Official blog of Data64

Wednesday 16 September 2015

Juice Jacking

You’re at an airport, shopping mall or restaurant, your smartphone needs charging, and yet again you’re miles away from home. Suddenly a public charging kiosk is looking pretty promising: just plug your phone in and get the sweet, sweet energy you crave. What could possibly go wrong, right? Well, you might become a victim of juice jacking. Read on to understand more about juice jacking.
Regardless of the kind of smartphone you have, whether it’s an Android, iPhone or BlackBerry, there is one common feature across all phones: the power supply and the data stream pass over the same cable. This setup allows for juice jacking during the charging process, whereby an attacker leverages the USB data/power cable to illegitimately access your phone’s data and/or inject malicious code onto the device.

The Concept behind Juice Jacking

The concept is simple: leading smartphones on the market have been designed to use the same port for charging the phone as for data transfer. This opens the opportunity to trick a user in need of a charge into exposing their phone's data port. The attack encompasses many facets of information security, including security design, user awareness, and attacks against system design/code, as well as a bit of social engineering. With juice jacking, the vulnerability or attack vector is the phone's USB port; the exposure factor depends on the user's awareness of this possible attack method and their phone's battery life. When these two factors come together and the unsuspecting user plugs their phone into a malicious system, the attack is able to take place. In an age where business executives travel regularly and depend on access to their phones to respond to emails, check their schedule, etc. (basic work functionality), this vector may come up more often than people presume. Luckily, this attack is entirely theoretical. There is no reason to presume the kiosks filling airports are inherently malicious. The proof of concept exists though, which is why it's a concern and a defense should be put in place.

More about Juice Jacking

The attack could be as simple as an invasion of privacy, wherein your phone pairs with a computer concealed within the charging kiosk and information like private photos and contact information is transferred to the malicious device. The attack could also be as invasive as an injection of malicious code directly into your device. This sort of exploit is hardly a new blip on the security radar, however. Two years ago at the 2011 DEF CON security conference, researchers from Aries Security, Brian Markus, Joseph Mlodzianowski, and Robert Rowley, built a charging kiosk specifically to demonstrate the dangers of juice jacking and alert the public to just how vulnerable their phones were when connected to a kiosk; an image was displayed to users after they jacked into the malicious kiosk. Even devices that had been instructed not to pair or share data were still frequently compromised via the Aries Security kiosk.

Currently juice jacking is a largely theoretical threat, and the chances that the USB charging ports in the kiosk at your local airport are actually a secret front for a data siphoning and malware-injecting computer are very low. This doesn’t mean, however, that you should just shrug your shoulders and promptly forget about the very real security risk that plugging your smartphone or tablet into an unknown device poses.

Protecting yourself against Juice Jacking

1. Keep your devices topped off when using a public kiosk point.
2. Carry a personal wireless charger.
3. Carry a backup phone charger which is fully charged.
4. Lock your phone.
5. Power down the phone when using public charging points.
6. Use hardware protection such as USB condoms (get one from SyncStop).

