
What is juice jacking and should I avoid public phone chargers?


Juice jacking is a USB-based exploit that takes advantage of public charging ports to launch an attack. You can avoid the threat by keeping your devices charged, using special data blocking cables, and other measures.

Your phone battery is low again and you are miles away from the charger at home. There is a public charging kiosk or maybe a USB charging port right at the airport terminal counter you are sitting at. But is it safe to charge your phone with a public port?

What exactly is juice jacking?

Juice jacking is in the news every few years, as was the case recently when the FBI warned people about the risk, and you may be wondering what exactly it is and if you should worry about it.

Whether you have an iPhone or an Android phone, both devices have something in common. The power supply and the data flow pass through the same cable. It doesn’t seem like a big problem at first glance, but it creates a unique attack vector for a malicious user to access your phone during the charging process using hardware or software vulnerabilities.

This attack method is known as “juice jacking,” a term coined by security journalist Brian Krebs while writing about the concept in 2011 after seeing a demo of the exploit on a compromised charging kiosk at the Defcon security conference.

Since 2011, security researchers have installed a new compromised kiosk at every subsequent Defcon security conference to demonstrate known vulnerabilities and raise public awareness of juice jacking.

Over the years, multiple exploits have been identified that target USB-based charging and fall under the umbrella of juice jacking attacks. In 2012, security researcher Kyle Osborn demonstrated a juice jacking attack that could target an unlocked and connected phone, stealing data, including Google authentication keys.

A year later, in 2013, Georgia Tech graduate students demonstrated a proof-of-concept attack that could hijack an iOS device via a USB charging cable: the attack was undetectable by iOS and gave attackers full access to the device.

In 2014, researchers demonstrating the BadUSB attack highlighted that infecting an Android phone so it serves as a BadUSB payload, later used to access the user’s personal computer or corporate network, was a plausible attack vector.

In 2016, another proof-of-concept attack was presented at Defcon that allowed the person controlling the compromised charger to monitor the screen of iOS and Android devices via a screen mirroring exploit. So, while you were charging your phone at the compromised station, the attacker could see everything you were doing as if looking over your shoulder.

An even more concerning exploit was unveiled in 2018 by Symantec researchers. The exploit they discovered started with juice jacking, but it persisted even after you disconnected from the compromised charger. They named the attack vector “TrustJacking” because it exploited the handshake between an iOS device and iTunes, allowing the malicious actor to maintain a connection to the iOS device over Wi-Fi even after the device was disconnected.

Should you worry about juice jacking?

We’re certainly not alarmists here at How-To Geek, and we always give it to you straight. Currently, juice jacking is a theoretical threat, with no reported attacks in the wild. Security researchers discover an exploit, manufacturers patch it, rinse and repeat.

The chances are very low that the USB charging ports at your local airport kiosk are actually a covert front for a computer that mines data and injects malware. However, this doesn’t mean you should just shrug your shoulders and quickly forget about the very real security risk of connecting your smartphone or tablet to an unknown device.

Years ago, when the Firefox extension Firesheep was the talk of the town in security circles, it was precisely the largely theoretical but still very real threat of a simple browser extension, one that allowed users to hijack the web service sessions of other users on the local Wi-Fi node, that led to significant changes.

End users began to take the security of their browsing session more seriously (using techniques such as tunneling through their home Internet connections or connecting to remote VPNs), and major Internet companies made major security changes (such as encrypting the entire browser session and not just the login).

In exactly the same way, making users aware of the threat of juice jacking decreases the chance that people will be juice jacked and increases the pressure on companies to improve security practices.

So our take on the matter? The worst time to learn of an exploit is after you’ve been hit by the exploit. And the best way to avoid being targeted by an exploit is to engage in best practices that minimize your risk. Juice jacking may not be as widespread a problem (or as easy to implement) as text message bank fraud scams are, but that doesn’t mean you should discount the potential risk entirely.

