Juice Jacking 101

•Download as ODP, PDF•

0 likes•6,374 views

Juice Jacking 101 covers the hisotry behind why and what we learned from building malicious cell phone charging kiosks (and then setting them up at various hacker conferences)

Technology

The Build
Hardware
● EeePC
● Box
● Lots of USB cables
Software
● Linux (liveCD)
● USButils package
● Custom shell code

The Deployment @ Defcon
Largest Hacker Conference.
Attendees treat it a lot like the wild west.
– This means the kiosk will now become a target.

The Media
● Krebs on Security
● TG Daily

The Media
● Krebs on Security
● TG Daily
● CNET -- “the 404”

The Media
● Krebs on Security
● TG Daily
● CNET -- “the 404”
● MSNBC -- Technolog

The Media
● Krebs on Security
● TG Daily
● CNET -- “the 404”
● MSNBC -- Technolog
● PC world

Don't get jacked.
● USB cable neutering (removing data pin)

Don't get jacked.
● USB cable neutering (removing data pin)
● Powering off the device

Don't get jacked.
● USB cable neutering (removing data pin)
● Powering off the device
● Confirmation required for mounting/debug
access

Don't get jacked.
● USB cable neutering (removing data pin)
● Powering off the device
● Confirmation required for mounting/debug
access
● Bring a backup battery!

My 0.02
● For business it's a matter of policy.
● For users it's a matter of not forgetting.
● Remember your charger or backup power
source/battery.
● The iPhone is a serious concern.

Devices
Android
Majority of roms ship with the “ask before mounting” option.
– This differs from rom to rom (check your device.)
OS designed with strict security permissions on applications and filesystem.
Battery accessible, you can bring another battery or replace the stock battery.
Unique risks:
– Android debugger
– Rooted phones

Devices
iPhone
● Design for usability first
● Auto-sync
● No confirmation to mount
● No battery replacements
● Proprietary connector
● Strict after-market control

Juice Jacking 201
Advanced Topics
mmHrmm scruffy says there is more here.

Roll your own kiosk
● Push malware to phones
● Pull data from phones
● Foot traffic monitoring (device ID)
● People tracking (device ID)

Attack Existing Kiosks
● Complicated PIN/Video systems likely means a
CPU is in the box
● USB interface
● Discrete attack (just plugging in your phone!)
● Requires a detailed knowledge of the Kiosk

Beyond the Kiosk
● Forget everything about the Kiosk.
● Transfer the attacks to a Laptop/PC.
● Use infected phones to spread Malware.
● Everyone brings their phones to work, plenty of
those people will 'charge' at their desk.

Summary
● The core threat isn't the kiosk, it is:
– A design that chose usability over security.
– Data transfer and charging happen on the same port.

Summary
● The core threat isn't the kiosk, it is:
– A design that chose usability over security.
– Data transfer and charging happen on the same port.
● The complexity goes beyond the Kiosk.
– Malware infecting PCs/Laptops used to infect phones.
– Phones used to infect PCs/Laptops and Kiosks.

Thank You!
● Wall of Sheep
● Iggy, Riverside and Cedoxx
● Toorcon
● Irvine Underground
Contact Information: Robert Rowley, Robert@RobRowley.com

What's hot

Bank locker system

Rahul Wagh

Phishing ppt

Sanjay Kumar

These slides use concepts from my (Jeff Funk) course entitled analyzing hi-tech opportunities to analyze the increasing economic feasibility of smart homes. Rapid improvements in sensors, integrated circuits, transceivers, displays, mobile phones, and wireless networks are causing the cost to fall and the performance to rise for smart home-related features. It is becoming increasingly inexpensive and easy to control a wide number of appliances with mobile phones and to embed intelligence in many of these appliances. Smart homes will have higher energy efficiencies, better safety, more convenience, and better security than existing homes as the improvements in various technologies make them economically feasible.

