Juice Jacking: How Hackers Can Steal Your Info When You Charge Devices
Never thought you’d have to worry about cyberattacks from just plugging in your phone at a charging station? Here’s what to know about it and how to protect your devices from this USB charger hack
When most people think of cyberattack methods and threats, they think of insecure network connections, phishing emails, and malicious websites. They don’t think of a cybercriminal hijacking a public USB power station. So, if you’re someone who typically whips out a USB charging cable at these public ports when your device battery is approaching 0%, you may want to reconsider. That’s because you may be leaving your phone or other mobile device open to a type of illegal hacking known as “juice jacking.”
Although the term sounds like some sort of energy drink marketed to teenage boys, juice jacking is a serious cyber security threat for businesses and consumers alike. Juice jacking USB ports is a tactic that cybercriminals have been using for several years, although it’s still a relatively unknown threat to cyber security, information security, and user privacy as a whole. This may be, in part, because there aren’t many known cases of such attacks occurring… yet.
But what exactly is juice jacking? How does it work and, really, why should you care?
Let’s hash it out.
Juice Jacking USB Ports: Not Your Typical Cyberattack Channel
Juice jacking refers to a type of cyberattack in which attackers commandeer a charging port that doubles as a data connection. Essentially, cybercriminals hijack your power supply channel (hence “juice” jacking) and use it for their own nefarious deeds. They do this to install malware on a victim’s device and/or steal data. This process can include installing tracking programs and mirroring the victim’s screen to see (and record) any passwords and PIN codes they enter while the device is charging. This is why juice jacking is also sometimes known as “juice filming” or “juice filming charging attacks.”
So, for example, this means that when one of your employees innocently plugs their company-issued mobile device into a public USB port during a layover at the airport, a cybercriminal could be nearby, waiting to use that connection to launch an attack against that device.
In some ways, juice jacking is similar to credit card skimming scams (you know, the scams that have been all over the news that involve stealing debit and credit card information from ATMs, gas station pumps, etc.) because it involves a cybercriminal setting up a malicious device over a real charging station port or cable so that it looks like the real deal. Because you can frequently find these public USB charging ports in airports, hotels, and even some modern shopping centers, they make ideal targets for cybercriminals to use to their advantage.
Although this tactic is largely still theoretical in many ways (because it’s not been studied in the wild), it’s a great opportunity for hackers and bad news for the rest of us.
The Origins of Juice Jacking: How the USB Charger Hack Got Its Start at Def Con
In 2011, Aries Security researchers Brian Markus and Joseph Mlodzianowski, along with Robert Rowley, built and placed a compromised free charging kiosk in a venue known as the Wall of Sheep at DefCon, the world’s largest hacking and security conference that’s held each year in Las Vegas. The Wall of Sheep (so named because they used to actually post people’s names on a wall) is a space that’s known for exposing individuals who demonstrate poor security hygiene to help educate on the dangers of engaging in insecure behaviors. It’s the wall of “honor” on which no IT or cybersecurity expert wants their name to be featured.
According to a 2011 article from Brian Krebs at krebsonsecurity.com, the researchers’ goal was to educate conference-goers about the dangers of charging their devices at random power stations. To make their station enticing, they equipped it with various types of charging cables that would work with the majority of mobile devices they’d expect to find at the conference.
Considering that this is in a room of hackers and security experts, one would think that this would be a no-brainer. But they were surprised (and disappointed) to find out that some people will stop at nothing to ensure their devices have enough juice to get them through the day.
In his article, Krebs goes on to say: “In the three and a half days of this year’s DefCon, at least 360 attendees plugged their smartphones into the charging kiosk.”
Why You Should Care About Juice Jacking
Although industry experts agree that juice jacking isn’t necessarily a widespread threat, it’s still enough of a concern that the Los Angeles County District Attorney’s Office decided it was necessary to declare juice jacking as a security threat to travelers during the last holiday season.
Perhaps, part of the reason it’s not viewed as a major mainstream threat within the cyber security community is because there really aren’t any verified cases of juice jacking. Malwarebytes reports that “this attack method has not been documented in the wild, outside of a few unconfirmed reports on the east coast and in the Washington, DC, area.”
Most people view public USB ports as convenient solutions for dying mobile devices while on the go. And, in all reality, they are — but as you’re learning, this convenience doesn’t come without risk.
Frankly, we’re not sharing this information to cause widespread panic or to make you paranoid. We’re not handing out tinfoil hats here, so there’s no reason to presume that all charging kiosks in public spaces are inherently malicious. We just want to inform you about the risks so you and your employees can make informed decisions about how and where to charge mobile devices. Personally, I always err on the side of caution and subscribe to the “better safe than sorry” mentality when it comes to protecting my devices and data.
Did You Know? There’s More Than One Type of Juice Jacking
Yeah, there are actually two types of juice jacking. Juice jacking is a broad enough category that it doesn’t just involve the use of malicious or compromised USB wall chargers for data theft. It also includes the use of compromised smartphone charging cables.
So, basically, juice jacking attacks typically fall under one of two categories:
- Data Theft: This type of juice jacking occurs when victims plug their devices into compromised or fake charging stations using their data-transmitting USB cables. This allows attackers to steal information, including passwords and PINs.
- Malicious Installations: This type of juice jacking involves the victims using compromised mobile device accessories such as charging cables (for example, an O.MG cable, which has a hidden microchip inside of a USB-C cable). Such a device looks like a regular Lightning charging cable, but it’s essentially a phone charger that steals your info. Hackers could potentially use these compromised cables to transmit malicious payloads from your device to a nearby device that they control that’s within Wi-Fi range.
What Manufacturers Are Doing to Fight USB Device-Related Threats
While it’s true that manufacturers like Apple and Microsoft are continually trying to fix and patch vulnerabilities in their devices, they aren’t aware of every potential exploit. That being said, Apple, for example, now requires devices running iOS 11.4.1 or later versions to be unlocked before they will recognize and use an accessory such as a charging account.
Apple’s iOS Security Guide update from May 2019 (for iOS 12.3) defines its USB restricted mode as aiming to do the following:
“To improve security while maintaining usability, Touch ID, Face ID, or passcode entry is required to activate data connections via the Lightning, USB, or Smart Connector interface if no data connection has been established recently. This limits the attack surface against physically connected devices such as malicious chargers, while still enabling usage of other accessories within reasonable time constraints. If more than an hour has passed since the iOS device has locked or since an accessory’s data connection has been terminated, the device won’t allow any new data connections to be established until the device is unlocked. During this hour period, only data connections from accessories that have been previously connected to the device while in an unlocked state will be allowed. Attempts by an unknown accessory to open a data connection during this period will disable all accessory data connections over Lightning, USB, and Smart Connector until the device is unlocked again.”
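The policy in the quoted passage can be read as a small state machine. The Python model below is an added example, not Apple’s code and not part of the original article. The class, method names, accessory labels, and the choice to start the one-hour window at the later of the two events are assumptions made for illustration.

```python
from dataclasses import dataclass, field

GRACE_SECONDS = 3600  # "more than an hour" in the quoted text

@dataclass
class RestrictedModeModel:
    """Toy model of the quoted policy (hypothetical names throughout)."""
    locked: bool = False
    locked_at: float = 0.0
    last_data_end: float = 0.0      # when an accessory data link last ended
    data_disabled: bool = False     # set by an unknown accessory while locked
    known: set = field(default_factory=set)  # accessories seen while unlocked

    def lock(self, now):
        self.locked, self.locked_at = True, now

    def unlock(self):
        self.locked, self.data_disabled = False, False

    def disconnect(self, now):
        self.last_data_end = now

    def request_data(self, accessory, now):
        # Returns True if a data connection is granted; charging is unaffected.
        if not self.locked:
            self.known.add(accessory)
            return True
        if self.data_disabled:
            return False
        # Assumption: the hour runs from the later of lock and last disconnect.
        window_start = max(self.locked_at, self.last_data_end)
        if now - window_start > GRACE_SECONDS:
            return False
        if accessory in self.known:
            return True
        self.data_disabled = True   # unknown accessory: shut all data links
        return False

def kiosk_scenario():
    """Constructed timeline: a trusted car dock, then an unknown kiosk."""
    phone = RestrictedModeModel()
    results = [phone.request_data("car-dock", now=0)]         # unlocked
    phone.disconnect(now=60)
    phone.lock(now=100)
    results.append(phone.request_data("car-dock", now=900))   # known, in window
    results.append(phone.request_data("kiosk", now=1000))     # unknown: denied
    results.append(phone.request_data("car-dock", now=1100))  # all data disabled
    phone.unlock()
    phone.lock(now=2000)
    results.append(phone.request_data("car-dock", now=5601))  # hour has passed
    return results
```

In this model an unlocked phone grants a data connection to any accessory, which is why the advice to decline the trust prompt still matters even with the restriction in place.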
How to Protect Your Organization’s Endpoint Devices Against Juice Jacking
So, if cybercriminals can potentially hijack USB charging stations to carry out their attacks, what can you do to protect your organization’s devices against these types of threats?
Train Employees to Recognize Threats (Like Juice Jacking) and Respond Accordingly
While we’ve certainly preached about the importance of cyber awareness training for employees, this is definitely an area where employees can use training. Whether it’s educating them about why they shouldn’t plug data-transmitting USB cables into public USB ports or informing them about why they need to use a virtual private network (VPN) any time they’re connecting to a non-work network, cyber awareness training is a valuable investment in the defense of your organization.
If, for some reason, they still need to plug a USB device into a public USB charging station:
- Use only USB devices from reputable, trusted suppliers.
- Avoid using free, promotional USB charging cables because they could be infected (according to a report in The New York Times).
- Don’t ever use plugs that were left plugged into public USB charging stations.
Also, ensure they understand the importance of selecting “decline” when they’re asked whether to trust the connected device.
Assign Employees a Power Bank as a Backup Power Supply
Don’t want your employees to risk using a public USB charging station? Give them an alternative by giving them a power bank to use while out of the office. Although it’s true that power banks have limited charging capabilities, they’re likely able to provide enough power to the employee’s device to hold them over until they’re in a location that has a traditional AC power wall charger.
Require Employees to Use USB “Condoms” or Power-Only USB Cables in Public
While the former may sound like we’re venturing into NSFW territory, USB condoms are actually devices that can be used as a buffer between your data charging cable and a public USB port. Essentially, they’re data blockers. Much like how a traditional condom blocks other things, the purpose of the USB condom is to block data from being transmitted between the cable and the USB port.
When in Doubt, Go the AC Charging Route
Otherwise, another solution is to provide your employees with “old school” AC adapters for their device or power-only USB cables. These options allow users to only charge their devices using standard AC power outlets or the freedom to continue using public USB ports but without the risk of juice jacking or data hijacking.
Final Thoughts
Regardless of the term that you prefer using — juice jacking, juice filming, etc. — this type of practice is a threat to individual consumers and businesses alike as society becomes more dependent on mobile devices. While it may not be as big or widespread a threat as phishing and ransomware attacks, it’s still something to be cognizant of.
As we all know, hackers are looking for new and creative ways to infiltrate devices. Whether their goal is to steal their victims’ personal information or to gain access to their employers’ networks, juice jacking is a threat that simply can’t be ignored. This is why we’re taking the time to bring this threat to your attention: not only so you’re aware, but also so you can inform your organization’s leadership and employees.