‘Juice jacking’ is a security exploit in which an infected USB charging station is used to compromise connected devices.
FBI warns consumers against using free public charging stations. The agency claims that criminals have successfully hijacked these public chargers to infect devices with malware or software that can give hackers access to your phone, tablet or computer, CNBC reports.
“Avoid using free charging stations at airports, hotels or malls,” said a tweet from the FBI’s Denver field office. “Criminals have discovered ways to use public USB ports to sneak malware and spyware onto devices. Bring your own charger and USB cable and use a power outlet instead.”
The FBI offers similar guidance on its website for avoiding public chargers. The bulletin does not mention any recent cases of harm to consumers as a result of juice jacking. The FBI’s Denver office said the message was a warning and that there was no specific case prompting it.
Avoid using free charging stations in airports, hotels or shopping centers. Bad actors have figured out ways to use public USB ports to introduce malware and monitoring software onto devices. Carry your own charger and USB cord and use an electrical outlet instead. pic.twitter.com/9T62SYen9T
— FBI Denver (@FBIDenver) April 6, 2023
Juice jacking, the hidden danger of charging stations
The Federal Communications Commission has also warned about juice jacking, as this malware loading system has been known, since 2021.
Juice jacking is a security exploit in which an infected USB charging station is used to compromise connected devices. The exploit takes advantage of the fact that a mobile device’s power supply runs through the same USB cable that the connected device uses to sync data.
An exploit is a computer program, a piece of software or a script that takes advantage of a bug or vulnerability to cause unintended or unexpected behavior in software, hardware or any electronic device.
Exploit juice jacking is a security threat in airports, shopping malls and other public places that offer free charging stations for mobile devices. The risk of falling victim to a juice jacking attack is considered low, but the attack vector is real and is often compared to ATM card theft attacks of the past. Both juice jacking and card theft rely on the end user trusting that the compromised hardware is safe to use.
How juice jacking works
Juice jacking is a hardware-centric MitM (Man in the Middle) attack. The attacker uses a USB connection to load malware directly into the charging station or infect a patch cable and leave it plugged in, hoping that some unwary person will come along and use the “forgotten” cable.
Juice jacking exploits work because the same port used to charge a device can also transfer data. A USB connector has five pins, but only one is needed to charge a connected device and only two of the five pins are used to transfer data. It is this architecture that allows the end user to move files between a mobile device and a computer while the mobile device is connected to the charging station.
USB ports and phone charging cables are the most common devices used in juice-jacking attacks. Other less common devices that can be used in these types of exploits include USB ports on video game consoles and portable battery power banks.
How to protect against juice jacking
Juice-jacking allows an intruder to copy sensitive data from a mobile device, such as passwords, files, contacts, text and voice messages. Individuals may not realize they have been the victim of an attack or may have no way of knowing how the attack occurred once they realize their device is infected. Users can protect themselves from juice-jacking attacks by purchasing a protective accessory called a “USB condom.” This device is a device that plugs into a charging cable and is placed between the device’s charging cable and the public USB charging station.
The “USB condom” works by blocking connections to all but one pin of the USB male connection: the pin that transfers power. The condom prevents the transferring pins from establishing a connection, while still allowing the device to charge.
Another way to prevent this type of attack is to avoid using chargers that are left plugged into the power outlet. In addition, it is a good practice to keep devices and software programs up to date and never accept free promotional charging devices or from unverified sources or individuals.