PeopleImages/Shutterstock
In general, plugging your phone into unknown devices or outlets, such as a computer, storage devices, or any other type of thumb drive, is not a safe move. So, how about those free charging stations you can find at airports or kiosks in public places, some of which even charge a nominal fee? Well, they are technically a risky choice. How so? For a decade now, there has been a hot debate around an attack vector called juice jacking. The whole idea is that a USB interface, seemingly available for charging phones and other electronic gadgets, can be rigged by hackers to seed malware for malicious activities.
The best way forward is to avoid such charging outlets. But you never know when you might find yourself in a situation where your phone is about to die, and you can't find a charging outlet. Or, simply don't have the charging kit handy. For such scenarios, experts recommend USB blockers, like this $15 drive from Offgrid. You can also find data-blocking USB drives that cost nearly half as much. Alternatively, you can invest in specialized cables — such as this one from Plugable — that lack data lanes but support up to 240W of power draw.
Their sole objective is to ensure that, except for electrical power, nothing else passes through the USB interface. Simply put, if bad actors have modified a USB port(s) at a charging station, that port won't be able to transfer any corrupted data into your phone. Instead, the USB dongle's entire functionality will be locked to simply transferring power and charging your device.
A deceptively simple threat vector
Yunava1/Getty Images
In 2011, at the well-known DefCon convention, two cybersecurity experts demonstrated that USB charging outlets are vulnerable. The two experts installed a free charging kiosk at the venue, and over 300 visitors plugged their phones into it, only to be greeted by a warning message. "If I can make it happen, and I can dupe hundreds and hundreds of the top professionals around the world into using it, then I think the average citizen around the block is going to fall for it," one of the experts behind the idea told Vox.
The fundamental idea behind juice jacking is that USB-based devices — drives and cables — serve a dual purpose. They can transfer electrical power and enable two-way data movement, as well. The latter is where the risks raise their head. So far, there hasn't been any reporting of mass exploitation or abuse of public USB charging stations to seed malware, but the threat seems to persist. And when state governments, district administrations, and cybersecurity firms start flagging the risks, it's better to play it safe than feel sorry after the damage is done.
About two years ago, the Federal Bureau of Investigation (FBI) issued a warning about using public charging stations at airports, restaurants, and transportation hubs. "Bad actors have figured out ways to use public USB ports to introduce malware and monitoring software onto devices," the agency wrote. Over the years, Apple has built a system that only allows data transfer with a USB connection if users manually designate it as a "trusted" device. Android devices also default to charging-only mode, unless users change the behavior to allow data transfer, as well.
Plenty of skepticism, but it's best to play it safe
Manuel Milan/Getty Images
When the FBI first issued the warning about the risks of using public charging stations, it was widely covered. However, there's also plenty of skepticism around the real risks. "There isn't much evidence to show that 'juice jacking' is a widespread problem," Zulfikar Ramzan, the chief scientist at the consumer cybersecurity company named Aura, told Slate. Andy Thompson, a cybersecurity evangelist at CyberArk, also told the outlet that something like juice jacking doesn't exist. The experts added that it's a risk if viewed from a proof-of-concept perspective.
Simply put, it's technically possible, and as such, poses a realistic threat. Cybersecurity expert Mike Grover told ArsTechnica that "it's not something that is worth stressing about for the general public." But just because something is technically feasible, doesn't mean it can be — or has been — deployed for widespread juice jacking. The lack of evidence, or victims who can conclusively prove that juice jacking attacks targeted them, is pretty surprising, especially when agencies such as the FBI and FCC jump into the debate.
"Malware installed through a corrupted USB port can lock a device or export personal data and passwords directly to the perpetrator," said an FCC notice. However, the webpage has now been withheld from public access, though you can still read archived versions. When the outlet reached out to these agencies, it didn't receive any details on actual cases or victims of juice jacking. In 2019, the LA district attorney's office also issued a similar warning, but when TechCrunch asked whether any recorded harm had occurred, the office replied that it hadn't logged any actual cases. But just to be on the safe side, it's worth spending ten bucks, or fewer, to keep your phone safe.
