Don't recharge your iPhone using public USB ports, FBI warns

The FBI has again warned the public against using public USB ports to recharge an iPhone, with "juice jacking" attacks infecting mobile devices connected to the ports.

An iPhone's Lightning port


Many people are familiar with malicious apps and attacks performed over the Internet, and know that physical attacks are possible but rarer. Despite this knowledge, many still leave their devices open to potential attack by using public recharging points.

In a warning issued via Twitter on April 6, the Federal Bureau of Investigation's Denver office told the public to "avoid using free charging stations in airports, hotels, or shopping centers." The FBI believes bad actors have "figured out ways to use public USB ports to introduce malware and monitoring software onto devices."

The idea is that a USB charging point could be compromised by an attacker. Because the public doesn't necessarily expect that what appears to be a free power source could be malicious, device owners will use the connection without considering whether it could be used to attack their hardware.

Avoid using free charging stations in airports, hotels or shopping centers. Bad actors have figured out ways to use public USB ports to introduce malware and monitoring software onto devices. Carry your own charger and USB cord and use an electrical outlet instead. pic.twitter.com/9T62SYen9T

-- FBI Denver (@FBIDenver)


The concept of a connection-based attack isn't new; it has been around for many years. It's also not limited to USB charging points, as a maliciously crafted cable could be used to the same effect.

Various US agencies have been warning against "juice jacking" for over a year.

How to protect against "juice jacking"

Apple does include "Trust this device" prompts in iOS and iPadOS that appear when you connect a new accessory, and these prevent any data transfers from occurring. If such a notice appears on a device connected to what should be a power-only USB port, you should disconnect it immediately.

However, it is also possible for the notification to be bypassed, if the attack itself is sophisticated enough.

Furthermore, if you're actively using the iPhone while it is plugged in, you may not necessarily see the prompt at all.

To combat the potential attacks, the FBI recommends using your own charger and USB cable to receive power from an electrical outlet, rather than trusting a potentially compromised component.


Comments

  • Reply 1 of 13
    I'm surprised the author or the FBI didn't recommend data blocking USB adapters. They're a very inexpensive solution.
    edited April 2023
  • Reply 2 of 13
    chutzpah (Posts: 392, member)
    This is where those USB cables that are only good for power would come in handy.
  • Reply 3 of 13
    zimmie (Posts: 651, member)
    Note that the FBI doesn't claim to have any evidence of such an attack ever actually happening. Keep your device updated, and this isn't a concern. Nobody is going to burn a million-dollar exploit on people who need to charge at a semi-public charging station rather than an outlet they control.

    As for power-only cables, that can be an option, but power delivery is negotiated over the data lines. These cables generally prevent the phone, tablet or laptop from requesting more than the 5W base delivery.
  • Reply 4 of 13
    dewme (Posts: 5,553, member)
    This is very good information. I’ve never used these types of public charging stations mostly because I don’t trust the quality and integrity of the electrical charging circuitry. Knowing that these charging points could also contain nefarious logic only adds greater rationale for not plugging into them.

    The same logic applies to power banks, chargers, and even charging cables that do not come from a reputable and trusted source. It would be very easy for a bad actor to seed the gas station/truck stop/quickly mart/dollar store sales channels with super cheap power banks, chargers, and cables that contain a payload that gets pushed through a logic-enabled charging port on to a victim’s device. Not picking on the cheapo and knock-off sales channels, but if you weren’t already dissuaded by the possibility of these devices burning down your house perhaps the possibility of infection should give you pause.

    Users should be wary of all ingress points into their devices, whether through physical ports or the various network/logical/communication ports including Ethernet, WiFi, USB, Bluetooth, NFC, AirDrop, Email, messaging, FTP, attachments, etc. Your circle of trusted ingress points should be very narrow compared to the number of available ingress points. Having connectivity is very different than establishing a connection, the latter of which should require a trust relationship. This applies to both technology and people. 
    edited April 2023
  • Reply 5 of 13
    DAalseth (Posts: 2,867, member)
    Only relying on wireless charging is a solution. 
  • Reply 6 of 13
    zimmie said:
    Note that the FBI doesn't claim to have any evidence of such an attack ever actually happening. Keep your device updated, and this isn't a concern. 
    Right, because letting something bad happen first is always better than getting ahead of it. Keeping your device updated won't do jack against this kind of attack.
  • Reply 7 of 13
    You can get a Lightning adaptor that ONLY has power connections. There are no data connections.
    But, then you have to remember to bring it.

    I have a couple kicking around somewhere.

    A small power bank is a good thing to have.
    Found a great little Zendure SuperMini 5K unit (5000mAh capacity) for my wife, that she loves. Goes everywhere, takes up little space.
    https://powerbank.zendure.com/products/supermini-5k

    I have one of their SuperMini 10000mAh units. Both are just great. Solid, nice looking.
    edited April 2023
  • Reply 8 of 13
    netrox (Posts: 1,464, member)
    That's why Apple's new iPhone 15 with USB-C ports will likely not accept any data if the cable is not certified for Apple. It will only work for power recharging since data will likely be disabled making the attack impossible. 


  • Reply 9 of 13
    zimmie (Posts: 651, member)
    zimmie said:
    Note that the FBI doesn't claim to have any evidence of such an attack ever actually happening. Keep your device updated, and this isn't a concern. 
    Right, because letting something bad happen first is always better than getting ahead of it. Keeping your device updated won't do jack against this kind of attack.
    Did you not read the very next sentence in my comment? Exploits that can read an iPhone's data over USB without approval are worth about $400k each. Exploits which can drop malware on an iPhone over USB without user approval are worth upwards of $1M each. As SwiftOnSecurity said, nobody's burning that level of exploit on people who take the bus. Somebody might burn it at DEF CON or Black Hat ahead of giving a presentation on the exploit, but that's about it. State actors have access to this level of exploit, but they would only use it in a targeted way rather than an indiscriminate watering hole attack.

    Once the exploits are patched, they drop to the $30k range, which could be cost-effective to use in a charging station attack in some areas. But at that point, keeping your devices updated protects you.
  • Reply 10 of 13
    What if you turn the iPhone off before charging it? Also, I'm going to guess that the chargers on airplanes are less likely to get hacked?
  • Reply 11 of 13
    DAalseth said:
    Only relying on wireless charging is a solution. 
    Where will you find wireless charging stations?
    I've never seen any anywhere.

    That really doesn't seem good enough to assume you'll actually find a wireless charging station when you need it, which is usually at the worst possible moment.
    edited April 2023
  • Reply 12 of 13
    chasm (Posts: 3,431, member)
    DAalseth said:
    Only relying on wireless charging is a solution. 
    Where will you find wireless charging stations?
    I've never seen any anywhere.

    That really doesn't seem good enough to assume you'll actually find a wireless charging station when you need it, which is usually at the worst possible moment.
    I see Qi charging points on many tables at big-city Starbucks, just as an example. Many hotels are starting to offer these as well.
  • Reply 13 of 13
    mattinoz (Posts: 2,394, member)
    I'm surprised the author or the FBI didn't recommend data blocking USB adapters. They're a very inexpensive solution.
    Power bank works just as well as a data blocker and once recharged you can take it with you for an extra top up later or another device. 
    You don't then have to leave your phone anywhere public even in one of those locker chargers. 