not necessarily see the prompt at all.
To combat the potential attacks, the FBI recommends using your own charger and USB cable to receive power from an electrical outlet, rather than trust a potentially compromised component.
Read on AppleInsider
Comments
As for power-only cables, that can be an option, but power delivery is negotiated over the data lines. These cables generally prevent the phone, tablet or laptop from requesting more than the 5W base delivery.
The same logic applies to power banks, chargers, and even charging cables that do not come from a reputable and trusted source. It would be very easy for a bad actor to seed the gas station/truck stop/quickly mart/dollar store sales channels with super cheap power banks, chargers, and cables that contain a payload that gets pushed through a logic-enabled charging port on to a victim’s device. Not picking on the cheapo and knock-off sales channels, but if you weren’t already dissuaded by the possibility of these devices burning down your house perhaps the possibility of infection should give you pause.
Users should be wary of all ingress points into their devices, whether through physical ports or the various network/logical/communication ports including Ethernet, WiFi, USB, Bluetooth, NFC, AirDrop, Email, messaging, FTP, attachments, etc. Your circle of trusted ingress points should be very narrow compared to the number of available ingress points. Having connectivity is very different than establishing a connection, the latter of which should require a trust relationship. This applies to both technology and people.
But, then you have to remember to bring it.
I have a couple kicking around somewhere.
A small power bank is a good thing to have .
Found a great little Zendure SuperMini 5K unit (5000mAh capacity) for my wife, that she loves. Goes everywhere, takes up little space.
https://powerbank.zendure.com/products/supermini-5k
I have one of their SuperMini 10000mAh units. Both are just great. Solid, nice looking.
Once the exploits are patched, they drop to the $30k range, which could be cost-effective to use in a charging station attack in some areas. But at that point, keeping your devices updated protects you.
I've never seen any anywhere.
That really doesn't seem good enough to assume you'll actually find a wireless charging station when you need it, which is usually at the worst possible moment.
You don't then have to leave your phone anywhere public even in one of those locker chargers.