July/August 2019
From the President, Jeff Beavers, RCDD, OSP, CFHP
“JUICE JACKING” PUTS THE SQUEEZE ON PRIVATE DATA
The line between physical security and cybersecurity is
blurring, much like the line between voice and data. With the advent
of IP-based technologies, physical and cybersecurity
now go hand in hand.
The term “belt and suspenders” is a metaphorical
idiom meaning that a person or enterprise wearing both
a belt and suspenders is very, if not overly, cautious. A belt
and suspenders achieve the same task—to hold up pants.
As the saying goes, “just because I'm paranoid doesn't
mean they are not out to get me.” In other words, just
because I am wearing a belt does not mean it cannot
still fail at its task.
In technical terms, the suspenders can be redundant
and/or diverse. The belt provides the mission-critical role
of holding up the pants. The suspenders offer some level
of operational resilience. The belt and suspenders are the
physical security; cybersecurity ensures that pictures of wardrobe
malfunctions from failing belts and suspenders do
not find their way to the internet.
“Juice jacking,” a term I have read about recently,
is a form of cyberattack in which hackers secretly modify
a USB port to install viruses or inject code to gain access
to personal or sensitive corporate data. The proliferation
of public device charging stations at airports, business
centers, hotel lobbies or other public places opens
a plethora of opportunities for juice jacking hackers.
People often forget that their smartphones are
actually computers.
Convenience for the technology consumer in a data-driven
world introduces another risk. The codes we follow,
such as the National Electrical Code (NEC), do not explain
the wrong ways to perform tasks, only the proper ways.
The wrong ways would be innumerable otherwise, as humans are too
creative with the wrong ways of accomplishing tasks,
and there is no end to the creativity of some humans when
it comes to nefarious activities. The USB connection is one
example that people and codes have given little thought
to as a source for cyber threats.
USB cables permit the supply of power and data
simultaneously. When the USB port is used to charge a phone’s
battery, hackers utilize the data stream while the device is
charging. Cybersecurity researchers claim that it takes less
than a minute to gain full access to the electronic device
and retrieve photos and contact information. Many
electronic devices are configured to dump their data
when making a connection with a USB cord. Even if the
user attempts to manually disable the USB transfer mode
by selecting the charge only option, the device is predisposed
to transfer the data whereby the hacker establishes
a trusted relationship with the device.”1
Even a cord left behind by an opportunistic data thief
leaves a person or enterprise vulnerable. The finder may think
they have scored a free, innocent-looking Apple Lightning cable,
but the moment it is plugged into the device, an extra chip
that deploys malware begins accessing data.
“The 2019 IBM X-Force Threat Intelligence Index reveals
that the transportation industry has become a priority
target for cybercriminals as the second-most attacked
industry—up from tenth in 2017. Since January 2018,
566 million records from the travel and transportation
industry have been leaked or compromised in publicly
reported breaches.”2
Like many BICSI members, I spend much time traveling.
Now, I realize that many airports, despite how strong their
belts, suspenders, and cybersecurity are, have failed at the
task of stopping much of the juice jacking. However, we
can tighten our own belts and suspenders by refusing to
drink the “juice” and practicing smart security measures,
such as using your own power adapter or portable power
bank, or purchasing an inexpensive juice jack-defense
product. Furthermore, we need to practice our own
cybersecurity by being aware of USB cables and anything
that plugs into mobile devices or computers at work, home,
and public places.
Where is that lock box when we need it?—the lock box
promised during the 2000 presidential campaign that
ensured our Social Security funds would always be there.
We are in an era of exponential technology growth. The
risks in a data-driven world are increasing exponentially—so
too are the methods, processes and equipment to protect
it and us.
Be safe; someone is counting on you.
REFERENCES:
1. Danley, Chuck. Juice Jacking: USB as an Attack Vector,
Jul 3, 2017, Leaderquest.
https://www.leaderquestonline.com/blog/juice-jacking-usb-attack-vector/
2. Kelleher, Suzanne R. Why You Should Never Use
Airport USB Charging Stations, May 21, 2019, Forbes.
https://www.forbes.com/sites/suzannerowankelleher/2019/05/21/why-you-should-never-use-airport-usb-charging-stations/#324eba9b5955