Public Charging Stations are not safe!
“Juice jacking” is an ever-present threat
Airports, fast-food restaurants, airplanes, trains, taxicabs and many public areas now have USB charging stations. The vice president of threat intelligence at X-Force Red, IBM’s elite penetration testing team, issued dire warnings about the risks associated with public charging stations with the following comment: “Plugging into a public USB port is kind of like finding a toothbrush on the side of the road and deciding to stick it in your mouth. You have no idea where that thing has been.”
In 2011, veteran infosec journalist Brian Krebs coined the term “juice jacking” to describe exploits that utilize a free public smartphone charging terminal for installing malware on your device. Juice jacking is the mobile tech equivalent of credit card skimming at the gas pump.
Juice jacking is one of the most underrated security threats, but it is serious nonetheless. A cybercriminal can use free public charging spots to take complete control of your smartphone and inject malicious code. The technical tools required to compromise a public USB charging port are readily available.
USB ports don’t merely provide power; they were designed to transfer data between devices. Although your phone and laptop aren’t supposed to accept data from a USB port without your permission (which is why the “Trust This Computer?” prompt exists on iPhones), it is possible to weaponize a USB port and push malware to a connected phone.
USB-based charger attacks against mobile devices are not theoretical.
You should take common sense precautions to avoid exposure to systems that may provide malicious access to your personal devices. Plan for the worst-case scenario and take sensible precautions when you use computer charging stations.
What’s the Danger?
There’s nothing stopping a compromised USB charging port from trying to access private data on your phone or exploit a security vulnerability and run dangerous code on your device. Fortunately, the latest-model iPhone will prompt you to “Trust This Computer” when a device you’re plugged into wants access. Apple just added “USB Restricted Mode” to the iPhone and iPad to prevent them from being attacked by password-cracking tools connected to the Lightning data port.
If you have an Android phone, there are bigger risks. Many current Android devices from eight different manufacturers, including Samsung, LG, and HTC, are vulnerable to AT commands being sent over a USB cable. These AT commands are still the same as they were decades ago during the early days of dial-up telephone modems, and they increase the vulnerability of smartphones.
How to avoid juice jacking
The most effective precaution is simply not charging your phone using a third-party system, and the most obvious precautions center on making that unnecessary. Whenever possible, avoid connecting your phone or other portable electronic device directly to any public USB ports.
Keep your battery full. Make it a habit to charge your phone at your home and office when you are not actively using it.
Carry a personal charger/power bank/portable charger. This is the safest and most convenient solution. Don’t leave home without one. Chargers have become very small and portable. Always have one in your bag so you can charge your phone securely from a power outlet or on the go using a power bank.
Just plug the phone into the battery to charge it whenever you like. When you find an AC outlet, just plug your battery into the outlet to recharge it. You can also do both at once: plug the battery into the outlet and the phone into the battery. You’ll be charging both your battery and phone at the same time, and it’s safe. Charging the portable battery rather than your device directly isolates your device from the USB charging outlet.
Search for a conventional AC outlet.
For both safety and maximum charging speed, avoid public USB charging ports and search for an electrical outlet. Plug your phone’s standard charger directly into the AC outlet and charge from there. Electrical outlets don’t allow data to be transferred so you will be safe from malware.
Lock your phone.
In a situation where you have no choice but to charge your phone or other portable electronic device with a public USB charging port, you can power off the device completely and then plug it in. A smartphone that is powered off doesn’t allow transfer of data.
When your phone is locked (truly locked) and inaccessible without the input of a PIN or equivalent passcode, fingerprint scan, or face ID, your phone cannot be paired with the device it’s connected to over a USB public charging cable. Beware, however: pairing takes place within seconds, so you had better make sure the phone really is locked and powered off before it is connected to any public USB charging port.
Technology threats surround us. What might seem like a benign, generic USB port or charging cable can install malware or steal data from your smartphone or laptop. Malware can be lurking within these increasingly ubiquitous public USB ports, and when you connect your phone or another power-thirsty portable electronic device, the port can transfer not just power, but malware, too.