Ever since I learned about the threat of “juice-jacking” — the possibility that plugging your mobile device into a random power charging station using a USB cord could jeopardize the data on that device — I’ve been more mindful about bringing a proper power-outlet charging adapter on my travels. But in the few cases when I forgot or misplaced the adapter, I’ve found myself falling back on one of two devices I’ll review today that are both designed to block USB charging cords from transmitting data.
Juice-jacking as a threat probably first crept into the collective paranoia of gadget geeks in the summer of 2011, after I wrote a story about two researchers at the DefCon hacker convention in Vegas who’d set up a mobile charging station designed to educate the unwary to the fact that many mobile devices (particularly Apple devices) are set up to connect to a computer and immediately sync data.
Their proof-of-concept was a reminder that in the (admittedly unlikely) event that a clever attacker managed to hide a small computer inside of a USB charging kiosk, he might be able to slurp up your device’s data.
Since that story, several products have sprung up to help minimize such threats. These small USB pass-through devices are designed to allow charging yet block any data transfer capability. The two products I’ve been using over the past few months include the “USB Condom” and a device called the “Juice-Jack Defender.”
Both prophylactics (cue the crude jokes) function the same way — with male and female USB adapters at either end — but the two have a slightly different form factor and feel. True to its name, the USB Condom is a rectangular black circuit board wrapped in a clear plastic sheath, measuring approximately 54 millimeters/2 inches long and 20 mm/.75 inches wide.
The Juice-Jack Defender is slightly smaller — about 45 mm long and roughly 16 mm wide — and is wrapped in rubberized black plastic, although the device picture on the Web site of the vendor, chargedefense.com, shows a product coated in blue plastic.
Both perform their meager jobs admirably (without pause or interruption), and so from a functional perspective are indistinguishable. Overall, the Juice-Jack Defender feels much sturdier — as if it would hold up just fine to an inadvertent nudge in an upward or downward direction while charging. I’m not sure I could say the same about the USB Condom, although to be honest I didn’t stress-test either device.
Beyond size and durability, the only difference between the two products may be the price; Charge Defender is only taking pre-orders, and the company hasn’t yet listed a price for the Juice-Jack Defender. The USB Condom retails for $9.99 (with free shipping).
As I noted in my 2011 story, the safest route for charging your device on-the-go is to use the supplied power cord that plugs into a regular electrical outlet (assuming you can find an available outlet). Battery-powered mobile charging devices also work well in a pinch and are available at many airports. If you must use a random charging kiosk, the safest option may be to completely power off the device before plugging it in.
I’ve found myself digging through my backpack for these devices when I’m out and about and bereft of an outlet and the only option is juicing up at a public kiosk (or someone else’s computer!). If nothing else, these little buggers are a great conversation starter; the woman seated beside me on the plane where the above picture was taken had never heard of juice-jacking and was instantly fascinated. Turns out, she ran a small business and had no clue about the risks she faces when banking online with her business checking account (she does now!).
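One way to confirm that a pass-through adapter or charge-only cable really blocks data is to plug the phone into a Linux machine you control, once directly and once through the adapter, and compare what the kernel logs. The script below is an added example, not part of the original post; it assumes the standard Linux USB core log messages, and the sample captures, IDs and product name in it are constructed.

```python
import re

# Patterns for messages the Linux USB core writes to the kernel log
# (read with `dmesg` or `journalctl -k`).
ATTACH = re.compile(r"usb ([\d.-]+): new ([\w-]+) USB device number \d+")
FOUND = re.compile(r"usb ([\d.-]+): New USB device found, "
                   r"idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
PRODUCT = re.compile(r"usb ([\d.-]+): Product: (.+)")


def usb_data_events(log_lines):
    """Return {port: info} for every port where the host saw a data link."""
    ports = {}
    for line in log_lines:
        if m := ATTACH.search(line):
            # The host only logs an attach when it detects the device on the
            # data lines, so this line alone shows the data wires are connected.
            ports[m.group(1)] = {"speed": m.group(2), "enumerated": False,
                                 "id": None, "product": None}
        elif m := FOUND.search(line):
            info = ports.setdefault(m.group(1), {"speed": None, "product": None})
            info.update(enumerated=True, id=f"{m.group(2)}:{m.group(3)}")
        elif (m := PRODUCT.search(line)) and m.group(1) in ports:
            ports[m.group(1)]["product"] = m.group(2).strip()
    return ports


def verdict(log_lines):
    """Classify a kernel-log capture taken while plugging the phone in."""
    events = usb_data_events(log_lines)
    if not events:
        return "charge-only"           # host never saw the phone: data blocked
    if any(p["enumerated"] for p in events.values()):
        return "data-link-up"          # descriptors were read: not blocked
    return "data-lines-connected"      # attach seen, enumeration incomplete


# Constructed sample captures (IDs and product name are made up).
DIRECT = [
    "[ 5012.101] usb 1-2: new high-speed USB device number 7 using xhci_hcd",
    "[ 5012.250] usb 1-2: New USB device found, idVendor=1234, "
    "idProduct=abcd, bcdDevice= 1.00",
    "[ 5012.250] usb 1-2: Product: Example Phone",
]
VIA_BLOCKER = ["[ 6100.002] constructed: unrelated kernel message"]
HALF_WIRED = [
    "[ 7001.500] usb 1-2: new full-speed USB device number 8 using xhci_hcd",
    "[ 7001.620] usb 1-2: device descriptor read/64, error -71",
]

if __name__ == "__main__":
    for name, capture in [("direct", DIRECT), ("via blocker", VIA_BLOCKER),
                          ("half-wired cable", HALF_WIRED)]:
        print(f"{name}: {verdict(capture)}")
```

Take the direct capture first as a baseline: if the phone does not show up even without the adapter, an empty log through the adapter proves nothing.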
> If you must use a random charging kiosk, the safest option may be to completely power off the device before plugging it in.
Not really applicable nowadays: smartphones and tablets will turn themselves on when you plug them in. Very few devices have a truly passive, charging-only mode nowadays.
My computer doesn’t show my Android phone as a device until it (the phone) is unlocked. Is that sufficient to prevent juice-jacking?
From the looks of it, the USB Condom has charge mode resistors, but I don’t know if the other has them. The USB Condom is set in a way that either allows for 1A or 2A charging, but I can’t tell which setting they are set to. This is bad for a standard USB port, so I wouldn’t use such a device on anything I own (such is the way these things are).
I may come up with a design of something like this with a little smarts in it. I could easily enough detect the port type at the host port and then give you the maximum safe current settings at the device end. Hm…
The use of a portable external battery pack is also a good defense. These battery extenders plug into the wall or USB and charge up.
You charge the phone from the battery pack after removing the battery from the power source – you can then return the battery pack to any charging source to refill it without the phone ever coming into contact with a suspect power adapter.
As an added bonus these also help when you don’t have a power source – as long as you charged before you left home.
http://nakedsecurity.sophos.com/2010/03/08/bad-bunny-energizer-usb-battery-charger-blamed-backdoor/
The issue with “juice-jacking” or USB-based data theft from mobile phones is identifying what your phone is presenting itself to the USB charger as.
Here, the main risk was iOS-based devices (iPhones, iPads and iPod Touch) running earlier iterations of the operating system. These didn’t provide user-facing identification on the device about whether they were connected to a computer device or simply a power-supply device.
Android users were able to know this state through a prompt on the Notification bar as whether they were connected to a computer device rather than a power device by showing at least a USB “fork” logo when connected to a computer device and describing what it is presenting itself while connecting.
Here, iOS users need to update to the latest iteration of the operating system and pay attention to signals that say that the iOS device is connected to a computer device when plugging in. Android users would also need to pay attention to the aforementioned signals as well.
I wouldn’t think a GUI notification gives enough warning. There’d likely be at least a few seconds of connection even if you’re watching closely. A bad guy would get a fair chunk of data in a few seconds, even at USB speeds. (And if miscreants were clever enough to wait 5 minutes after connection before activating the data link…)
Hmm? As of iOS 7, there is a security alert when connecting to a computer. Unless you click “Trust” (the non-default option), that computer cannot access any data on your iOS device.
Juice-jacking hasn’t been a thing for iOS devices since iOS 6 days.
Yes, and I’m sure the entire ecosystem of iOS 6 users has already upgraded, right? I mean, iOS6 is, like, ancient now, right? And nobody puts off applying major updates to their mobile operating systems that long. Oh wait, it was only released to the public in March? Hrmm…..
Brian,
You have a valid point about updating, but Apple HAS greatly limited the impact in the time since your original story by adding this feature to iOS 7.
A couple of points though… iOS 7 was released September 18, 2013 – not in March of this year. The most recent adoption rates I could find indicated that as of late March 2014, over 85% of iOS users were running iOS 7… my guess is that the total adoption rate would be over 90% by now.
To be sure, having 10% of the iOS population at risk of this issue is nothing to sneeze at, but as a developer one of the big benefits of the iOS ecosystem is the widespread and relatively quick adoption of new OS releases that comes along with how Apple operates – in comparison with Android especially.
It also is very helpful from a security standpoint as this issue points out.
At WWDC 2014, Tim Cook announced that 98% of iOS users are running iOS 7.
…and Tim Cook works for who?
The people that’d know?
My 1st gen iPad is stuck at ios5. I personally know someone using an iphone 3G, and nope, no ios7 for that either.
Do you think all the Gen1 iPads and older iphones in the world only add up to 2% of all ios devices? That 98% stat likely only counts the devices that are able to run ios7, but putting that little detail in the presentation wouldn’t make it look as impressive.
I personally know someone using two 3Gs, me. And our household has two older iPads. That’s 100% of our demographic pre-7 :0))
Actually, the “98%” figure was quoted for Fortune 500 company adoption. The figure he said was “almost 9 out of 10” of the installed base is running the latest version, so one can assume between 86 and 89%.
Still pretty good, especially compared to the update lag (enhanced by carrier prohibitions) on other platforms. And it is unclear whether he was referring to their entire installed base, or the installed base that _can_ update to iOS 7. I believe a few months ago an 87% figure was released, which was determined by the percentage of connections to the App Store, which allows them to detect the OS version, so I assume it’s any device including ones that are not able to update, as iOS 5 and 6 certainly have no problems connecting to the App Store. The numbers are a bit fuzzed due to how those devices are being actively used, but considering the sheer number of App Store connections, it’s likely a solid representative sample.
Older devices are less likely to bother connecting to the App Store and may not get caught up in this, but by that token they’re also less likely to be the active device brought out with users on the road to be vulnerable to this kind of attack. My iPad 1 and iPhone 3G may not be able to be updated, but they never leave the house. (And the 3G is rarely ever charged, just sitting in a drawer.)
That tangent being over…
…the important part is still how the device detects and what data can be accessed through the device. iOS 7 does prompt a “Trust This Device?” dialogue box when connecting to a computer, but it does not prompt the same thing when, say, connecting to something that uses its iPod controls. (Say, a car’s internal system.) Is this a component of how the device being connected to chooses to identify itself, or is it a component of iOS 7, where it will only allow certain aspects of the system to be accessed without prompt, but anything else requires explicit permission? (Which, let’s face it, half of the people will just grant without thinking about it if they think all they’re connecting to is a “charging station.”)
A good step up, but more needs to be clarified, and I think way more will still have to be “understood” by the general public in this regard.
Unfortunately I cannot upgrade my iPad (I) or iPod Touch (II) to use iOS7.
Hmmm… remember these are the same people who will connect to an unknown WiFi just to save a few pennies on their data plan, so I’m pretty sure they’ll consider the risks before they click “Trust”.
I wonder how many noobs out there will just simply press Trust.
People have been trained to say Yes if they want to accomplish what they’re doing regardless of the warning.
If people actually paid attention to the warnings, there would be significantly fewer virus infections, toolbars, and adware out there.
There is Umbrella USB project on Kickstarter at $12 (early bid $9 is gone)(https://www.kickstarter.com/projects/sparqee/umbrella-usb), similar to USBCondom on CrowdSupply at $10.
There is also Legion Meter project, which is charge accelerator + USB multimeter + juice jacking protector… but a bit pricy.
Nb. “free USA shipping” is not “free shipping”!
Oh this Sparqee? Yea we know about him already. 😉
https://dl.dropboxusercontent.com/u/2595211/Screen%20Shot%202014-06-03%20at%203.02.07%20PM.png
If you want an Active USB Firewall that would provide the right signatures to enable fast charging check out LockedUSB Adapter http://www.lockedusb.com
Wouldn’t a ‘custom’ charging cable with disconnected data pins/wires work ?
Spot on! And these charger cables aren’t custom either. You can buy them at every airport or on Amazon for a few bucks. And various battery blocks come with one.
I trust a charger cable even more than a mystery device. No data wires = no data transmission!
I agree – no data hook up means no data transfer.
When my daughter was traveling on a long plane flight many years ago, I built a little dumb charger like this. A battery, voltage regulator chip, etc. and USB connector with just power pins hooked up.
However, being home made, it could have been perceived as an evil device of some sort so she was reluctant to carry it with her at the airport.
Actually that *doesn’t* work as we found out from our early prototypes. Apple deviated from the USB specification and did something that forces you to be “Apple compliant” USB cables. So USBCondoms works around this.
https://twitter.com/USBCondom/status/428615263693467648
Yeah I was just wondering how long before this thing gets announced to have NSA level spyware embedded on the chip…
USB cables are so cheap that I fail to understand why people are not making these themselves. Just cut the green wire and you’re good to go.
Actually we were doing this for a long while here at http://www.xipiter.com
But we quickly discovered that it doesn’t work for Apple iOS devices. We also discovered that we were destroying a lot of perfectly good cables. With USBCondom you can metaphorically “cut the wires” in cables and not destroy them. When you’re ready to sync, just take it off. This is why we created it last year.
So don’t support the evil apple empire and it’s not a problem.
Watch out everyone, it’s a Google shill!
Yeah god forbid I choose a platform that allows me to swap my own storage and batteries for 1/5th the cost and let me remove bloatware, ad-block, and tinker with the open source developer kit for free. Plus I can make my own charging only cable for a buck or less.
Is there a possibility to get those anti-juice-jacking devices in Europe (Germany)? As Jakub wrote: “free shipping” is not “free shipping” 🙂 Maybe there is a company in Europe selling this stuff? Does anyone know?
We’ve shipped hundreds to Europe 😉
It was expensive to get international shipping set up (you have to do shipping manifests and customs declarations) but we’ve been doing it since last year!
I’ve found that the cheapass USB cables (0.99 on ebay) don’t have a data connection anyway. A massive PITA if you *want* to sync your device, but ideal if you want to charge it.
While traveling I carry the travel PSU all the time and avoid like hell using USB outlets. I don’t know if that freaking USB is faulty and provides more than 5v so bye bye mobile. I prefer to connect my travel adapter that I trust. I also have an AA-powered PortaPow and it’s simply a lovely solution (AAs can be found everywhere!)
“I don’t know if that freaking USB is faulty and provides more than 5v so bye bye mobile.” Good catch! I would not touch a solution that could result in a fried phone.
There are power-only USB cables, and they are cheap. I have one charging-only cable for Bluetooth mini-keyboard… which I had noticed when I tried to use it to copy photo from the smartphone to the PC.
Seems the volume these would take up in your bag isn’t much less than a 1-inch-cubed AC adapter.
Would be nice if they had a light or some kind of indicator when a hostile charging station is found. (Kind of like how my portable surge protector has a light to identify faulty wiring in the outlet.)
Better yet, a device that goes in-line with the charging cable, and if the “charging” port tries to transfer data, it dumps 24 or 48 volts across the data pins…
All these devices do is connect the +5 volt rail and ground and don’t allow the data pins. You could make these kinds of devices yourself, and it’s pretty easy to do.
Ten dollar FUD device in my opinion
iOS 7 and later always prompt you, asking if you want to trust the device you just plugged into, when any potential digital interaction is attempted.
Most of those public charging stations are so dodgy and abused, I wouldn’t plug an ecig into them. One I saw at FLL intl airport was sparking and no doubt frying all the phones, tablets, etc plugged into it.
With the advent of Arduino the potential for the threat described here is real, but probably more likely when connecting to FREE_PUBLIC_WIFI
And you’re trusting the same people who click Yes to “Install Virus” to understand the risks involved with a popup?
Wasn’t the whole point of an idevice to not know what the hell you’re doing and have no risk of screwing yourself up?
But will it actually charge? At a reasonable rate.
There are resistors pulling the data lines to certain voltage to identify that it can do more than 500mA, typically 1A or 2A, the latter especially for tablets.
Most devices display a USB notification when plugged into a computer
But using the protection, does the charge current stay at 2A? They could muck up the high frequency data signals leaving the dc voltage, but is that what they do?
I should also second a battery pack – one charged via USB that provides USB @2A. That would be safe.
I use a device called PortPilot. This was originally a KickStarter project and is now taking pre-orders through the Hak5 shop. http://hakshop.myshopify.com/products/portpilot
Here’s a trick using a piece of paper.
http://www.instructables.com/id/USB-Charge-Cable-Hack/
Neat hack! Unfortunately that won’t work for Apple iOS devices though 😉
Great article Brian. I didn’t even know this was a thing.
Since ios7, iPhones have a “Trust/Don’t Trust” prompt whenever you connect USB. If you select “Don’t Trust” is that considered a reasonable defense or has this been overcome by the bad guys?
Apple actually took this threat fairly seriously as well:
On iOS 7, if you try to access the device like a computer, it now has a “trust this computer” dialog that appears even on an unlocked phone.
iOS6 did not, and so was vulnerable.
Or you can pay about $20 and buy a real good external cell phone battery then not worry about juice-jacking
Or a 2nd battery, or just get a bigger one in the first place.
I was JUST telling my people about this a few weeks ago. They didn’t believe it was a threat.
Guess who’s getting a link to this article? Yep, everybody…
NewerTech has had a ‘Sync Switch’ USB extender cable available for at least a year, it’s less than $9 at OWC.
eshop.macsales.com/item/Newer Technology/CBLUSBCS1M/
Cool, Krebs flies in coach!
Back here with us little folk.
I always carry spare chargers and often I share them with folks who can’t find theirs.
But I would never let them charge off my computer! Too afraid of the data going the other way.
There is also http://lockedusb.com/ via http://hackerwarehouse.com/product/lockedusb-usb-charge-cable/
$8 from HakShop for their USB/Lightning Contraceptive: http://hakshop.myshopify.com/products/usb-contraceptive
Also soon they should have the PortPilot out for $59:
http://hakshop.myshopify.com/products/portpilot
Brian,
Thanks very much for the article and kind words. We have tested the Juice Jack Defender on a ton of products. It worked on all mobile devices that use USB charging – even iPads and iPods, which was a bit of an unexpected consequence.
Stephen is exactly right about the cables. Our first attempt was simply to open the circuit for the two inside data lines. It worked great with Android devices, but not with Windows or Apple mobile devices. It took a lot of experimentation and reverse engineering to finally come up with the correct configuration.
We hit some unexpected and frustrating manufacturing issues. But, we are thinking about quickly putting a kit together for folks that want to do it themselves. Would love to know what kind of interest there is for that idea. We could do that pretty quickly if there is enough interest.
Again, very nice article, Brian. Well-researched with excellent insight and conclusions.
My Android phone(s) present an either/or scenario. When you plug into a USB port you can configure the connection as power or data (& probably as a cell hotspot as a third option) but not both.