Stories
Slash Boxes
Comments

SoylentNews is people

posted by janrinok on Sunday November 17 2019, @11:48PM   Printer-friendly
from the acting-before-the-problem-arises? dept.

Submitted via IRC for SoyCow1337

LA warns of 'juice-jacking' malware, but admits it has no cases – TechCrunch

Los Angeles’ district attorney is warning travelers to avoid public USB charging points because “they may contain dangerous malware.”

Reading the advisory, you might be forgiven for thinking that every USB outlet you see is just waiting for you to plug in your phone so it can steal your data. This so-called “juice-jacking” attack involves criminals loading malware “on charging stations or cables they leave plugged in at the stations so they may infect the phones and other electronic devices of unsuspecting users,” it reads. “The malware may lock the device or export data and passwords directly to the scammer.”

But the county’s chief prosecutor’s office told TechCrunch that it has “no cases” of juice-jacking on its books, though it said there are known cases on the east coast. When asked where those cases were, the spokesperson did not know. And when asked what prompted the alert to begin with, the spokesperson said it was part of “an ongoing fraud education campaign.”

Which begs the question — why?

[...] Security researcher Kevin Beaumont tweeted that he hasn’t seen “any evidence of malware being used in the wild on these things.” In fact, ask around and you’ll find very little out there. Several security researchers have dropped me messages saying they’ve seen proof-of-concepts, but nothing actively malicious.

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 3, Interesting) by VLM on Monday November 18 2019, @02:54PM

    by VLM (445) Subscriber Badge on Monday November 18 2019, @02:54PM (#921513)

    The weird dancing around in their language is because hired penetration testers have an absolute hardon for trojan horse chargers and it seems like every hired gun pen tester has a modified charger with special hardware they'll leave a microUSB cable to it laying around a waiting room or conference room and when anybody plugs in a device to charge it'll get logged and when they report that incredible security breach, then they slap each other on the back or on the ass or whatever folks like that do, as if they just shot a 48 point buck during deer season or as if some wanker plugging in his rechargeable vape dong is equivalent to powning the finance dept payroll laptop.

    And there are well known incidents where the pen testers celebrate their "charger" logs proving they couldda powned a visiting CEOs cell phone thus proving their infosec theater is worth hiring them again for even more money, then later on security camera footage shows "the theoretically compromised device" is actually the receptionist charging her rechargeable remote vibrator when she thinks no one is watching and its all whoopsie daisy I guess we powned nobody but that receptionist is kinda hot so its all good anyway or something.

    99.99% of "hacked chargers" are legally owned and operated by pen testers hired by the IT department, but we have to pretend its "real infosec in action" and not just dumb security theater.

    That's where it gets really weird in the linked article language where "everybody knows" that all pen testers have a "hacked charger" for their security theater purposes, but all orgs that have ever hired pen testers likely had to sign a NDA as to not admitting techniques publicly so we all have to pretend its never happened despite everyone knowing everyone does it and you can buy stuff like this online or just stick some dual USB dev boards inline with a real charger and some simple logging firmware (theres some great STM32 boards for this with dual USBs, one for power/debugging and one officially-HID-use port to log "security incidents" where someone plugged in). Its the security theater equivalent of admitting everyone masturbates and its frankly just about as useful and important... and profitable.

    Starting Score:    1  point
    Moderation   +1  
       Interesting=1, Total=1
    Extra 'Interesting' Modifier   0  
    Karma-Bonus Modifier   +1  

    Total Score:   3