How to avoid juice jacking attacks

The best way to avoid ending up on the losing end of a juice jacking attempt is to use a few simple practices to ensure your phone never has “naked” interaction with a public charging station.

First, let’s look at some best practices that prevent exposure to unsafe ports in the first place, and then some tips to avoid problems when using a charging station or port.

Keep your phone up to date

Before I share any other tips, the best phone security tip when it comes to data theft (and just about every other smartphone security issue out there) is to keep your phone up to date.

As we mentioned above, juice jacking exploits are a real thing, but there are no reports of them being successfully implemented in the wild. When security researchers reveal an exploit, it is patched. You won’t get the exploit patches if you don’t update your phone.

Keep your device battery charged

The easiest precaution is to keep your mobile device charged. Make it a habit to charge your phone at home and office when you’re not actively using it or sitting at your desk working.

The fewer times you find yourself looking at a red 3% battery bar when traveling or out and about, the better. Use the battery management tips for your iPhone or Android device to extend your time between charges.

Take a charger with you

Phone chargers are so small and light that they barely weigh more than the USB cable they plug into, and advances in charger technology mean you’re not sacrificing charging speed and power by going small. Gallium Nitride (GaN) chargers are small but powerful; you can add a 30W charger to your work or travel bag and not even feel it.

So put a charger in there to charge your own phone and keep tabs on the data port. (And if you’re still using an old USB charger from a phone you replaced a long time ago, it’s definitely time to upgrade.)

Bring a portable charger

Not many devices have user-swappable batteries these days, so if you want to keep using your device without relying on charging ports at the airport (or can’t find a good place to plug in your personal charger) you’ll need a portable charger.

Something cheap and compact like the Anker 313 Power Bank should do the trick. With 10,000 mAh of battery capacity, it will fully charge your average smartphone 2-3 times before running out of power. That’s more than enough juice to play on your phone at the airport and on the flight itself.

Use a power-only cord or adapter

Ideally, you should never physically tether your phone to a device that you don’t have full control over. But if you’re using a charging port on a device you don’t control, a good stopgap measure is to use a USB cable or adapter that breaks data connections, leaving only charging connections available.

Data-blocking USB adapters, also informally called “USB condoms,” are the most convenient way to go because you can use any of your existing cables with them, and they’ll stop any data connection between your phone and the compromised charging port.

PortaPow USB Data Blocker

This simple data blocking port adapter ensures that only power (and no malware!) is sent through your charging cable.

One of the best known companies in the niche market is PortaPow. They have a USB-A to USB-A adapter, a USB-A to USB-C adapter, and a USB-C to USB-C adapter. Since most public charging ports are still USB-A, you’ll want to purchase a USB-A to USB-A or C adapter depending on your needs.

It’s worth noting that there’s a major downside to using a power-only cable or adapter. USB fast charging standards use the data connection to identify the device and negotiate a charging rate. No data? No negotiation, and the default charging rate is basic USB speed. It’s better than nothing, but it will probably be slower than you’re used to if you normally use a fast charger at home.

Lock or turn off your phone

Don’t use your phone while it’s charging if you want to play it safer with a public charging port. Keep your phone locked, or better yet, turn it off.

It’s much better to avoid using an unknown port altogether, but if you do, keeping the phone locked or turned off helps prevent simple exploits that depend on you accepting a connection (or a software vulnerability that’s only available if the phone is unlocked or on).

Use wireless charging

If your phone supports wireless charging and you’re in a place with neatly integrated wireless charging pads on the counter or armrests, you’re in luck.

Wireless charging is inherently data-free, and there’s absolutely no risk involved in dropping your phone on a wireless charging logo on a Starbucks table at the airport.

Ultimately, the best defense against a compromised mobile device is awareness. Keep your device charged, enable security features provided by the operating system (knowing that they are not foolproof and all security systems can be exploited), and avoid connecting your phone to unknown charging stations and computers, just as you wisely avoid opening attachments from unknown senders.
