What is juice jacking? Why you shouldn’t use public USB charging ports
We’ve all been there: stranded in a coffee shop with a dying phone battery and no adapter on hand, only to spot a free USB charging station nearby. Relieved, you plug in your device and go about your business, unaware of a potential threat lurking within that innocent-looking USB port. That risk is “juice jacking,” a cybersecurity threat that’s gained enough attention in recent years to warrant a cautionary notice by the FBI.
So what exactly is juice jacking, and how much of a risk is it really? Here’s everything you need to know, plus some tips on how to keep your devices safe while charging on the go.
What is juice jacking?
Juice jacking is a type of attack that exploits portable devices such as smartphones when you plug them into a compromised USB port. Rather than simply providing power for charging, such ports also establish a data connection with a computer or storage device behind the scenes. This in turn allows attackers to copy data from your device, infect it with malware, or hold your files hostage in exchange for a ransom.
Juice jacking has become an increasingly tangible risk over the past decade as more and more of our devices have switched to using USB. Moreover, we’ve become accustomed to storing a lot of sensitive data on our smartphones — everything from personal photos to emails and financial records.
Simply put, the versatility of USB enables juice jacking attacks.
Since we often cannot peek behind most public chargers, it’s impossible to know if there’s a malicious computer on the other side of the wall that’s waiting to establish a connection. By deploying even a single compromised USB port, an attacker can siphon data from thousands of devices over time. Luckily, juice jacking attacks are difficult to execute at scale and aren’t known to be widespread.
Still, knowing about the threat of juice jacking is important, especially as it does not end at simple data theft. An attacker could use this attack vector to install malware on your device that remains dormant for a while and then executes in the background when you don’t expect it.
For example, the malware in question could be an app that logs your keyboard input or accesses your device’s camera and microphone in the background. These tasks may sound far-fetched for a malicious app, especially as Android and iOS have become quite secure in recent years. However, even Apple hasn’t been able to stop highly advanced spyware tools like Pegasus from proliferating and infecting devices.
The term juice jacking was first coined in 2011, when security researcher Brian Markus deployed a free charging kiosk at a hacker conference to inform attendees of the potential dangers of plugging into untrusted USB ports.
How does juice jacking work?
As I alluded to in the previous section, juice jacking takes advantage of the fact that most of our electronic devices rely on USB for charging these days. This is problematic because USB is widely used for everything from display output to file transfer. The interface can also be used to programmatically control your smartphone via Android Debug Bridge (ADB).
The idea is that when you plug your smartphone into a compromised USB port, the charging station can establish a data connection with your device while it charges. So the same versatility that makes modern USB standards convenient also makes them useful to attackers.
Take the O.MG Elite cable as an example — a “hand made USB cable with an advanced implant hidden inside.” The cable looks normal on the surface, but it actually has a full-blown Wi-Fi server built in. This allows it to download malicious code, execute it on a connected device, and exfiltrate any data back to the attacker. And when it’s done, it can self-destruct to eliminate any traces of the malicious payload. At $179.99, the O.MG cable isn’t cheap, but it demonstrates the scary potential of a juice jacking attack.
How to protect your devices from juice jacking
Regardless of whether you use Android or iOS, your phone uses full device encryption in conjunction with a secure enclave on the SoC. This makes it nearly impossible for common malware to infect your device as long as you don’t unlock it. However, the real risk comes in when you input your PIN or biometrics — if your device has security vulnerabilities, plugging it into a compromised USB port could potentially infect it. Of course, it’s worth repeating that the chances of this happening are quite slim.
To harden your device against juice jacking attacks, follow as many of these practices as possible:
- Install the latest security patches: It’s tempting to skip Android version and security updates if you’re low on data, time, or storage on an older device. However, these patches are important if you care about security as they can close loopholes that could be used to attack your device. Likewise, you may want to move on from devices that become old enough to no longer receive routine security updates.
- Use a trusted USB cable: While less likely than a compromised computer on the other end, USB cables by themselves can be enough to cause harm to your device. A security researcher embedded a microcontroller within a cable to prove just that — it could emulate keyboard commands and relay malicious scripts to connected devices.
- Favor power outlets over USB ports: The easiest way to avoid falling victim to juice jacking is to never plug your device into an unknown USB port. As long as you carry your own trusted adapter (and cable), an electric plug point is all you need and carries zero risk.
- Android Lockdown mode: The Android 15 update adds a new protection measure that entirely blocks USB data signaling when you enter lockdown mode. To take advantage of this, you’ll have to manually enter lockdown mode via your device’s power menu.
- Use a privacy cable: USB ports contain several pins and only some of them are used for data signaling. So if we only care about charging, we can use a “charge-only” cable that doesn’t have any conductors connected to the USB port’s data pins. Hardware startup OSOM sells one such privacy cable, but you’ll also find similar devices marketed as USB data blockers or condoms.
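One way to confirm that a cable or data blocker really is charge-only is to plug the phone into your own Linux computer through it and check that nothing new enumerates on the USB bus. The sketch below is an added example, not part of the original article; the function names and the constructed sysfs tree are assumptions made for illustration.

```python
"""Check whether a cable or adapter really is charge-only (added example).

Snapshot the host's USB bus, plug the phone in through the cable under
test, then snapshot again. A charge-only cable leaves the bus unchanged.
Reads Linux sysfs; the sysfs root is a parameter so it can be pointed at
a constructed tree.
"""
import os
import tempfile

# USB-IF base class codes for interfaces a phone commonly exposes.
CLASS_NAMES = {"03": "HID", "06": "still image (PTP/MTP)",
               "08": "mass storage", "ff": "vendor specific"}


def snapshot(root="/sys/bus/usb/devices"):
    """Map device name -> list of interface class labels."""
    devices = {}
    for entry in sorted(os.listdir(root)):
        if ":" not in entry:                    # device node, e.g. "1-2"
            devices.setdefault(entry, [])
            continue
        path = os.path.join(root, entry, "bInterfaceClass")
        try:
            with open(path) as fh:
                code = fh.read().strip().lower()
        except OSError:
            continue                            # device vanished mid-scan
        owner = entry.split(":", 1)[0]          # "1-2:1.0" belongs to "1-2"
        label = CLASS_NAMES.get(code, "class 0x" + code)
        devices.setdefault(owner, []).append(label)
    return devices


def data_paths_added(before, after):
    """Devices that enumerated after plugging in; empty means charge-only."""
    return {name: ifaces for name, ifaces in after.items() if name not in before}


def make_constructed_tree(interfaces):
    """Constructed sample: fake sysfs with a root hub plus interface->class."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "usb1"))
    for iface, code in interfaces.items():
        os.makedirs(os.path.join(root, iface.split(":")[0]), exist_ok=True)
        os.mkdir(os.path.join(root, iface))
        with open(os.path.join(root, iface, "bInterfaceClass"), "w") as fh:
            fh.write(code + "\n")
    return root
```

On a real machine, call `snapshot()` once before and once after plugging in, then pass both results to `data_paths_added`; any entry it returns means the cable carries data lines.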
While the risk of your device falling victim to a juice jacking attack is fairly low, protecting yourself is fairly easy. In fact, simply keeping your device’s software up to date is the best course of action.