Welcome to Tech Stuff, a production from iHeartRadio. Hey there, and welcome to Tech Stuff. I'm your host, Jonathan Strickland. How the tech are you? So, I got got. By that, I mean I regurgitated some tech news that I saw without actually taking the steps to make sure there was something substantial behind that tech news. And that's a failure on my part. And it shows that critical thinking is a skill that you have to actively practice. It's not
something that just magically happens. So what got me? Well, recently in a tech News episode, I talked about how the FBI and the FCC, both official US government agencies, issued new warnings about using public charging ports for your mobile devices, you know, ports in places like hotels and airports and coffee shops, that kind of thing, and that hackers could have potentially compromised those ports so that while it appears that you're charging your phone or your tablet
or whatever, some nefarious criminal, probably wearing a hoodie, sitting in the dark someplace in front of a monochromatic computer monitor that can only show green text, that person is actively hijacking your phone and stealing all of your moneys and stuff. In the parlance of cool security kids, this practice is called juice jacking: that you have jacked the
charging station to spread malicious code. While this warning was recent, there have been multiple incidents of authorities warning people against using these kinds of charging ports over the years. Back in twenty nineteen, the District Attorney's Office of Los
Angeles County issued a similar advisory. Their warning read, quote, travelers should avoid using public USB power charging stations in airports, hotels, and other locations because they may contain dangerous malware, end quote, and the office went on to suggest that people use AC power outlets and an adapter in order to charge their devices and to avoid the possibility of someone compromising them. And that wasn't the first such warning either. They go
back quite a way. That's because there were demonstrations as far back as around twenty eleven, twenty twelve at events like DEF CON that showed how a hacker could potentially compromise a device using a malicious charging station. But here's the reason I say that I got got. There are no records of someone falling victim to juice jacking out in
the wild. There are no cases in which hackers have taken over a public charging station, or created a fake charging station that looks like the real thing, and then used that to implant malware on devices in the general public. Such a thing is technically possible, but it's tricky on several levels. For one thing, a hacker would need physical access to the area, and they would also need to
avoid notice while installing a malicious charging station. For stuff that's built into things like tables and seating areas, I'm thinking about, like, the long line of seats in an airport waiting area, where you typically will have a little station in between every couple of seats or so, that's hard to do. If you're in a high traffic environment like an airport, it's tricky to get that access. It's
not impossible with a little social engineering. You might pose as, like, an IT maintenance person and you're there to repair or to upgrade a system, and maybe after a brief conversation, no one gives you much thought and you can go about doing it. So it's not like it's impossible. You could do it with a bit of effort. But that's the first barrier, and there are other challenges as well. Malware can spread via USB. That is true, like you could connect two devices via USB and send malware from
one to the other. However, malware is not magically universal. It's not like a skeleton key that works on every device. This is one of those things that really gums up the plot to Independence Day. Right? Like in the movie Independence Day, you have Jeff Goldblum creating malware on a Mac of all things, and then using that malware to transfer over to the aliens' computer systems to bring down
the alien defenses. Well, without knowing how the alien computer systems work, and building your own system that works exactly that way, you can't do this. You cannot create malware that just magically works on whatever hardware and operating
system environment it encounters. Malware is not that adaptable. Of course, you could argue, and I have heard this argument, that Mac computers are not actually the outpouring of work from Apple, but in fact trace their lineage back to the crashed Roswell alien ship, and that all computer systems were really just built on alien technology. But then, how did you figure out how the alien technology worked in the first place?
