Maya, a senior Key Account Manager at an IT company, was considered a valuable asset to the company. She had been awarded for her work in each of the last 2 years, and this year was the hat-trick year. While most of her colleagues celebrated her, Arjun was obsessed with her and would always compare her growth with his. His obsession led him to stalk Maya, which was known to many, including Maya, but she ignored it. Some events are uncalled for: Arjun followed her after work to a restaurant where she was to meet a group of friends. The way to the venue passed through an alley. Maya suspected that someone was following her and turned around to find Arjun right in her face; she slapped him in the heat of the moment. This was a blow to his manhood, and he pledged to avenge it.
The next day was a happy one for Maya: she was assigned one of the biggest clients by portfolio as part of her client list. She knew that this client was her ladder to becoming the lead of her department. As an account manager, her first task was to meet and build relationships with key stakeholders at this client, so she scheduled a meeting and started researching everything she needed to know about the account. Arjun saw this as his opportunity to take revenge. He had recently read about ‘Juice Jacking’ and found that it fit his plan of taking Maya by surprise. The first step was to get a customised cable that was an exact replica of the one on Maya’s laptop charger. Sourcing it was not difficult, given the ease of the internet. Arjun used his coding skills as a software engineer to write a malicious programme specially designed to be loaded on the chip integrated in the cable of the charger. He simply replaced the original cable of Maya’s charger with this cable.
As soon as the machine was started with the charger plugged in, the malware downloaded itself, giving Arjun access to all files and folders. Maya, unaware of this hack, set up the laptop for the presentation which would change her life forever. Arjun’s eyes were glued on her. As soon as she was ready with her setup, Arjun replaced the presentation files with crap, including photos, videos and defamatory content for the client. The presentation was a disaster and Maya could not explain the blunder. The repercussions included the loss of her reputation in addition to the loss of her job.
Running out of charge is quite common, and most of us have borrowed charging cables from others when it happens. There is no harm in doing so, but you might want to think twice before using a random cable that you found or were gifted. In 2018, researchers at the Florida Institute for Cyber Research presented multiple vulnerabilities they had uncovered at the 27th USENIX Security Symposium, including the use of a set of old modem commands which happened to be accessible over the USB stack. Their PoC showed that, with no user intervention, they were able to target a phone over USB and unlock it or take full control of the device. As ZDNet points out in its coverage of the Juice-Jacking warning, the FBI sent out a nationwide alert about the threat after security researcher Samy Kamkar developed an Arduino-based implant designed to look like a USB charger to wirelessly sniff the air for leaky keystrokes. And just earlier this year, a security researcher developed an iPhone charger cable clone that let a nearby hacker run commands on the vulnerable computer. Recently the District Attorney of Los Angeles issued a warning to travellers to avoid public USB charging points because they may contain dangerous malware.
In these attacks, a small chip implanted in the cable gives the hacker access to your device. This allows the hacker to read, write, export or import your data, including your passwords, and even lock up the gadgets, making them unusable. That this is not widespread yet does not mean that it cannot happen to you; the technology has been proven by researchers worldwide. This type of attack is typically targeted at an individual, as in the incident above. One must be aware of the growing vulnerabilities in the tech world to avoid becoming a victim of such cyber crimes.
Mitigations:
1. Always buy original chargers and cables.
2. Carry your own chargers when travelling.
3. Set up your device to require a PIN or password before allowing any upload or download of data.
4. If you borrow a charger, always check that it is original; some providers, such as Apple, prompt the user if the accessory is not original.
5. Avoid using USB charging stations in public. If the situation is unavoidable, always switch off the device before putting it on charge.
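A check that complements these mitigations, added here as an example and not taken from any of the referenced reports: a cable that only charges should never make a new USB device appear on the host, so comparing the USB interfaces seen before and after plugging it in exposes an implanted chip that enumerates as a keyboard or modem. It assumes a Linux host with sysfs; the function names and the sample snapshots are constructed for illustration.

```python
import os

# USB-IF base class codes (hex, as sysfs prints them) that carry data.
CLASS_LABELS = {
    "02": "CDC communications (modem / AT commands)",
    "03": "HID (keyboard / mouse)",
    "08": "mass storage",
    "0a": "CDC data",
    "e0": "wireless controller",
    "ff": "vendor specific",
}

def snapshot(root="/sys/bus/usb/devices"):
    """Map interface name (e.g. '1-2:1.0') to its bInterfaceClass value."""
    seen = {}
    if not os.path.isdir(root):      # not Linux, or sysfs not mounted
        return seen
    for name in os.listdir(root):
        path = os.path.join(root, name, "bInterfaceClass")
        if os.path.isfile(path):     # only interface entries have this file
            with open(path) as fh:
                seen[name] = fh.read().strip().lower()
    return seen

def new_interfaces(before, after):
    """Return (name, class, label) for every interface that newly appeared."""
    findings = []
    for name in sorted(set(after) - set(before)):
        cls = after[name]
        findings.append((name, cls, CLASS_LABELS.get(cls, "other class 0x" + cls)))
    return findings

# Constructed sample: host state before and after connecting a "charging" cable.
SAMPLE_BEFORE = {"1-0:1.0": "09", "1-1:1.0": "03"}
SAMPLE_AFTER = {"1-0:1.0": "09", "1-1:1.0": "03",
                "1-2:1.0": "03", "1-2:1.1": "02"}

if __name__ == "__main__":
    # Live use: call snapshot() before and after plugging in the cable.
    for name, cls, label in new_interfaces(SAMPLE_BEFORE, SAMPLE_AFTER):
        print(f"ALERT new USB interface {name}: class 0x{cls} ({label})")
```

Any finding for a cable that is supposed to carry power only is a reason to stop using it.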
References:
https://www.secjuice.com/history-of-juice-jacking/
https://techcrunch.com/2019/11/15/los-angeles-juice-jacking-usb/
Please read the report by Trustwave on Juice Jacking for a technical view of the subject:
https://cdn.shopify.com/s/files/1/0177/9886/files/juicejacking-defcon.pdf
Image Source:
https://www.needpix.com/photo/20784/battery-charger-sign-symbol-icon
Copyright © 2019 Addrey Consultancy. All rights reserved.