Smart Homes: becoming a reality

Jeffrey Funk

Smart home Environment using iot

parvathy s m

Home automation using android mobiles

Durairaja

Mobile jammer

Chandu Pawar

IOT in SMART Cities

Dr. Shivananda Koteshwar

Electronic Toll Collection Global Study

Justin Hamilton

Car remote systems

Cattovic

IOT BASED AIR POLLUTION MONITORING

kantkamal2291

Artificial intelligence of things(AIoT): What is AIoT: AIoT applications

Anusha Aravindan

IoT

Ananth Kumar

Cyber Security Presentation "It Will Never Happen To Me"

Simon Salter

Intelligent Automatic Plant Irrigation System

susheel kumar

SMART Vehicle Secure PPT

Lighthouse Info Systems Pvt Ltd

Automatic water level monitoring and control system using IoT

Danish Mehraj

Mobile Cloning

sorabh2312

Mine workers protection slides

Arya Ls

These problem statements were taken from sector specialists and government officials. There are also some solutions suggestions, which should not stipulate your innovation but rather energize it. "National Hackathon" is a part of "National Mobile Application Awareness Development and Capacity Building Program" by the Information & Communication Division, Ministry of Post, Telecommunication & Information Technology, Bangladesh. Find more at: www.nationalappsbd.com

National Hackathon - Problem Statements

Zaki Haider

Internet of Things for Underground Drainage and manhole Monitoring System for...

Muragesh Kabbinakantimath

What's hot (20)

Bank locker system

Phishing ppt

Smart Homes: becoming a reality

Smart home Environment using iot

Home automation using android mobiles

Mobile jammer

IOT in SMART Cities

Electronic Toll Collection Global Study

Car remote systems

IOT BASED AIR POLLUTION MONITORING

Artificial intelligence of things(AIoT): What is AIoT: AIoT applications

IoT

Cyber Security Presentation "It Will Never Happen To Me"

Intelligent Automatic Plant Irrigation System

SMART Vehicle Secure PPT

Automatic water level monitoring and control system using IoT

Mobile Cloning

Mine workers protection slides

National Hackathon - Problem Statements

Internet of Things for Underground Drainage and manhole Monitoring System for...

Similar to Juice Jacking 101

For the full video of this presentation, please visit: https://www.edge-ai-vision.com/2021/10/secure-hardware-architecture-for-embedded-vision-a-presentation-from-neurobinder/ Jonathan Cefalu, CEO and founder of NeuroBinder, presents the “Secure Hardware Architecture for Embedded Vision” tutorial at the May 2021 Embedded Vision Summit. Security is a problem for every IoT system, but due to privacy concerns, security is particularly worrisome for embedded vision systems. In this talk, Cefalu covers how to design your embedded device so that the hardware architecture itself enforces strict guarantees about where visual data is able to flow. In particular, Cefalu explores the idea of a “data diode” that uses hardware to enforce what parts of the system have access to video or images. This provides the highest level of protection against hacking or malware, as even if the device is completely hacked at the root level, the intruder will still be unable to access the visual data.

“Secure Hardware Architecture for Embedded Vision,” a Presentation from Neuro...

Edge AI and Vision Alliance

A tale of the Neo900 project about the obstacles on its way to achieve The Ultimate Private Phone. What are the threats for smartphone user's privacy? How to deal with them? Is it possible to make a phone that will protect us so well that it will let us forget about privacy at all? The talk has been given via videoconference on 2014-11-29 at OpenPhoenux Hard- and Software Workshop 2014 in Garching, Munich. Recording: https://www.youtube.com/watch?v=ahPFCFooBv0&list=PL-s0IumBit8Mofxj0Fn2kH6RB9VtnKS4K

Neo900: Crafting The Private Phone

Sebastian Krzyszkowiak

The prevalence of computers in form of so called "smart" devices embedded in our everyday environment is inevitable. From pentester's perspective, the adjective "smart" at first glance can hardly be used to describe their inventors and ambassadors. Based on a few examples (i.a. BTLE beacons, smart meters, security cameras...) I will show how easily "smart" devices can be outsmarted. Sometimes you don't even need any 'hacking' skills, or the default configuration is wide-open. But are we doomed? What are the conditions for real threat? Can the vulnerabilities be exploited anonymously and as easily as in web application? Where is the physical border the intruder would be likely to cross? The risks involved are usually different, but does it mean we don't have to worry? Are we sure how to use securely the emerging technology?