We're going down a rabbit hole. I don't need to. The point being that malware does not magically adapt to its environment. It needs to be designed for that environment. So for malware to work, a hacker has to design it for a particular operating system, and malicious code that works on Windows machines generally won't work on, say, Android devices or iOS devices. So creating the back end that is responsible for injecting malware into the targets is also
hard to do. Your average hacker isn't going to have access to the tools to build something that is effective against multiple platforms. Such things do exist, but they are expensive to develop and to deploy. We're talking like stuff that state backed hackers are getting paid tens of thousands or hundreds of thousands of dollars in order to develop and deploy. Your average hacker just doesn't have access to
this kind of stuff. Now, maybe the hacker's really just thinking, oh, most folks have an Android device, so I'm just going to build something for that, and I'm not going to worry about the iOS users. Or maybe they're thinking, my preferred targets are iPhone users because they're known to use their devices to do things like make purchases more frequently, and they might target iOS devices and not worry about the Android users, and so in other words, they're just
narrowing their pool of targets from the get go. That's possible, but it gets more granular even than that, because a lot of attacks aren't just operating system specific. They are hardware specific, for attacks that are really good at infiltrating and converting target devices into hacker devices. So let's say you have a Pixel phone and the person next to you has a Samsung Galaxy phone, and you both plug
into one of these compromised charging stations. Well, the malware might work on them, but not on you, because the malware needs to exploit specific quirks of the Galaxy phone, the hardware itself, that the Pixel just doesn't have. They can be really impressive in this case. There are examples of security experts who have created devices that can turn a particular model of phone into a hacker's plaything
in just seconds, but only under those specific parameters. It's not like if you plugged it into a different phone it would still work. No, it only works on that one device. Compromising or creating a public charging station in the hopes that someone with that specific model of phone plugs into that specific charging station, that's the sort of gamble that's just not likely to pay off. But there are
even more technical challenges we need to talk about. Modern smartphone operating systems will alert users to a requested file transfer when you connect it to another device like a computer, and users then have to acknowledge and allow that file transfer to actually happen. So if you were to plug your device into one of these hacker controlled charging stations and their intent was to inject malware on your device, well, your phone would essentially say, hey, bud, listen, that thing
you got me plugged into? It wants to send a file your way. You cool? And you just choose, nah, bra, I ain't cool, and then boom, no malware gets pushed to your device. Now, could hackers figure out a way to bypass this? Well, technically yes, there could be a zero-day vulnerability that no one but the hackers
know about. There are tools in the cybersecurity field that do this sort of thing, but they typically require extended contact with the device. As Ars Technica points out, the security tool Grayshift, which is designed to access locked devices in order to pull data, is the kind of thing that law enforcement agencies would end up purchasing and using. This tool can require up to three days with a device in order to actually be able to
pull data from it. So unless you're posted up to this charging station for several days in a row, you're not likely to have that problem. Now, I will say that this does add more complexity to the operation. It's also really expensive. The Grayshift tool costs around thirty grand to use, plus security updates from companies like Google or Apple can shut down the methodology that Grayshift uses to pull data in the first place, which means
it's back to the drawing board. This will only work as long as the vulnerability exists, and if the vulnerability is patched, well, then that door is shut. Right? So, as operations get more complex and expensive, the likelihood of encountering them begins to approach zero. Okay, we're on the precipice, so we're going to take a quick break. When we come back, I will talk about why I say I
got got. Okay. Before the break, I said that as the complexity and expense of an operation increases, the likelihood that you're going to encounter it approaches zero. As it turns out, zero is where we end up. At least that's where we are when it comes to hijacked recharging stations that are in the public: there is a total lack of documented cases in which it has happened. Now, the article that I used for this is from Ars Technica, which I mentioned earlier. It was written by
Dan Goodin. He went so far as to really look into this rather than do what I did, which was just repeat an advisory without looking into it further. So Goodin did the right thing. Then I screwed up. And when we look back at that twenty nineteen advisory that was issued in Los Angeles, we see a similar issue. So Goodin's talking about the more recent FBI and FCC joint advisory. But if we look at the Los Angeles one and you just do a quick search on it, well,
it brings up a Snopes page. It has been so long since I've been on Snopes. I used to go to that website all the time. And the Snopes judgment comes down to this being a, quote unquote, mixture of truth and falsehood. So the Snopes page mentions that TechCrunch had previously reached out to the Los Angeles County's chief prosecutor to ask about any cases involving juice jacking. They said, well, how many instances have you encountered of this practice, and the office said that they hadn't. They
had no documented cases. And so then TechCrunch said, so, what's up with pushing out an advisory for something that you don't even have evidence of happening? And they said, well, it is really part of an awareness building campaign for security. And again this gets back to the fact that it is technically possible to do, and maybe a user would even click through an acknowledgement of a file transfer thinking it was just another step toward charging, and thus allow
their phone to be compromised. But the fact remains there still are no documented cases of juice jacking out there, and when you think about the difficulty of the task and the small number of successful hits that you're likely to get as a hacker, you start to see why it's not really a thing. It could be a thing, but so far it's not. And let's take it from the hacker point of view. Let's say that your goal is to infect as many devices as possible for whatever reason.
