Juice-Jacking Revisited

It’s a crazy world out there. I ran (well, by “ran” I mean jogged slowly enough to pass the old ladies on the track) this morning at the YMCA, lifted weights for a little while, and then hit the elliptical for 20 minutes before heading home. My gym’s ellipticals have the Nike+ package where you can store your workouts on your iPhone/iPod, and without thinking I jacked in. Approximately 38 ms later (my internal meter is not calibrated)  I facepalmed and disconnected my iPhone in shame. Have I learned nothing?

Turns out, after closer inspection, the cable was a standard cable plugged into a standard elliptical trainer, but I didn’t inspect it initially. I just trusted that everything was as it should be. Josh wrote about this trust back in December. This offense, of course, would be fine if it was my iPod, which holds nothing of value on it. But my iPhone? Well, it has quite a bit more I’d rather not share with Mr. or Mrs. Hacker. So what am I worried about?

Juice-Jacking is another physical security attack vector. With smartphones battery charging capabilites tied also to the data access port, any maliciously minded individual could stand up a charging booth, offer it up for free, and the lambs would willingly head to the slaughter. As power surges into their batteries, their data surges into the hands of the enemy. Such was the case at DefCon this year, where at least 360 attendees, made acutely aware of connecting in any way to anything within a 2 mile radius of the conference, still powered up. Brian Krebs had a good post-DefCon write-up on Juice-Jacking you should check out. Be careful out there.