IoThings you don't even need to hack

Slawomir Jasek

Security Issues in Android Custom ROM

Anant Shrivastava

Security Issues in Android Custom Rom

n|u - The Open Security Community

Unlike the previous jailbreakme.com exploits targeting MobileSafari that could be used against an unwitting victim, publicly available jailbreaks require USB tethering. Since iDevices refuse to communicate over USB if they are locked unless they have previously paired with the connecting device these jailbreaks have a lower security impact, and are usually only useful to the phone’s owner. Then it is legitimate to think we are safe. Nevertheless, malicious codes already running on hosting personal computers silently steal confidential information using iTunes services or leverage USB jailbreaks. This talk will discuss about the most interesting Apple services (from the attacker point of view) and describe how they can be exploited in order to retrieve confidential information or to deploy the evasi0n jailbreak. Finally, the author will present the analysis of a Made For Apple (MFI) dock station and its weapownizing in order to allow an automated jailbreak. Audio available here : http://2013.hackitoergosum.org/presentations/Day3-04.Hacking%20apple%20accessories%20to%20pown%20iDevices%20%e2%80%93%20Wake%20up%20Neo!%20Your%20phone%20got%20pwnd%20!%20by%20Mathieu%20GoToHack%20RENARD.mp3 More information about the conference : http://www.hackitoergosum.org

[HES2013] Hacking apple accessories to pown iDevices – Wake up Neo! Your phon...

Hackito Ergo Sum

What is being exposed from IoT Devices

The Security of Things Forum

As most people are aware, there has been an expansion in mobile banking applications in recent years. The Czech Republic is no exception to this, as nearly all banks have developed a mobile application for their modern mobile operating systems. Although different banks solve their security concepts in different ways, it is possible to discuss typical situations and problems that inevitably appear while designing mobile banking applications.

SmartDevCon - Katowice - 2013

Petr Dvorak

Introduction to computers

MehulNamdev1

OWASP Cambridge Chapter Meeting 13/12/2016

joebursell

Though the potential of the IoT is vast, adoption can easily be curtailed by security worries. No company wants their products to be a victim of a hack, yet many do not appear to consider security as a primary driver of design decisions. This presentation will look at IoT security and describe what product designers – regardless of platform – need to be aware of if they want to build a secure and successful device. IoT security encompasses requirements that are new for many product designers – such as provisioning, authentication, OTA upgrades and link encryption – and weaknesses in any one could potentially be used to compromise the security of the end product. From physical attacks to analysis of communications channels, there are many possible attack vectors that need to be considered. From hacked routers to refrigerators sending spam email, there have been a lot of scary news stories about Internet of Things (IoT) security, or lack of it. According to the 2014 Hewlett-Packard Internet of Things Research Study, 70% of Internet connected devices they surveyed didn’t even use encrypted network connections. The US Federal Trade Commission (FTC) recently weighed in on the issue too, releasing a report that outlines potential IoT security risks, ranging from unauthorized access and misuse of personal information, to facilitation of attacks on other systems and risks to personal safety.

Hugo Fiennes - Security and the IoT - Electric Imp

Business of Software Conference

Mickey pacsec2016_final

PacSecJP

Current mobile gadgets includes of rich devices (high resolution video camera, microphone, GPS, etc) which enable high quantity communication (Video conference, current location data, etc). Unfortunately, the rich devices make easy to conduct cyber espionage. For example, a high resolution video is used to read the text on a display. A GPS device is used to track the user's location ("Cerberus" and "mSpy" are famous. Japanese application named "karelog" became social issues). These devices are not used in company's office or factory and computer administrators want to prohibit these devices. Unfortunately, the devices are embedded in a mobile gadget and most of them cannot be disenabled by BIOS or EFI. In order to In order to solve this problem, we propose a thin hypervisor called "DeviceDisEnabler (DDE)", which hides some devices from OS. DDE is a lightweight hypervisor and can be inserted to a pre-installed OS. Although the OS uses "IN" instruction to get the device information on PCI and USB (Vendor ID, Device Class, etc), the "IN" instruction is hooked by DDE and the device information is hidden if the devices is prohibited in the company. Unfortunately, not only attackers but also employees want to bypass the DDE because they want to use the devices. In order to protect bypassing the DDE, it encrypts the disk image of the OS. It means the OS cannot be used without the help of DDE. In order to hide the encryption key, the DDE has three types of key managements (A technique gets a key from the Internet with a secure communication. A technique hides the key into a TPM chip and obtains it at a certain state of boot time only. A technique obfuscates the key into the code using Whitebox Cryptography technique). Current implementation is based on BitVisor 1.4 and the target is a mobile gadget which has Intel CPU. I will talk about the requirements for ARM CPU based implementation.

CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...

CODE BLUE

IoT Session Thomas More

Kevin Van den Abeele

Cc internet of things @ Thomas More

JWORKS powered by Ordina

Fear and Loathing on your Desk: BadUSB, and what you should do about it Presented at Kiwicon 9, 10-11 December 2015, Wellington New Zealand. For over 15 years USB has been the universal computing peripheral interface. In simpler times the host computer and the USB device trusted each other, and so USB implementations historically placed little emphasis on security issues. But what if malicious firmware were loaded into a USB device? How can you protect yourself from BadUSB? This talk will review public implementations of BadUSB, and (the distinct lack of) available defensive techniques. A hardware gadget will then be presented to make most of your problems...disappear.

BadUSB, and what you should do about it

robertfisk

USB-устройства, такие как клавиатуры и мыши, могут быть использованы для взлома персональных компьютеров в качестве потенциального нового класса атак, которые обходят все известные механизмы защиты. Я покажу все типы USB атак и вы увидите эффективность USB атак на практике.

Алексей Мисник - USB устройства для пентеста

HackIT Ukraine

Ryan Wilson - ryanwilson.com - IoT Security

Ryan Wilson

Web application security and why you should review yours, is a whole stack look skydive without a parachute, let's try not to die as we explore what is an attack surface, Arcronym hell, Vulnerability naming, Detection or provention is there a place for both or none, emerging oss technologies which can help you, a firehose review of compromises 2014 through 2018, and finally a live compromise demo covering everything we've discussed as being 'bad' ... or as often happens the backup video.

Ple18 web-security-david-busby

David Busby, CISSP

Mbs f41 a

SelectedPresentations

Similar to Juice Jacking 101 (20)

“Secure Hardware Architecture for Embedded Vision,” a Presentation from Neuro...

Neo900: Crafting The Private Phone

IoThings you don't even need to hack

Security Issues in Android Custom ROM

Security Issues in Android Custom Rom

[HES2013] Hacking apple accessories to pown iDevices – Wake up Neo! Your phon...

What is being exposed from IoT Devices

SmartDevCon - Katowice - 2013

Introduction to computers

OWASP Cambridge Chapter Meeting 13/12/2016

Hugo Fiennes - Security and the IoT - Electric Imp

Mickey pacsec2016_final

CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...

IoT Session Thomas More

Cc internet of things @ Thomas More

BadUSB, and what you should do about it

Алексей Мисник - USB устройства для пентеста

Ryan Wilson - ryanwilson.com - IoT Security

Ple18 web-security-david-busby

Mbs f41 a

More from Robert Rowley

WordPress Security (know your enemy WordCamp Kyoto)

Robert Rowley

Detecting and Defending Your Privacy Against State-Actor Surveillance

Robert Rowley

Privacy; Past, Present and Future

Robert Rowley

Wordpress Security 101

Robert Rowley

State of Web App Security 2012

Robert Rowley

Nmap Scripting Engine and http-enumeration

Robert Rowley

This isn’t your uncle’s “what’s a WAF” talk, I’ll be covering as many cool tricks and advance topics related to deploying Web Application Firewalls. I will show you how to write custom scripts using lua and mod_security, and give first hand experiences of how I used scripting with a WAF to put the security team at my previous job ahead of the game when dealing with web app attacks. I will be including the source code for these example scripts which can be used to provide automatic incident response, counter-intelligence and more.

Teaching Your WAF New Tricks

Robert Rowley

More from Robert Rowley (7)

WordPress Security (know your enemy WordCamp Kyoto)

Detecting and Defending Your Privacy Against State-Actor Surveillance

Privacy; Past, Present and Future

Wordpress Security 101

State of Web App Security 2012

Nmap Scripting Engine and http-enumeration

Teaching Your WAF New Tricks

Recently uploaded

Angeliki Cooney has spent over twenty years at the forefront of the life sciences industry, working out of Wynantskill, NY. She is highly regarded for her dedication to advancing the development and accessibility of innovative treatments for chronic diseases, rare disorders, and cancer. Her professional journey has centered on strategic consulting for biopharmaceutical companies, facilitating digital transformation, enhancing omnichannel engagement, and refining strategic commercial practices. Angeliki's innovative contributions include pioneering several software-as-a-service (SaaS) products for the life sciences sector, earning her three patents. As the Senior Vice President of Life Sciences at Avenga, Angeliki orchestrated the firm's strategic entry into the U.S. market. Avenga, a renowned digital engineering and consulting firm, partners with significant entities in the pharmaceutical and biotechnology fields. Her leadership was instrumental in expanding Avenga's client base and establishing its presence in the competitive U.S. market.

Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...

Angeliki Cooney

Artificial Intelligence Chap.5 : Uncertainty

Khushali Kathiriya

Dubai, known for its towering skyscrapers, luxurious lifestyle, and relentless pursuit of innovation, often finds itself in the global spotlight. However, amidst the glitz and glamour, the emirate faces its own set of challenges, including the occasional threat of flooding. In recent years, Dubai has experienced sporadic but significant floods, disrupting normalcy and posing unique challenges to its infrastructure. Among the critical nodes in this bustling metropolis is the Dubai International Airport, a vital hub connecting the world. This article delves into the intersection of Dubai flood events and the resilience demonstrated by the Dubai International Airport in the face of such challenges.

Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf

Orbitshub

Corporate and higher education. Two industries that, in the past, have had a clear divide with very little crossover. The difference in goals, learning styles and objectives paved the way for differing learning technologies platforms to evolve. Now, those stark lines are blurring as both sides are discovering they have content that’s relevant to the other. Join Tammy Rutherford as she walks through the pros and cons of corporate and higher ed collaborating. And the challenges of these different technology platforms working together for a brighter future.

Corporate and higher education May webinar.pptx

Rustici Software

Scaling API-first – The story of a global engineering organization Ian Reasor, Senior Computer Scientist - Adobe Radu Cotescu, Senior Computer Scientist - Adobe Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

apidays

Strategies for Landing an Oracle DBA Job as a Fresher

Remote DBA Services

Effective data discovery is crucial for maintaining compliance and mitigating risks in today's rapidly evolving privacy landscape. However, traditional manual approaches often struggle to keep pace with the growing volume and complexity of data. Join us for an insightful webinar where industry leaders from TrustArc and Privya will share their expertise on leveraging AI-powered solutions to revolutionize data discovery. You'll learn how to: - Effortlessly maintain a comprehensive, up-to-date data inventory - Harness code scanning insights to gain complete visibility into data flows leveraging the advantages of code scanning over DB scanning - Simplify compliance by leveraging Privya's integration with TrustArc - Implement proven strategies to mitigate third-party risks Our panel of experts will discuss real-world case studies and share practical strategies for overcoming common data discovery challenges. They'll also explore the latest trends and innovations in AI-driven data management, and how these technologies can help organizations stay ahead of the curve in an ever-changing privacy landscape.

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

TrustArc

Axa Assurance Maroc - Insurer Innovation Award 2024

The Digital Insurer

💥 You’re lucky! We’ve found two different (lead) developers that are willing to share their valuable lessons learned about using UiPath Document Understanding! Based on recent implementations in appealing use cases at Partou and SPIE. Don’t expect fancy videos or slide decks, but real and practical experiences that will help you with your own implementations. 📕 Topics that will be addressed: • Training the ML-model by humans: do or don't? • Rule-based versus AI extractors • Tips for finding use cases • How to start 👨‍🏫👨‍💻 Speakers: o Dion Morskieft, RPA Product Owner @Partou o Jack Klein-Schiphorst, Automation Developer @Tacstone Technology

DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam

UiPathCommunity

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...

Zilliz

Passkeys: Developing APIs to enable passwordless authentication Cody Salas, Sr Developer Advocate | Solutions Architect - Yubico Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...

apidays

2024: Domino Containers - The Next Step. News from the Domino Container commu...

