Juice Jacking: Security Issues and USB Technology: Comparison
Please note this is a comparison between Version 4 by Nora Tang and Version 3 by Nora Tang.

For a reliable and convenient system, it is essential to build a secure system that will be protected from outer attacks and also serve the purpose of keeping the inner data safe from intruders. A juice jacking is a popular and spreading cyber-attack that allows intruders to get inside the system through the web and theive potential data from the system. For peripheral communications, Universal Serial Bus (USB) is the most commonly used standard in 5G generation computer systems. USB is not only used for communication, but also to charge gadgets. However, the transferal of data between devices using USB is prone to various security threats. It is necessary to maintain the confidentiality and sensitivity of data on the bus line to maintain integrity. 

  • cyber-attack
  • malicious code
  • USB code
  • security
  • hacker
  • keystroke dynamics
  • authentication

1. Introduction

Juice jacking is a well-known cyber-attack used to attack Universal Serial Bus (USB)-enabled devices such as mobiles, tablets, and laptops. It generally utilizes the charging port of a given device; then, whenever someone connects a given device to the system using this port, the hackers obtain all their personal information or may upload some malware onto the device. Therefore, it is necessary to detect and prevent these kinds of attacks.
Business travelers now have access to public USB power charging stations at airports, hotels, and other places to which they travel or stay [1]. In Android OS and iOS, this attack is more appropriate and the smartphone’s display can be exposed through a standard Micro-USB [2][3] connected using the Mobile High-Definition Link (MHL) standard or the iPhone’s lightning connector.
However, even without the instant injection of malware, a leakage to a rogue kiosk might cause a continual security threat [4]. An address book, images, music, and SMS are just a few of the items that may be accessible once the device is associated with a computer. Both data and power transfer can be accomplished using USB connectors [2][5]. A decade ago, security researchers worked out how to exploit USB connections, which a user might think are solely used to transfer power, to hide and transport secret data payloads, as cellphones grew more prevalent [6][7].
Markus, President of Aries security, and his fellow researchers Joseph Mlodzianowski and Robert Rowley, built the charging kiosk. They made charging stations more attractive with a variety of charging cables. When no device is connected, the charging station displays a blue image with the words “Free cell phone charging kiosk” and whenever any device is connected a red warning sign shows and a message: “Be careful and should not trust public kiosks” [8][9]. The wall of sheep is an event held at Defcon, which has allowed public access to juice jacking kiosks every year since 2011. This can raise awareness among the public [8][10]. In addition, juice jacking can be used by hackers to inject malicious code onto the devices and obtain information on those devices.
Regarding device connectivity, the Internet of Things (IoT) has offered the world a higher level of accessibility, integrity, availability, scalability, secrecy, and interoperability. IoTs, on the other hand, are vulnerable to security threats due to a mixture of various attack surfaces and their newness, resulting in a lack of security standardization and criteria. Attackers can use a wide range of cyberattacks on IoTs, depending on which aspect of the system they are targeting and what they expect to achieve from the attack [11]. As a result, a significant amount of research has been dedicated to building secure IoT devices. Recently, Artificial Intelligence (AI)-enabled approaches have been extensively utilized to implement secure IoT devices and networks. Typically, AI models identify anomalous activity, which helps to predict a given attack. In IoTs, cyber-attackers always have an advantage because they only need to uncover one vulnerability, whereas cybersecurity specialists must secure several targets [12]. Recently, various supervised learning models, such as decision trees, linear regression, machine learning, support vector machines, and neural networks, have been employed in IoT cybersecurity applications to predict threats.

2. Types of Juice Jacking

The major features of juice jacking attacks/malware attacks are discussed as follows:
  • Easy to implement but quite adequate.
  • No need to install any more factors on phones, as the attacker does not require the installation of any additional software.
  • Does not need to ask for permission, as the attacker does not need to ask for permission from the user or install any apps on the phone.
  • Various machine learning and deep learning models are used to predict the malware attacks.
  • Less user conjecture: the user is less aware of charging attacks than malware attacks.
  • Finally, various techniques are also discussed, which can either prevent or avoid juice jacking attacks.
  • Data theft: In data theft, cybercriminals steal all information from the device, i.e., devices connected to charging stations through USB ports. As a result, hackers drop an additional payload to steal the information from the connected device [13].
  • [15].
  • Countermeasures: The best approach to avoid juice jacking attacks is to stay away from portable wall chargers and public charging stations [16]. You should keep an external battery or power bank. Random AC outlets have fewer risks than public USB stations. If there is no solution other than using a public charging station, then adapters are available in the device to block data transfer during charging.
Numerous methods are used to prevent juice jacking. These include ensuring devices are charged, avoiding the use of USB chargers, turning off gadgets while not in use, and purchasing charging-only cables. Phone security features and data blocks can also be used.Certain means and softwares can inform you if your phone is hacked, including battery drainage, poor performance, high data usage, and mysterious pop-ups. USB hardware can be divided into three types: programmable microcontrollers, USB peripherals (maliciously reprogrammed peripherals and non-reprogrammed peripherals), and electrical.

