A new threat has caught the attention of the cybersecurity community in Los Angeles, California. According to the district attorney office, some public USB charging points contain dangerous malware that could infect users’ devices.
The alert, published directly by the Prosecutor’s Office, refers to reports on a technique known as “juice-jacking”, in which a threat actor loads USB cables and public charging stations with malware. Afterwards, they just have to wait for some unsuspecting user to connect their smartphone or tablet to extract data and passwords.
Although researchers and cybersecurity experts
have previously shown that this attack is in fact possible, the prosecutor’s
office mentions that it has no record of actual juice-jacking cases, although
they note that there have been attacks on the East Coast. When questioned about
the reasons for launching this security alert even though there are no known
cases, a Los Angeles County spokeswoman mentioned that this is an awareness
campaign against electronic fraud.
However, not everyone shares the same position
as the prosecutor’s office. Security specialist Kevin Beaumont, via Twitter,
stated that he has not encountered “a single piece of evidence of this
attack in the wild.” The expert adds that, although various proofs of
concept have been developed, no similar case has come out of computer security
laboratories.
On the other hand, several members of the
cybersecurity community emphasize that while such an attack is possible, it is
a ridiculously complex and inefficient approach, as there are much simpler ways
to compromise information on a mobile device. In addition, most recent
smartphones have security measures in place to prevent such attacks, so a
juice-jacking attack in the wild would require finding a way too powerful
exploit.
Although a technique for extracting data using
only a USB cable or charger is not yet known, specialists from the
International Institute of Cyber Security (IICS) mention that this is possible
in theory, so efforts to develop this attack are not have stopped.
A few months ago, the FBI
issued a security alert about this attack following the release of the
investigation by Samy Kamkar, a specialist who developed an implant designed to
impersonate a USB charger and track security keys.