Maybe you're trying to get your malware to a specific target, but you don't have access to that target, so instead, you're thinking, well, I'll just infect as many devices as I can so that someone somewhere possibly passes this malware to my actual target. It's kind of a long shot, sort of a long play strategy, but it's also something that we have seen in the past, particularly with state backed malware attacks. Stuxnet was technically this kind of approach,
although it was through secondary targets. We assume it was the United States and Israel targeting some specific companies that were supplying software to the Iranian nuclear power program, and that because they could not access the nuclear program itself, the US and Israel, we assume, targeted the suppliers for that nuclear power program. That's how they got the malware to the targeted destination. So that is something that does happen.
But more likely the hacker's motive is just to infect devices in order to harvest data or perhaps get access to stuff like bank account information and that kind of thing. So how do you go about doing this if you're the hacker? Well, one thing you could do is run a really broad phishing campaign. You're casting a really wide net. This approach requires a little work on the back end, but not a whole bunch. It's relatively light work compared to other methods, and it can touch a large number
of people. Like you can't really predict who's going to see it necessarily, but you can target millions if you want, and all the people who encounter the effort, maybe only a few are likely to fall for it, but still, if your attack is seen by tens of millions of people and you get just a couple of percentage points worth of victims out of it, that's still a lot
of victims. Another thing that you could do is you might set up at a public space and either compromise the local public Wi-Fi or you create a hotspot of your own and you pose as public Wi-Fi. Now, all the wireless traffic going through your hotspot is yours for the sniffing, and you don't have to tamper with
any physical hardware in the area to do it. I mean, you could if you wanted to try and actually compromise the physical routers and such of the space, but if you wanted to just set up an alternative that looks official, you don't even have to touch any of the infrastructure that's already there. Now, the downside to this approach is that you are very location based, so your pool of targets is much smaller. But the good news is you're likely to have a much higher percentage of hits within
that small pool, so your goal is still met. Both of those methods are lower risk and higher reward than hijacking a public charging station, and you don't have to worry so much about the devices themselves giving you away by alerting the user that something hinky is going on.
So from a return on investment perspective, it makes way more sense to do a different approach than to rely on a physical connection between your malware injection system and target devices, unless, and this is a big exception, we're
talking about targeting a specific person or specific group. So if you're the equivalent of James Bond, and it's your job to figure out how, you know, you're going to compromise the phone belonging to, say, the ambassador of Freedonia, that's a made-up nation in the Marx Brothers movie Duck Soup, well, maybe you do install
some hardware in an attempt to access that device. Maybe you do create some fake charging stations, you get access to a space that the Ambassador of Freedonia is going to be in, and you put in these compromising devices
in that space. So if we're talking about a potentially high value target like a politician or the CEO of a prominent company, or maybe really high profile journalists or something like that, well then they might encounter something that is similar to a fake charging station, but most of us won't, because the trouble of making it and keeping it up to date as devices get security updates is just way too much work for way too little reward.
So it sounds like the threat of juice jacking is similar to what we hear every year as Halloween rolls around, or at least I used to hear it that parents need to check every single piece of candy to make sure some malicious person hasn't hidden poison or razor blades
in there. Now, in the case of poison, there's no documented evidence of that ever happening, but there have actually been a few cases of people putting pins or other sharp objects into stuff like apples at Halloween, though it often ends up turning out that it was a kid doing it purposefully to drum up drama. So in other words, the awareness campaign becomes a self fulfilling prophecy that convinces people to do the thing that the warning is about.
So, end result here: the type of attack mentioned in the FBI and FCC warnings is technically possible, but it's not practical. Not for a wide deployment, and not as a way to create a wide spectrum attack that's going to hit a lot of targets. It's technically difficult to pull off. It requires access to infrastructure that isn't necessarily easy to get. As security patches go out, the methods become ineffective. It's
expensive to develop and deploy. So is it possible someone could do this and that people could fall victim to it? Yeah, but it's so impractical that it's extremely unlikely to happen. There are lots of other security threats that are far more pressing, so it's kind of weird that we even get these warnings. I'm actually not sure what's driving the push for that unless there is some top secret, highly classified document containing countless cases of juice jacking that
for some reason are not allowed to be acknowledged. That's the only way I could figure that this is a real problem. It doesn't look like it actually is, so my apologies for being part of this machine of spreading a message that really isn't that important. I should have checked further into it. I could give you all excuses, like how I'm the only person writing and researching this show,
but that's kind of lame. So instead, I'll just remind you critical thinking is important, even when I forget to do it myself. That's all. I hope you're all well, and I'll talk to you again really soon. Tech Stuff is an iHeartRadio production. For more podcasts from iHeartRadio, visit the iHeartRadio app, Apple Podcasts, or wherever you listen to your favorite shows.