Summary

  • Researchers have found that recent updates to iOS and Android meant to protect phones from Juice Jacking are ineffective. Juice Jacking is a form of attack that steals data or runs malicious code when users plug their phones into specific charging hardware.
  • The vulnerabilities stem from both Apple and Google smartphones automatically adopting a “host” role when connected to a charging device, meaning they are configured to allow full access to the phone’s internal resources.
  • To tackle this, the researchers are encouraging phone manufacturers to enforce “dumb pipe” behaviour on all USB data, which means only allowing the device to act as a charging “peripheral” when connected to a power source.
  • The team has helped produce a proof-of-concept cracker which ensures data is only transferred one way, from the charging hub to the device, mitigating the threat of Juice Jacking.

By Dan Goodin

Original Article