3. Features of Juice Jacking Attacks/Malware

  • Multi-platform: the attack is possible in androids as well as iPhones.
  • Malware installation: Malware is loaded on the linked device and remains there until it is recognized and uninstalled by the user. Cybercriminals use malware such as adware, ransomware, and Trojans
  • [14]

4. Motivation

As juice jacking is a software-based threat, it requires an acknowledgment that the software is fixed on the device and applicable on a limited platform, that is, Android OS and iOS. Therefore, it is better to avoid hardware-based vulnerabilities such as charging attacks by not installing too much software/security on a device. When a device is in charging mode, a juice jacking attack can automatically record the device’s screen and manually extract specific information [17][18]. Since devices such as mobiles, tablets, and notebooks contain confidential and sensitive data; therefore, it is necessary to secure these electronic devices against various attacks such as juice jacking. The main objective of this paper is to analyze juice jacking attacks by considering the maximum possible ways through which a system can be affected using USB. In addition, various techniques will be discussed, which can either be used to prevent or avoid the juice jacking attack.

5. Contributions

Juice jacking is a widespread cyber-attack that allows attackers to hack the given system using USB to steal the system’s data. Thus, USB is no longer a simple mechanism, used to transfer data or charge the devices due to security concerns. The main contributions of this paper are as follows:
  • Juice jacking attack is analyzed with the maximum possible ways through which a system can be affected using USB.
  • Ten different malware attacks are used for experimental purposes.

References

  1. Waters, D.W. USB Port Controller with Automatic Transmit Retries and Receive Acknowledgements. U.S. Patent 9824045B2, 21 November 2017.
  2. Loe, E.L.; Hsiao, H.C.; Kim, T.H.J.; Lee, S.C.; Cheng, S.M. SandUSB: An installation-free sandbox for USB peripherals. In Proceedings of the SandUSB: An Installation-Free Sandbox for USB Peripherals, Reston, VA, USA, 12–14 December 2016; pp. 621–626.
  3. Tran, M.Q.; Elsisi, M.; Mahmoud, K.; Liu, M.K.; Lehtonen, M.; Darwish, M.M. Experimental setup for online fault diagnosis of induction machines via promising IoT and machine learning: Towards industry 4.0 empowerment. IEEE Access 2021, 9, 115429–115441.
  4. Zhang, D. Network Security Middleware Based on USB Key. In Proceedings of the 2008 Fifth IEEE International Symposium on Embedded Computing, Beijing, China, 6–8 October 2008; pp. 77–81.
  5. Elsisi, M.; Tran, M.Q.; Mahmoud, K.; Mansour, D.E.A.; Lehtonen, M.; Darwish, M.M.F. Towards Secured Online Monitoring for Digitalized GIS Against Cyber-Attacks Based on IoT and Machine Learning. IEEE Access 2021, 9, 78415–78427.
  6. Chu, W. Application of data encryption technology in computer network security. J. Phys. 2019, 1237, 022049.
  7. Li, X. Application of data encryption technology in computer network communication security. J. Phys. 2020, 1574, 012034.
  8. Lee, K.; Yeuk, H.; Choi, Y.; Pho, S.; You, I.; Yim, K. Safe Authentication Protocol for Secure USB Memories. J. Wirel. Mob. Netw. Ubiquitous Comput. Dependable Appl. 2010, 1, 46–55.
  9. Tran, M.Q.; Liu, M.K.; Elsisi, M. Effective multi-sensor data fusion for chatter detection in milling process. ISA Trans. 2021.
  10. Kaur, M.; Singh, D.; Kumar, V.; Gupta, B.; Abd El-Latif, A.A. Secure and Energy efficient based E-health Care Framework for Green Internet of Things. IEEE Trans. Green Commun. Netw. 2021, 5, 1223–1231.
  11. Tran, M.Q.; Elsisi, M.; Liu, M.K. Effective feature selection with fuzzy entropy and similarity classifier for chatter vibration diagnosis. Measurement 2021, 184, 109962.
  12. Liao, T.L.; Wan, P.Y.; Chien, P.C.; Liao, Y.C.; Wang, L.K.; Yan, J.J. Design of High-Security USB Flash Drives Based on Chaos Authentication. Electronics 2018, 7, 82.
  13. Kuamr Nanda, P.; Prasad Das, S.; Ranjan Panda, S. and Singh, D. Impact of Structural Aspect, Metal Gate and Channel Material on UTB-SOI-MOSFET. Int. J. Innov. Technol. Explor. Eng. 2019, 9, 1638.
  14. Pham, D.V.; Syed, A.; Mohammad, A.; Halgamuge, M.N. Threat analysis of portable hack tools from USB storage devices and protection solutions. In Proceedings of the 2010 International Conference on Information and Emerging Technologies, Karachi, Pakistan, 14–16 June 2010; pp. 1–5.
  15. Kaur, M.; Kumar, V. Beta chaotic map based image encryption using genetic algorithm. Int. J. Bifurc. Chaos 2018, 28, 1850132.
  16. Jeong, H.; Choi, Y.; Jeon, W.; Yang, F.; Lee, Y.; Kim, S.; Won, D. Vulnerability analysis of secure USB flash drives. In Proceedings of the 2007 IEEE International Workshop on Memory Technology, Design and Testing, Taipei, Taiwan, 3–5 December 2007; pp. 61–64.
  17. Zhong, Y.; Yamaki, H.; Yamaguchi, Y.; Takakura, H. Charging Me and I Know Your Secrets! Towards Juice Filming Attacks on Smartphones. In Proceedings of the 1st ACM Workshop on Cyber-Physical System Security, Kyoto, Japan, 22–26 July 2013.
  18. Meng, W.; Lee, W.; Liu, Z.; Su, C.; Li, Y. Evaluating the Impact of Juice Filming Charging Attack in Practical Environments. In Proceedings of the 20th Annual International Conference on Information Security and Cryptology (ICISC), Seoul, Korea, 29 November–1 December 2017.
More
ScholarVision Creations