Aug. 24, 2011
by Suzanne Cluckey
The automated charging machine has been a boon to kiosk manufacturers and deployers, offering revenue streams that were unimaginable in the days before the mobile device became an essential travel tool and time filler during airport layovers.
But a possible threat to that business recently came to light at DefCon 19, the computer hacker conference held earlier this month in Las Vegas. Security risk assessment firm Aries Security installed a phone-charging kiosk at the conference hotel that warned users it was capable of downloading data from — or uploading malware to — the individual's mobile device, a practice known by the sinister-yet-catchy name "juice jacking."
According to Aries, the increasing prevalence of smartphones, which use the same port to charge the phone and sync data, means that enterprising criminals could install systems on charging kiosks that would suck down data. This information could then be exploited for any number of uses, just like any other hacked computer files.
While Aries did not reveal — for obvious reasons — the methods used to alter a kiosk to enable juice jacking, conference-goers got the idea and started chattering about it. The story has now made its way from independent blogs to PC World, MSNBC.com's Technolog and business and financial news aggregator The Street.
At this point, word about the DefCon demo is still limited to the Web. But as most scary news items do, this one will surely make the jump to mainstream media eventually, where it will just as surely become a big deal.
Not everyone is convinced that juice jacking constitutes a real and present danger, though.
David Drain, executive director of the Digital Screenmedia Association, which represents the interests of the interactive kiosk industry, says that kiosk deployers themselves would have nothing to gain by accessing their customers' data.
"I'm not saying it couldn't happen," Drain said. "I'm just saying that either [kiosk operators] are charging a fee to charge your phone or they are displaying advertising and letting you charge your phone for free because you're sitting there while your phone is getting charged, watching. So it's not in the interests of any of these companies that make the kiosks to do anything like what they're suggesting."
In some instances, kiosks are actually incapable of data download. The KEO charging kiosk designed by Frank Mayer & Associates and deployed by KEOConnect at airport-based Hudson News shops is one example.
"We made sure that in our design, there were no data lines in the cables that are connected from our system to the handset," said Ron Bowers, senior vice president of business development for Frank Mayer & Associates. "There are no data paths between the handset and the host computer, so it would be impossible to download data."
In such a case, said Bowers, data hackers would have to gain access to the interior of the kiosk and install their own skimming system. To retrieve data, thieves would then either have to break into the kiosk again or link the skimmer to the kiosk's network, which they would in turn have to hack into. All of this, Bowers says, would be virtually impossible.
"The network is completely secure," he said. "The typical network security steps have been taken, but also making sure [network security] was one step above what was typically required or certified.
"The physical security of the kiosk design prevents hackers from accessing the unit itself. The doors, the media player do not have any accessibility or the ability for anybody to put a skim unit on it."
Neither all kiosks nor all kiosk locations are created equal, however. Theoretically it would be possible for criminals to gain physical access to an improperly secured unit in a low-traffic location. But this raises the question of whether the level of usage in such a location would make the risk worth the gain for thieves.
Also theoretically, a kiosk that used standard charging cables, which carry data lines as well as power, could be susceptible to a classic computer hack, assuming those data lines were connected in some way to the kiosk network. But there, the question is what possible reason a kiosk designer could have to design such a connection into the machine except to steal data.
And that brings up the scenario that probably represents the greatest (but still dubious) likelihood for a juice-jacking scheme: charging kiosks designed and deployed by criminals with the express purpose of stealing data.
This is where the DefCon demo can actually show the industry the way to building greater security and trust with consumers, Drain said:
"No one's saying that [juice jacking] has happened. They're saying that this theoretically could happen. So we just have to educate people, and certainly that does place some onus on some of these cell phone-charging kiosk manufacturers to assure the public that their devices are safe and the consumer's data will be safe."
Providers of cell phone charging services also need to educate customers about choosing and using charging kiosks, Drain said. This would include avoiding a kiosk that looked in any way suspicious or that was placed in a suspicious location.
Bowers mentioned additional common-sense measures the industry could educate consumers about.
"It's really very simple things," Bowers said. "There is a switch on your phone that you can turn off so that you cannot download information unless a password is put in. And the other thing ... when I use a charging system, I turn my phone off completely. It is a very easy way to protect against anything like this happening."
Ultimately, it will be up to cell phone-charging kiosk designers and deployers to stay ahead of the hackers. Said Bowers, "It's kind of our responsibility when we create a kiosk to be an advocate for the consumer that's going to use it and come up with a solution that will protect them."