Readit News
SilverBirch · 2 years ago
I think juice jacking is one of those things that's about a lack of real engagement about risk. Yes it's all very 007 to plant a dodgy USB charger, but it doesn't really reflect the real threat profile in the world. If you're just an average guy the biggest risk to you of someone stealing your phone and accessing your data is having your phone out as you walk through a city and someone will just snatch it out of your hands. If you're a head of state you should be more worried about someone like the NSO group and you should be operating a whole host of security practices. And as well as all this remember - the way Stuxnet was delivered wasn't some subtly planted infected phone charger, they had a mole on the inside who inserted the infected USB stick in the full knowledge that what they were doing was breaching security.
thefurdrake · 2 years ago
What about placing public, malicious chargers at the cafe across the street from the busy office building owned by a company whose data you'd really like to steal? It's sort of like the old tactic of dropping interesting-looking USB drives/CDs in the same kind of area, hoping that someone will be dumb/curious enough to plug it in.

It's about application and context.

SilverBirch · 2 years ago
If, as a company, you’re expecting all your employees to be opsec experts you either have 1 employee or you are planning to fail. This is like that bullshit fake “phishing” email corporate IT departments send out as a test. The only thing it proves is your attack surface is too large.
Two4 · 2 years ago
I thought they used the Russian consultants as a vector by infecting their laptops before they went inside the airgapped system? I was under the impression that this was the reason Stuxnet spread so far and wide, because it had to spread organically to the Russians' devices. Time for a Wikipedia rabbit hole, I guess.
gardenhedge · 2 years ago
"This is, by the way, exactly how these things are supposed to work: Someone points out a vulnerability in technology and its manufacturers or developers figure out a way to fix it."

Uh.. no. It should be designed with security in mind, which it obviously wasn't.

benwad · 2 years ago
Yeah - if they were able to demonstrate this at DEFCON then it had most likely been exploited in the wild somewhere as well.
dmvdoug · 2 years ago
I mean… in hindsight, you could say that about almost everything, as soon as some way is found to exploit it.

I hope you don’t disagree with the idea that once a vulnerability is disclosed, the manufacturers/developers should fix it, and that’s a good model for this fallen, insecure world of ours. Of course, the best model would be to have no security holes at all. But everyone knows how realistic that is…

rini17 · 2 years ago
> Most phone manufacturers have since added a prompt asking the user if they’ll allow data to be exchanged.

And doing it badly. I am sometimes using an external keyboard connected via a charging hub. The Android phone happily accepts keyboard input regardless of the "charge only" setting.

gruez · 2 years ago
I think by "data transfer" they mean photos/file transfer, or iTunes backup/sync on iOS. If you want to really get nitpicky about it, USB power negotiation counts as "data transfer".
rini17 · 2 years ago
So it's a non-issue, or what are you trying to argue?
Wowfunhappy · 2 years ago
I think it would be pretty hard for an attacker to do damage merely by sending keyboard input, particularly without the user noticing. Not impossible, but also not worth worrying about if you're not POTUS-level.
rini17 · 2 years ago
Phones behave strangely all the time even without being hacked.

Oh right, since I'm not POTUS then nothing really is at stake, merely my online identity and banking stuff and communication with kids' school and such /s

NKosmatos · 2 years ago
Well… I think that there are some real threats with chargers and USB cables and it’s not an urban legend. Have a look at O.MG and BadUSB cables over at https://mg.lol

I agree that it’s not something widespread and we’re not exposed to a real and immediate danger, since these kinds of devices are used in targeted attacks, but nevertheless the technology for such things exists.

fmajid · 2 years ago
Charge your power bank from the questionable USB, then charge your phone from the power bank. If your power bank supports pass-through charging you could do that, but some chipsets are actually USB hubs and don’t provide isolation.
nucleardog · 2 years ago
Just use your wall plug and one of the many ubiquitous plugs for it conveniently placed all over the world.

As a bonus, no surprise compatibility issues with fast charging or anything.

thefurdrake · 2 years ago
Another disingenuous article about security by people who don't understand security.

The risk may be low, but it is extant, and it is avoidable by simply not using suspicious public chargers.

Do otherwise at your own risk. These attacks were already demonstrated years ago. "Waaahh it's just a POC" sounds exactly like a desperate engineer clutching at straws. You are truly, genuinely, desperately naive if you don't think a publicly-available POC for widely-used tech that hasn't been properly addressed isn't being deployed in the real world.

ghayes · 2 years ago
I feel the easiest path around this is to use wireless charging instead of plugging into a multi-use port. As we have seen operationalized USB attacks, I don’t quite buy the premise of the article.
sschueller · 2 years ago
Wireless charging is so wasteful. We all want to save the planet we should not be wireless charging until we get a much higher efficiency setup.

Fast charging also produces a lot of waste heat. Our phones should know our patterns and for example slow charge overnight. Similar to what Apple started doing with the MacBook where it won't charge to 100% if it knows it will be attached to power.

ReptileMan · 2 years ago
> We all want to save the planet we should not be wireless charging until we get a much higher efficiency setup.

I doubt that those couple of watts per phone will make a dent even if we multiply them by a billion. Wireless charging is 70% efficient in theory, but let's move to 50. So a 17 watt-hours battery (biggest currently in phones) would waste 17 watt-hours per charge - equivalent of any of those - my induction hob, my oven, my electric water heater or my oven working for 30 seconds. Or my gaming PC for that matter.

So 7 billion people, fully charging their phone each day, the phone battery being the biggest one on the market - each year they will waste around 0.17 percent of world electricity production. But since wired charging is also not 100% efficient - if we give it 90% efficiency - this means that we are saving in that case 0.12 percent of world electricity.

I doubt that it will save the planet. The only thing it will help is make some people feel righteous with symbolic gestures.

cassianoleal · 2 years ago
> Fast charging also produces a lot of waste heat.

Legit question about this, I couldn't find any references.

Does fast charging produce more waste heat than regular charging per mAh charged?

I couldn't find information on this.

It's quite obvious that fast charging makes your device hotter, but this could be just because the heat has less time to dissipate.

ztrww · 2 years ago
> Wireless charging is so wasteful

Just how wasteful is it? 70-80% vs 9X% considering how little power phones use on average is insignificant…

You’d save what? 1-2 kWh per year at the very most? Totally irrelevant..

jodrellblank · 2 years ago
I googled and the first result said a Pixel 4 charging from 0 to 100% takes 14 Watt hours by cable and 21 Watt hours by wireless. That’s saving maybe 60 cents of electricity in a year of charging if you run the battery right down every 2 days.

Nothing compared to the spending and pollution of gas to go a distance one could comfortably walk or bike - most vehicle journeys in the US.

mbrndtgn · 2 years ago
Slow charging etc. is nice for laptops, but for phones I wouldn't even bother. If you use your phone for navigation in summer, it's very likely your phone's battery will degrade rapidly anyway due to the heat.
paxys · 2 years ago
The easiest path is to hit "no" if your phone asks whether you want to trust the device it is connected to. Problem solved.
thefurdrake · 2 years ago
Yeah, hackers have never bypassed a "no" prompt before.
flangola7 · 2 years ago
What about keyboards
jacobp100 · 2 years ago
I believe wireless charging still has communication between the pad and the device, so you still have an attack vector
porkbeer · 2 years ago
Is this true? I have never seen it.
v3ss0n · 2 years ago
This is assuming that zero-day exploits are always exposed in public. In reality, huge chunks of zero-day exploits are only in black hat and NSA hands.