Technology Practice Tips: Juice Jacking (Transcript)

This is a transcript of juice jacking, rubber duckies, and mobile device broadcasting, what they are and how they may affect the security of your technological devices.

Speaker Key:   PB: Phil Brown, DW: David Whelan

PB:  Hi, it's Phil Brown and I'm here with David Whelan. Today we are going to talk about juice jacking, rubber duckies, and mobile device broadcasting.

DW:  You probably thought we were going to talk about technology, and we will get there, but there are some really wonderful terms that come along in the technology world. One of the interesting ones that has come around recently is juice jacking. Do you want to tell them what it is?

PB:  Sure. Juice jacking is really seemingly innocent enough. Charging stations in malls and at various conventions you might go to. There is an opportunity to add some juice to your mobile device.

DW:  When you plug your device in with your USB cable, in most cases, you are plugging in a cable that can also take in data. Juice jacking is the activity where, once you have plugged in and you are starting to get that charge from the charging station, you are also receiving some sort of download of software onto your phone, tablet, or other device that you may not be aware is appearing.

PB:  Right. This is not normally what happens when you plug your device in to charge it at home or at the office, but that cable has capabilities with the pins that are in the part that plugs into your device and you could be downloading something that could compromise all of your client data.

DW:   A well-known security expert named Brian Krebs has talked about this going as far back as 2011, so it has been around, but I think we are seeing more charging stations in public places. That could give you problems if you have not brought along your own power pack and decide to use someone else's.

PB:  And they are often brought to you by a <name friendly organization here>, which is fine and I suppose 99% of the time they might be safe and innocuous. But of course, just because they are branded by someone does not mean that is the organization who is behind it all.

DW:  One of the interesting developments coming out is the new NFC charging, which you will start to see in Starbucks, I think, soon. You put your device down on the countertop and it will actually charge without you having to connect. And that is a nice way to get a charge without risking being juice jacked.

PB:    Right. A lot of people do not invest in a second charging cable. They always just hang onto the one that comes with their phone or their tablet, so they do not often have it handy when they need one. And there are, of course, a few ways to avoid a situation where you need juice jacking, which is basically just having a cable you can plug in somewhere yourself.

DW:  Right. I actually carry a portable battery now, and it will charge my phone or my tablet usually two or three times before I need to recharge the battery itself. Sometimes I will have both the battery and the phone in my pocket and they will be hooked up and charging while I am just walking along. So it is a good way to have juice on the go and not worry about having someone loading software onto your device.

PB:  Right. I have one of those as well, and there are a number of different companies that make them. You can buy them almost anywhere, in any electronics store or stationary store that happens to sell computers and such. They range anywhere from about $20 to about $150, depending on how much power you want in that battery. You charge them up and they are good for anywhere from two charges to ten charges without having to recharge the battery itself.

DW:  Right. If you get a tablet, or if you have a tablet you are going to charge, you are going to want one of those higher-end ones, but for a phone the inexpensive ones are plenty.

PB:  Right. Let's talk about rubber duckies.

DW:  Yes. We won't sing the "Ernie and Bert" song about rubber duckies in bathtubs. Rubber duckies are a little USB device that you can buy on hacker websites - and I am not suggesting that you would buy it - but particularly, a hacker might and then bring it into your office. It plugs into your laptop and acts as if it is a keyboard. So your laptop will say, "Oh, I've got a keyboard" and it will try to load a keyboard driver so that it can be used like your normal plug-in keyboard.

PB:  Right, so you can actually turn on the security in your laptop and other devices that take a USB port to prevent things, but the reason the rubber ducky is able to get into your system is because it emulates a keyboard and most devices are set up to accept keyboards no matter what.

DW:  Right, because you do not want to plug in USB hard drives or other flash drives that you do not know what is on them. It is a good way to be able to block those sorts of things, but the rubber ducky has been able to get by because it does emulate what is normally a piece of dumb software. And when you plug it in, it is not a piece of dumb software and a keyboard, it actually has a payload that it then loads into your computer, and your computer is infected with whatever software it is.

PB:  Right. Someone would need physical access to your computer to use a rubber ducky. And when you are talking about a payload, it could be ransomware; a Trojan that leaves your computer open so that someone is able to copy your passwords; a keystroke logger so that they are able to see everything you type on your keyboard. It could be anything.

DW:  Yes, it is real "Girl with the Dragon Tattoo" sort of stuff.

PB:  Right, and it takes all of about ten seconds to access your computer. For instance, if you were at a location like a Starbucks or a Tim's using their free WiFi and had to go off to the bathroom, someone could plug one of these in for ten seconds and then unplug it and walk out of the store, and you would never know the difference.

DW:  Right, and it would start broadcasting or doing whatever it is going to do.

PB:  Speaking of broadcasting, let's talk about mobile device broadcasting.

DW:  I love mobile device broadcasting mostly when other people do it because it usually means I can see stuff that they did not anticipate that they were sharing. This is particularly true with Windows devices. Laptops, but even desktops in a corporation - if they have Windows sharing turned on, you may find you are sharing music, photos, and other information that is on your computer that you did not intend to.

PB:  And not just Windows devices because I have had my sharing settings on my Mac changed, but at various times that I have been working away in the library or somewhere like that, and not only can I see what is on other people's computers, I can actually play music on my computer from their computer.

DW:  So they had good taste.

PB:  So they had good taste. You can actually download things from other people's computers if they have sharing, and you can do this via Bluetooth or through WiFi even if you are not necessarily connected, but you are both on the same network.

DW:  A basic rule then is to make sure that when you are out and about and you have your device - and you are not actually using the Bluetooth or the WiFi - turn it off. That is usually a pretty simple command or a simple button to press on your device. Although, I was updating my own Android over the weekend and I was surprised to see an option in the advanced settings that said that you can have apps continue to scan for WiFi, even when your WiFi is turned off. So you really need to know what your operating system is doing. If it is scanning for WiFi connections without you knowing it, you may want to figure out how to block those or turn off that feature.

PB:  Right, and another thing about mobile broadcasting: it is a good way for people to see where you have connected to previously. So while your mobile device is casting about looking for a network to connect to, it is also showing what other networks it has been connected to.

DW:  Right.

PB:   And someone might get information about your home network from that broadcasting that you did not intend to broadcast.

DW:  Yes. It can really be an eye-opener when you see all the different information that is stored. You can see that even by going into your phone, tablet or laptop and look at all the networks that you have connected to, which you may not have connected to in months, are still listed there.

PB:  Right. So that is our look at juice jacking, rubber duckies, and mobile device broadcasting. Thanks, David.

DW:  Thanks.