Martijn de Jong

The Good, the Bad and the Governed - Why is governance a dirty word? David O'Neill, Chief Operating Officer - APIContext Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...

apidays

The value of a flexible API Management solution for Open Banking Steve Melan, Manager for IT Innovation and Architecture - State's and Saving's Bank of Luxembourg Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - The value of a flexible API Management solution for O...

apidays

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving

Edi Saputra

AWS Community Day CPH - Three problems of Terraform

Andrey Devyatkin

How to Troubleshoot Apps for the Modern Connected Worker

ThousandEyes

The microservices honeymoon is over. When starting a new project or revamping a legacy monolith, teams started looking for alternatives to microservices. The Modular Monolith, or 'Modulith', is an architecture that reaps the benefits of (vertical) functional decoupling without the high costs associated with separate deployments. This talk will delve into the advantages and challenges of this progressive architecture, beginning with exploring the concept of a 'module', its internal structure, public API, and inter-module communication patterns. Supported by spring-modulith, the talk provides practical guidance on addressing the main challenges of a Modultith Architecture: finding and guarding module boundaries, data decoupling, and integration module-testing. You should not miss this talk if you are a software architect or tech lead seeking practical, scalable solutions. About the author With two decades of experience, Victor is a Java Champion working as a trainer for top companies in Europe. Five thousands developers in 120 companies attended his workshops, so he gets to debate every week the challenges that various projects struggle with. In return, Victor summarizes key points from these workshops in conference talks and online meetups for the European Software Crafters, the world’s largest developer community around architecture, refactoring, and testing. Discover how Victor can help you on victorrentea.ro : company training catalog, consultancy and YouTube playlists.

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024

Victor Rentea

Tracing the root cause of a performance issue requires a lot of patience, experience, and focus. It’s so hard that we sometimes attempt to guess by trying out tentative fixes, but that usually results in frustration, messy code, and a considerable waste of time and money. This talk explains how to correctly zoom in on a performance bottleneck using three levels of profiling: distributed tracing, metrics, and method profiling. After we learn to read the JVM profiler output as a flame graph, we explore a series of bottlenecks typical for backend systems, like connection/thread pool starvation, invisible aspects, blocking code, hot CPU methods, lock contention, and Virtual Thread pinning, and we learn to trace them even if they occur in library code you are not familiar with. Attend this talk and prepare for the performance issues that will eventually hit any successful system. About authorWith two decades of experience, Victor is a Java Champion working as a trainer for top companies in Europe. Five thousands developers in 120 companies attended his workshops, so he gets to debate every week the challenges that various projects struggle with. In return, Victor summarizes key points from these workshops in conference talks and online meetups for the European Software Crafters, the world’s largest developer community around architecture, refactoring, and testing. Discover how Victor can help you on victorrentea.ro : company training catalog, consultancy and YouTube playlists.

Finding Java's Hidden Performance Traps @ DevoxxUK 2024

Victor Rentea

Keynote 2: APIs in 2030: The Risk of Technological Sleepwalk Paolo Malinverno, Growth Advisor - The Business of Technology Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...

apidays

Recently uploaded (20)

Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...

Artificial Intelligence Chap.5 : Uncertainty

Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf

Corporate and higher education May webinar.pptx

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

Strategies for Landing an Oracle DBA Job as a Fresher

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

Axa Assurance Maroc - Insurer Innovation Award 2024

DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...

Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...

2024: Domino Containers - The Next Step. News from the Domino Container commu...

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...

Apidays New York 2024 - The value of a flexible API Management solution for O...

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving

AWS Community Day CPH - Three problems of Terraform

How to Troubleshoot Apps for the Modern Connected Worker

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024

Finding Java's Hidden Performance Traps @ DevoxxUK 2024

Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...

Juice Jacking 101

1. Juice Jacking 101 Chicago 2012

2. What is juice jacking?

3. One great drunkpiphany

4. The Build Hardware ● EeePC ● Box ● Lots of USB cables Software ● Linux (liveCD) ● USButils package ● Custom shell code

5. First you hack

6. Put it in a box

7. Put it in a box

10. Yea, it worked

11. The Deployment @ Defcon Largest Hacker Conference. Attendees treat it a lot like the wild west. – This means the kiosk will now become a target.

12. The Media

13. The Media ● Krebs on Security

14. The Media ● Krebs on Security ● TG Daily

15. The Media ● Krebs on Security ● TG Daily ● CNET -- “the 404”

16. The Media ● Krebs on Security ● TG Daily ● CNET -- “the 404” ● MSNBC -- Technolog

17. The Media ● Krebs on Security ● TG Daily ● CNET -- “the 404” ● MSNBC -- Technolog ● PC world

18. Don't get jacked. Ideas? ???

19. Don't get jacked. ● USB cable neutering (removing data pin)

20. Don't get jacked. ● USB cable neutering (removing data pin)

21. Don't get jacked. ● USB cable neutering (removing data pin) ● Powering off the device

22. Don't get jacked. ● USB cable neutering (removing data pin) ● Powering off the device ● Confirmation required for mounting/debug access

23. Don't get jacked. ● USB cable neutering (removing data pin) ● Powering off the device ● Confirmation required for mounting/debug access ● Bring a backup battery!

