Connecting an unsecured iPhone or iPad to an unfamiliar port may result in an unwanted infection. “Juice jacking” and “trustjacking” are two ways to pick up a digital infection, but there are ways to protect yourself.
You may not have thought about cybersecurity when charging your iPhone on the go, but a Lightning cable can transfer data as well as power. Here are the possible vulnerabilities and ways to minimize the risks.
What is “juice jacking”?
Smartphones and tablets use the same port for charging and data transfer. “Juice jacking” exploits the possibility that an owner plugs their device into a malicious or compromised charging port, which can then be used to steal data from the device.
Earlier, iOS devices were more vulnerable to hacking, since authorization was not required to connect an iOS device to a PC. That changed when iOS 7 was introduced in 2013.
How to prevent juice jacking
When you connect your iOS device to a computer, iOS 7 prompts you to “Trust this computer? Your settings and data will be available from this computer when connected via USB or Wi-Fi.” You can then select “Trust” or “Don't trust”.
The wording was later changed to “Allow this device to access photos and videos? This device will be able to access photos and videos as long as it is connected to your iPhone.” You can then select “Allow” or “Don't Allow”.
If you select “Don't Allow”, juice jacking cannot occur. If you see this message when you connect your device to a charge-only port, it is most likely an attacker attempting to transfer data or install malware.
While rejecting the prompt effectively prevents juice jacking on iOS devices, a related vulnerability called “trustjacking” was discovered in 2017.
What is trustjacking?
Symantec, a cybersecurity software company, discovered a way for another user to control the owner's iOS device over Wi-Fi, even when it is no longer connected to the malicious port with a cable.
It works by using the iTunes Wi-Fi Sync feature, which (as the name suggests) allows you to sync your iOS device with the iTunes software on your computer over Wi-Fi when they're not physically connected to each other.
Selecting Allow when connecting an iOS device with a cable allows the computer to communicate with it using the iTunes API. Although this method still depends on whether the owner trusts the connected computer, it allows an attacker to permanently control the device at a high level after the physical connection is broken.
Trustjacking allows an attacker to make iTunes backups and install apps, all without notifying the owner or asking for consent. Extracted backups may include iMessage and SMS chats as well as application data. In addition, applications installed on the device can be secretly replaced with malicious ones that collect sensitive information and user activity data.
Although iTunes Wi-Fi Sync only works when the computer and iOS device are connected to the same Wi-Fi network, trustjacking can potentially be combined with a malicious profile attack and the use of a VPN to maintain constant access. However, the risk of this occurring is low and only applies to devices enrolled in an organization's MDM program.
Apple's response to trustjacking
To mitigate the problem of unauthorized access, Apple introduced an additional step with the release of iOS 11 in 2017. This added a requirement to enter a device password when Allow is selected to ensure that only the owner of the iOS device can authorize the data connection.
However, once the connection is authorized, this still does not stop the computer from managing the iOS device through iTunes Wi-Fi Sync after the cable is unplugged, and it does not warn the user of this possibility, so the vulnerability was only partially addressed.
How to reduce the risk of trustjacking
As far as we can tell, trustjacking continues to be a risk for all iOS and iPadOS devices. Fortunately, there are several ways to minimize this risk as a device owner.
Firstly, if you suspect that an unwanted computer has access to your device, you can revoke access to all trusted computers. After that, you will need to re-authorize all computers to which you want to connect your device.
- Go to Settings
- Tap Transfer or Reset iPhone/iPad
- Tap Reset
- Select Reset Location & Privacy
- Then enter your device password to confirm.
You can also encrypt your iTunes backups to prevent potential attackers from reading the information. To do this, connect your device to a computer you trust.
How to encrypt local backups of your iPhone
- For Mac computers, open Finder, and for Windows PCs, open iTunes.
- On the General or Summary tab, navigate to the Backups section.
- Check Encrypt local backup.
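To confirm the setting took effect on backups already stored on the computer, the following added example (not part of the original article) reads each backup's Manifest.plist and reports whether it is marked as encrypted. The macOS backup folder path and the manifest keys IsEncrypted and Lockdown/DeviceName are assumptions not stated in the article, and make_constructed_backup is a hypothetical helper that writes constructed sample data.

```python
import plistlib
from pathlib import Path
from xml.parsers.expat import ExpatError

# Assumption (not in the article): default macOS folder for Finder/iTunes backups.
DEFAULT_BACKUP_ROOT = Path.home() / "Library/Application Support/MobileSync/Backup"


def audit_backups(root):
    """Return (backup_id, device_name, status) for each backup folder under root.

    status is "encrypted", "UNENCRYPTED" or "unreadable".
    """
    root = Path(root)
    if not root.is_dir():
        return []
    results = []
    for backup_dir in sorted(p for p in root.iterdir() if p.is_dir()):
        try:
            with (backup_dir / "Manifest.plist").open("rb") as fh:
                data = plistlib.load(fh)
            if not isinstance(data, dict):
                raise ValueError("unexpected manifest layout")
        except (OSError, ValueError, ExpatError, plistlib.InvalidFileException):
            # Missing or damaged manifest: flag it instead of assuming it is safe.
            results.append((backup_dir.name, "?", "unreadable"))
            continue
        lockdown = data.get("Lockdown")
        name = lockdown.get("DeviceName", "?") if isinstance(lockdown, dict) else "?"
        # Assumption: the manifest's IsEncrypted boolean reflects the checkbox.
        status = "encrypted" if data.get("IsEncrypted") is True else "UNENCRYPTED"
        results.append((backup_dir.name, name, status))
    return results


def make_constructed_backup(root, backup_id, encrypted, device_name):
    """Hypothetical helper: write a minimal constructed manifest for a dry run."""
    backup_dir = Path(root) / backup_id
    backup_dir.mkdir(parents=True)
    manifest = {"IsEncrypted": encrypted, "Lockdown": {"DeviceName": device_name}}
    with (backup_dir / "Manifest.plist").open("wb") as fh:
        plistlib.dump(manifest, fh)


if __name__ == "__main__":
    for backup_id, name, status in audit_backups(DEFAULT_BACKUP_ROOT):
        print(f"{status:12} {name:20} {backup_id}")
```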
Finally, remember that a data connection is not required if you just want to charge your iPhone or iPad, so always select “Don't Allow” if you don't need to transfer data. And if you're not the owner of the computer you're using, it's probably best to revoke access after you're done.