Downloaded 48 times
Uploaded byRobert Rowley
Juice Jacking 101
The document discusses the concept of juice jacking, highlighting its implementation at conferences like DEFCON, where charging kiosks can become targets for malware attacks. It emphasizes the inherent security risks in designs prioritizing usability over security, particularly the simultaneous data transfer and charging through the same USB port. The text provides suggestions for users to mitigate risks, such as using backup batteries, unpowered USB cables, and only utilizing wall sockets.
More Related Content
![[CB19] Hardware Wallet Security](https://cdn.slidesharecdn.com/ss_thumbnails/codeblue19securityofhwwalletsfinal-191211070647-thumbnail.jpg?width=640&height=640&fit=bounds)
Juice Jacking 101
- 1.
- 2. What is juicejacking?
- 3.
- 4. The Build Hardware ● EeePC ●Box ● Lots of USB cables Software ● Linux (liveCD) ● USButils package ● Custom shell code
- 5.
- 6. Put it ina box
- 7. Put it ina box
- 10.
- 11. The Deployment @Defcon Largest Hacker Conference. Attendees treat it a lot like the wild west. – This means the kiosk will now become a target.
- 12.
- 13. The Media ● Krebson Security
- 14. The Media ● Krebson Security ● TG Daily
- 15. The Media ● Krebson Security ● TG Daily ● CNET -- “the 404”
- 16. The Media ● Krebson Security ● TG Daily ● CNET -- “the 404” ● MSNBC -- Technolog
- 17. The Media ● Krebson Security ● TG Daily ● CNET -- “the 404” ● MSNBC -- Technolog ● PC world
- 18.
- 19. Don't get jacked. ●USB cable neutering (removing data pin)
- 20. Don't get jacked. ●USB cable neutering (removing data pin)
- 21. Don't get jacked. ●USB cable neutering (removing data pin) ● Powering off the device
- 22. Don't get jacked. ●USB cable neutering (removing data pin) ● Powering off the device ● Confirmation required for mounting/debug access
- 23. Don't get jacked. ●USB cable neutering (removing data pin) ● Powering off the device ● Confirmation required for mounting/debug access ● Bring a backup battery!
- 24. Don't get jacked. ●USB cable neutering (removing data pin) ● Powering off the device ● Confirmation required for mounting/debug access ● Bring a backup battery! ● Bring your own charger; only plug into wall sockets (110v AC).
- 25. Don't get jacked. ●USB cable neutering (removing data pin) ● Powering off the device ● Confirmation required for mounting/debug access ● Bring a backup battery! ● Bring your own charger; only plug into wall sockets (110v AC).
- 26. My 0.02 ● Forbusiness it's a matter of policy. ● For users it's a matter of not forgetting. ● Remember your charger or backup power source/battery. ● The iPhone is a serious concern.
- 27. Devices Android Majority of romsship with the “ask before mounting” option. – This differs from rom to rom (check your device.) OS designed with strict security permissions on applications and filesystem. Battery accessible, you can bring another battery or replace the stock battery. Unique risks: – Android debugger – Rooted phones
- 28. Devices iPhone ● Design forusability first ● Auto-sync ● No confirmation to mount ● No battery replacements ● Proprietary connector ● Strict after-market control
- 29. Juice Jacking 201 AdvancedTopics mmHrmm scruffy says there is more here.
- 30. Roll your ownkiosk ● Push malware to phones ● Pull data from phones ● Foot traffic monitoring (device ID) ● People tracking (device ID)
- 31. Attack Existing Kiosks ●Complicated PIN/Video systems likely means a CPU is in the box ● USB interface ● Discrete attack (just plugging in your phone!) ● Requires a detailed knowledge of the Kiosk
- 32. Beyond the Kiosk ●Forget everything about the Kiosk. ● Transfer the attacks to a Laptop/PC. ● Use infected phones to spread Malware. ● Everyone brings their phones to work, plenty of those people will 'charge' at their desk.
- 33. Summary ● The corethreat isn't the kiosk, it is: – A design that chose usability over security. – Data transfer and charging happen on the same port.
- 34. Summary ● The corethreat isn't the kiosk, it is: – A design that chose usability over security. – Data transfer and charging happen on the same port. ● The complexity goes beyond the Kiosk. – Malware infecting PCs/Laptops used to infect phones. – Phones used to infect PCs/Laptops and Kiosks.
- 35. Summary ● The corethreat isn't the kiosk, it is: – A design that chose usability over security. – Data transfer and charging happen on the same port. ● The complexity goes beyond the Kiosk. – Malware infecting PCs/Laptops used to infect phones. – Phones used to infect PCs/Laptops and Kiosks. ● It isn't just phone malware. – Monitoring/Tracking people based on USB device ID – Stolen personal information, Blackmail, etc...
- 36. Thank You! ● Wallof Sheep ● Iggy, Riverside and Cedoxx ● Toorcon ● Irvine Underground Contact Information: Robert Rowley, Robert@RobRowley.com
Editor's Notes
- #3 Id4con Drunken idea … really. Design and team came together @ ID4Con. Let's build a fake cell charging kiosk
- #4 ID4CON 2011 Put together in the following weeks (July 4 th → Defcon August 7 th )
- #5 Both have security concerns
- #8 You are right to think “who the hell would plug into this PoS?” we were too...
- #10 So ugly, who would plug in to it?
- #12 The “other” charge station, and guiding people along “Burn” phones Reality, noone attacked the kiosk, people still trusted it. And preferred it to the pay kiosk that was at the hotel Reactions: From distrusting, to not caring, to changing corporate policy.
- #13 Was fun. … maybe a demo of the kiosk.
- #14 Was fun. … maybe a demo of the kiosk.
- #15 Was fun. … maybe a demo of the kiosk.
- #16 Was fun. … maybe a demo of the kiosk.
- #17 Was fun. … maybe a demo of the kiosk.
- #18 Was fun. … maybe a demo of the kiosk.