24. Don't get jacked. ● USB cable neutering (removing data pin) ● Powering off the device ● Confirmation required for mounting/debug access ● Bring a backup battery! ● Bring your own charger; only plug into wall sockets (110v AC).

25. Don't get jacked. ● USB cable neutering (removing data pin) ● Powering off the device ● Confirmation required for mounting/debug access ● Bring a backup battery! ● Bring your own charger; only plug into wall sockets (110v AC).

26. My 0.02 ● For business it's a matter of policy. ● For users it's a matter of not forgetting. ● Remember your charger or backup power source/battery. ● The iPhone is a serious concern.

27. Devices Android Majority of roms ship with the “ask before mounting” option. – This differs from rom to rom (check your device.) OS designed with strict security permissions on applications and filesystem. Battery accessible, you can bring another battery or replace the stock battery. Unique risks: – Android debugger – Rooted phones

28. Devices iPhone ● Design for usability first ● Auto-sync ● No confirmation to mount ● No battery replacements ● Proprietary connector ● Strict after-market control

29. Juice Jacking 201 Advanced Topics mmHrmm scruffy says there is more here.

30. Roll your own kiosk ● Push malware to phones ● Pull data from phones ● Foot traffic monitoring (device ID) ● People tracking (device ID)

31. Attack Existing Kiosks ● Complicated PIN/Video systems likely means a CPU is in the box ● USB interface ● Discrete attack (just plugging in your phone!) ● Requires a detailed knowledge of the Kiosk

32. Beyond the Kiosk ● Forget everything about the Kiosk. ● Transfer the attacks to a Laptop/PC. ● Use infected phones to spread Malware. ● Everyone brings their phones to work, plenty of those people will 'charge' at their desk.

33. Summary ● The core threat isn't the kiosk, it is: – A design that chose usability over security. – Data transfer and charging happen on the same port.

34. Summary ● The core threat isn't the kiosk, it is: – A design that chose usability over security. – Data transfer and charging happen on the same port. ● The complexity goes beyond the Kiosk. – Malware infecting PCs/Laptops used to infect phones. – Phones used to infect PCs/Laptops and Kiosks.

35. Summary ● The core threat isn't the kiosk, it is: – A design that chose usability over security. – Data transfer and charging happen on the same port. ● The complexity goes beyond the Kiosk. – Malware infecting PCs/Laptops used to infect phones. – Phones used to infect PCs/Laptops and Kiosks. ● It isn't just phone malware. – Monitoring/Tracking people based on USB device ID – Stolen personal information, Blackmail, etc...

36. Thank You! ● Wall of Sheep ● Iggy, Riverside and Cedoxx ● Toorcon ● Irvine Underground Contact Information: Robert Rowley, Robert@RobRowley.com

Editor's Notes

Id4con Drunken idea … really. Design and team came together @ ID4Con. Let's build a fake cell charging kiosk
ID4CON 2011 Put together in the following weeks (July 4 th → Defcon August 7 th )
Both have security concerns
You are right to think “who the hell would plug into this PoS?” we were too...
So ugly, who would plug in to it?
The “other” charge station, and guiding people along “Burn” phones Reality, noone attacked the kiosk, people still trusted it. And preferred it to the pay kiosk that was at the hotel Reactions: From distrusting, to not caring, to changing corporate policy.
Was fun. … maybe a demo of the kiosk.
Was fun. … maybe a demo of the kiosk.
Was fun. … maybe a demo of the kiosk.
Was fun. … maybe a demo of the kiosk.
Was fun. … maybe a demo of the kiosk.
Was fun. … maybe a demo of the kiosk.

Juice Jacking 101

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Juice Jacking 101

Similar to Juice Jacking 101 (20)

More from Robert Rowley

More from Robert Rowley (7)

Recently uploaded

Recently uploaded (20)

Juice Jacking 101

Editor's Notes