TSA Warning—Stop Using These Smartphone Chargers

Republished on July 31 with new guidance for Android and iPhone owners on the specific vulnerabilities for their devices following TSA’s warning.

It’s holiday season. And as millions of travelers prepare to jet off from airports across the U.S. and beyond, the Transportation Security Administration’s recent phone charger warning for airline passengers has suddenly been given some added urgency.

The security agency has told airport travelers to “bring your TSA-compliant power brick or battery pack and plug in there,” rather than use public charging points. “When you’re at an airport, do not plug your phone directly into a USB port.”

This relates to so-called juice jacking, which along with the overhyped threat from public WiFi is guaranteed to irk cybersecurity professionals. But just as TSA’s airport WiFi warning has been reinforced by the security industry, so it is now with charging.

“Public USB ports should never be treated as safe,” warns NordVPN’s Adrianus Warmenhoven (via ZDNet), following its new report into the threat from choicejacking. This enhancement on juice jacking can bypass the protections in your smartphone to trick it into accepting a data cable connection when it shouldn’t.

Warmenhoven describes choicejacking as “a dangerous evolution in public charging threats. With a single deceptive prompt, attackers can trick people into enabling data transfer, potentially exposing personal files and other sensitive data.”

Per Hackread, “the rise of choicejacking reinforces what cybersecurity experts have said for years: public USB ports should not be trusted. Even at airports, hotels, or cafés, a compromised charger could be waiting to hijack your device.”

That’s debatable. Most public charging warnings are met with a fair amount of cyber derision. It’s a blunt force attack. You’re only likely to be specifically targeted by a malicious charging point or cable if you’re in a high-risk vocation or location.

But what choicejacking has done is show how a phone can be tricked into thinking a physical connection is one thing, a keyboard for example, while in reality it’s something else. And data can be stolen as a result.

If you consider your risk profile to be high, this should be a consideration. Use your own charger and cable. And bear in mind that when your phone is unlocked while charging, it’s more vulnerable to this attack — if juice jacking attacks really exist, of course.

Meanwhile, Android Authority has issued guidance for Android and iPhone users, setting out the different risks for each platform. Again, subject to that reality check.

Attacks on Android phones “exploit permissions for peripherals,” the website explains, using Android’s Open Accessory Protocol for accessories such as “mice or keyboards. Attackers can then begin hijacking system input through ADB (or Android Debug Bridge), which can simulate user input and change the USB mode to allow data transfer. The attack then proceeds with a series of commands aimed at gaining complete control of the device and gaining key access for further control.”

iOS is different. “A rigged USB cable or charger can be used to trigger a connection event for a Bluetooth device. Although it may appear as a regular Bluetooth-based audio accessory to your iPhone, it could act as the machinery to secretly allow data transfer and gain access to specific files and photos. However, it cannot access the entire iOS system as it can on Android.”
