We’ve all been there: stranded in a coffee shop with a dying phone battery and no adapter on hand, only to spot a free USB charging station nearby. Relieved, you plug in your device and go about your business, unaware of a potential threat lurking within that innocent-looking USB port. That risk is “juice jacking,” a cybersecurity threat that’s gained enough attention in recent years to warrant a cautionary notice by the FBI.
So what exactly is juice jacking, and how much of a risk is it really? Here’s everything you need to know, plus some tips on how to keep your devices safe while charging on the go.
Hadlee Simons / Android Authority
Juice jacking is a type of attack that exploits portable devices such as smartphones when you plug them into a compromised USB port. Rather than simply providing power for charging, such ports also establish a data connection with a computer or storage device behind the scenes. This in turn allows attackers to copy data from your device, infect it with malware, or hold your files hostage in exchange for a ransom.
Juice jacking has become an increasingly tangible risk over the past decade as more and more of our devices have switched to using USB. Moreover, we’ve become accustomed to storing a lot of sensitive data on our smartphones — everything from personal photos to emails and financial records.
Simply put, the versatility of USB enables juice jacking attacks.
Since we often cannot peek behind most public chargers, it’s impossible to know if there’s a malicious computer on the other side of the wall that’s waiting to establish a connection. By deploying even a single compromised USB port, an attacker can siphon data from thousands of devices over time. Luckily, juice jacking attacks are difficult to execute at scale and aren’t known to be widespread.
Still, knowing about the threat of juice jacking is important, especially as it does not end at simple data theft either. An attacker could use this attack vector to install malware on your device that remains dormant for a while. Then, it can execute in the background when you don’t expect it.
For example, the malware in question could be an app that logs your keyboard input or accesses your device’s camera and microphone in the background. These tasks may sound far fetched for a malicious app, especially as Android and iOS have become quite secure in recent years. However, even Apple hasn’t been able to stop highly advanced spyware tools like Pegasus from proliferating and infecting devices.
The term juice jacking was first coined in 2011, when security researcher Brian Markus deployed a free charging kiosk at a hacker conference to inform attendees of the potential dangers of plugging into untrusted USB ports.
As I alluded to in the previous section, juice jacking takes advantage of the fact that most of our electronic devices rely on USB for charging these days. This is problematic because USB is popularly used for everything from display output to file transfer. The interface can also be used to programmatically control your smartphone via Android Debug Bridge (ADB).
The idea is that when you plug your smartphone into a compromised USB port, the charging station can also simultaneously establish a data connection with your device. So despite its convenience, the versatility of modern USB standards also makes it equally useful to attackers.
Take the O.MG Elite cable as an example — a “hand made USB cable with an advanced implant hidden inside.” The cable looks normal on the surface, but it actually has a full blown Wi-Fi server built in. This allows it to download malicious code, execute it on a connected device, and exfiltrate any data back to the attacker. And when it’s done, it can self-destruct to eliminate any traces of the malicious payload. At $179.99, the O.MG cable isn’t cheap but it demonstrates the scary potential of a juice jacking attack.
Mishaal Rahman / Android Authority
Regardless of whether you use Android or iOS, your phone uses full device encryption in conjunction with a secure enclave on the SoC. This makes it nearly impossible for common malware to infect your device as long as you don’t unlock it. However, the real risk comes in when you input your PIN or biometrics — if your device has security vulnerabilities, plugging it into a compromised USB port could potentially infect it. Of course, it’s worth repeating that the chances of this happening are quite slim.
To harden your device against juice jacking attacks, follow as many of these practices as possible:
While the risk of your device falling victim to a juice jacking attack is fairly low, protecting yourself is fairly easy. In fact, simply keeping your device’s software up-to-date is the best course of action.