Pointed out that the warning of 'juice jacking' that hacks smartphones via public charging stations is nonsense
In April 2023, the US Federal Bureau of Investigation (FBI) and the Federal Communications Commission (FCC) issued a warning about ``
Those scary warnings of juice jacking in airports and hotels?
https://arstechnica.com/information-technology/2023/05/fearmongering-over-public-charging-stations-needs-to-stop-heres-why/
Juicejacking is an attack in which a malicious person manipulates the charging ports for smartphones and PCs installed in stations and cafes, etc., and hacks the device via the cable that connects the device and the port. method.
In general, USB and Lightning terminals have a charging terminal and a data communication terminal, and when connected to a charging port, only the charging terminal is used. However, if a malicious attacker uses a specially crafted charging station or cable, not only the charging terminal but also the data communication terminal will be used, and there is a risk that malware will be sent to the device. .
``Do not use free public smartphone charging stations,'' FBI warns-GIGAZINE
Many people have used public charging stations when their devices ran out of charge, so the warning that ``there is a possibility of hacking via charging stations'' does not mean that ``you may also be the target of an attack. ' raised the concern of many.
But while government agencies like the FBI and FCC warn about juicejacking, many cybersecurity experts don't warn people about the dangers of juicejacking. The reason for this is that so far no hacking attacks using juice jacking have been officially reported, and it is very difficult for hackers to execute juice jacking.
Security researcher Mike Grover, who designs his own offensive hacking tools, said, 'Roughly speaking, if no one can point to real-life examples of what's happening in public, it's against the public. It's not worth highlighting, 'he points out that juice jacking is a viable technique only in very limited circumstances. On top of that, Grover argued that power quality and connector breakage are more important risks to consider for public charging stations.
Juicejacking is an attack concept proposed in 2011 , and in the years since, security researchers have successfully demonstrated juicejacking, highlighting that juicejacking is a concern that should be taken seriously. I made it However, the developers of the OS did not keep their hands up, and as a result of continuously strengthening the security of the OS, juice jacking has become an almost impossible method in the latest OS.
Goodin said, 'In the last five years, no one has demonstrated viable juicejacking against a device running the latest version of iOS or Android. We weren't aware that it was left unchecked (a Google representative didn't respond to comment), and none of the security experts were aware of such an attack. As we did, there is no record of juice-jacking actually occurring.'
Of course, just because there is no actual record does not mean that juice jacking is impossible. We sell devices that perform operations such as However, this device is very expensive, it takes a long time to attack, and it is necessary to exploit a zero-day vulnerability that has not yet been patched.
In general, zero-day vulnerability information is very expensive, and important zero-day vulnerabilities such as stealing smartphone data via cable require a reward of more than $ 1 million (about 137 million yen) to obtain. That's right. For hackers, it doesn't make sense to spend this much money to target ordinary people who happen to charge their smartphones at the airport, and it is likely that they will hack specific high-priority targets. .
In addition, products such as 'O.MG Cable', which is a hacking tool disguised as a USB cable, are also on sale, but these hacking tools need to be adjusted according to the target device, so they can target an unspecified number of people. It is said that it is not suitable for opportunistic attacks.
The appearance is a USB cable, the content is a hacking tool abuse prohibited cable 'O.MG Cable' followed by Lightning, and the USB Type-C version etc. are also on sale - GIGAZINE
Goodin recommends carrying a power bank and cables with you when you go out, but if you forget your battery at home, you can use a public charging station, which is theoretically possible, like juice-jacking. He argues that there is no need to worry about risks that are almost impossible in reality. “The problem with warnings issued by the FCC and FBI is that they distract attention from larger security threats, such as weak passwords or not installing security updates. There is a danger of giving up on ensuring safety.'
Related Posts:
