
Beware of Juice-Jacking - niyazpk
http://krebsonsecurity.com/2011/08/beware-of-juice-jacking/
======
gwillen
There is one easy way to solve this problem that I can think of: Neuter a USB
cable by shorting the data pins on the device end and disconnecting them on
the charger end.

Just be careful not to plug the resulting cable into a computer -- you are
likely to draw more current than permitted by the USB spec, and could
potentially cause an issue.

(I suppose you could potentially cause an issue with a charging kiosk too, if
it's a computer rather than a dumb brick, but it's not really the kiosk I'm
worried about.)

~~~
maxjus
I know that some modern iOS devices actually require a specific voltage across
the data lines to tell the device what wattage charger it's using. In that
situation you would have to add a couple of resistors to the charging cable
between the voltage and data pins, which definitely makes it a lot more
difficult for most people.

You might find the following interesting:
<http://www.ladyada.net/make/mintyboost/icharge.html>

~~~
gwillen
You're right -- as an Android user, I was thinking about the USB 3.0 charging
standard (and the pre-standard behavior which led to it), which Android
devices generally follow.

If you have an iDevice, you have more work to do.

------
jff
Damn, this is actually rather disturbing--my Nexus 4 automatically presents
USB storage when I plug it in, and I can't figure out how to disable it!
Locked or unlocked, you can access my files by simply plugging in the phone.

Edit: Figured it out, it actually only presents storage when plugged in if you
unlock the phone. If you unplug the phone, let it lock, then plug it back in
again, you're ok.

------
Dylan16807
So did this actually test if the phones were vulnerable? I know my phone
doesn't turn on usb mass storage mode without asking; but this article doesn't
even mention other methods.

------
ChuckMcM
Clever hack. It suggests a product, a USB condom, the device has a USB plug
and a USB socket, it connects the power lines but not the data lines. With a
bit of careful surgery on a USB cable you could manually do this. I don't know
if it would then charge though. A surefire way to build it would be to use an
"FTDI cable" [1] and pull the power off to a USB socket.

[1] <https://www.sparkfun.com/products/9718>

~~~
sneak
SO MUCH EASIER: Carry a tiny AC->USB adapter and a USB->mini or USB->dock or
USB->lightning cable. Plug into mains on these charging stations instead of
USB. Done and done.

Added bonus: You can charge when you get to the hotel, too.

~~~
ChuckMcM
I realize you are being funny but what you seem to have missed (or perhaps you
haven't experienced it) are public areas with exactly zero power outlets and
several "charging stations."

Granted, airports and whatnot are slowly coming around, but having a 'red'
charging cord which not only worked in your AC charger but could also be
plugged into a random charging station and "do the right thing without putting
you at risk" would be a moderately handy gizmo.

------
CaptainZapp
Wouldn't work on my Nokia N900.

If it's just pure juice coming out of the connector it just loads.

If there's some process that tries to initiate a data connection you get two
buttons, asking if you want a PC-Suite or a mass storage connection.

That would look pretty fishy when I just try to juice up my phone.

That said, I think he makes a very valid point and my phone is pretty much an
exception nowadays (as, unfortunately, are Nokia smart phones in general).

------
error54
If what he says is true, it's ridiculous that phones do this by default. Some
clever hacker could create a virus that would sit dormant until your phone was
plugged into your computer upon which it would steal all of your data. You'd
think phone manufacturers would include some sort of way to disable auto-data
sync as leaving it on is a major security risk given the number of people that
charge via their computers.

------
pixelcort
For newer iOS devices, I was under the impression that if a passcode is set
and the screen is locked, the USB host can't access the contents of the device
until the passcode is entered. However, once the screen is unlocked, iTunes on
the host can obtain tokens to automatically unlock the device later on.

Do newer Android devices also have something similar to this?

~~~
drivebyacct2
Yeah, not sure when, but it's been the case that the MTP/UMS was unavailable
if the lock screen was locked (with a pattern/pin/pw). I'm not sure if that
also applies to adb. (If it doesn't, then the protection is useless since adb
can pull data).

~~~
gwillen
I think the theory is supposed to be that you don't enable adb unless you know
what you're doing.

(As far as I can recall, adb works fine with the screen locked. The fact that
I don't know for sure suggests that I do not, in fact, know what I am
doing...)

------
follower
If you have a multi-connector charge-only cable it's likely that the data
lines aren't connected, so that's an option.

(Unless it's a multi-headed cable like:
<https://www.sparkfun.com/products/11515>.)

------
venomsnake
My Desire HD presents itself as a dumb brick by default. Until I explicitly
tell it to be something else it just sucks up juice. So maybe a bit more info
like models, brands etc. will be good to have.

------
RenierZA
Which phones are unsafe when they are turned off?

------
f055
You can prevent this with a simple and cheap Nokia DC-16 portable charger put
between the charging station and your phone.

