Most people associate a cyber-attack with things like phishing, exploitation of software vulnerabilities, RDP hacks, and sketchy websites hosting malicious code. This isn’t a misconception, but black hats have plenty of lesser-known tactics up their sleeve.
Would you expect a digital ambush when charging your smartphone via a USB power station in a public place? If the answer is “No,” then you are a potential target of juice jacking, a form of compromise that entails data theft through a hacked charging port. Even though the term sounds like fun, the concept behind it is a growingly serious issue for individuals and businesses.
Let’s take a dive into this phenomenon to understand how it works and whether it’s something to worry about.
Juice jacking 101
To execute a juice jacking attack, malicious actors take control of USB charging gear in airports, hotels, shopping malls, and other public spaces visited by numerous people, including business travelers. This hack becomes a launchpad for repurposing your charging session so that it serves as a channel of unauthorized data transfer.
If you take a close look at a standard USB connector, it has a total of four or five pins. Only one or two of them are required to charge the device and the rest are used for transferring information. You may have also noticed that when you connect your mobile gadget to a laptop or desktop computer via a USB port to charge it, the device that supplies the power will display a dialog offering you to move data back and forth. Whereas file transfer is typically disabled by default, a criminal who has access to the USB power station can enable it surreptitiously.
The attacker’s motivation is to steal numerous people’s data or to deposit malware onto devices. A particularly intricate scenario involves the use of a spyware app that mirrors the screen of the smartphone or tablet plugged into a hijacked USB port. This way, the hacker can remotely record passwords and PINs as they are being entered during the charging session.
This type of exploitation bears a resemblance to credit card skimming in a way, where crooks pilfer the details of debit and credit card inserted into ATMs. The similarity is that a malefactor exploits a real device in a public place – a cash machine or a charging station – by attaching a malicious component or by remotely enabling dodgy features.
Juice jacking poses a particularly high risk to businesses, and here is why. If an employee connects their company-issued smartphone to a hacked USB power station, perpetrators may get hold of proprietary information such as login credentials and corporate secrets. This data can be a source of industrial espionage, spear-phishing attacks, business email compromise (BEC) scams, and network-wide malware onslaughts.
How juice jacking splashed onto the scene
This attack vector was originally demonstrated by ethical hackers as a proof of concept. In 2011, a group of researchers from the Aires Security firm created a booby-trapped charging kiosk and installed it at the Wall of Sheep village, which is part of the Defcon event held annually in Las Vegas. On a side note, the Wall of Sheep is kind of a public embarrassment zone at the hacking conference where attendees with poor digital hygiene are shamed for their indiscretion. Although the kiosk would display a warning message every time someone plugged their mobile device into it, more than 360 people did it without a second thought in three and a half days.
Should you be concerned?
Even though security analysts don’t consider juice jacking a mainstream peril at this point, authorities have already given users a heads-up regarding the potential risks. An example is an alert issued by the Los Angeles County District Attorney’s Office in November 2019. The officials advised travelers against using public USB power charging stations as a countermeasure for malware attacks during the holiday season.
One of the reasons why juice jacking isn’t being flagged as a common threat so far is that there haven’t been any documented real-world cases and nobody has been caught red-handed yet. However, the threat isn’t as far-fetched as it may appear, with a few unverified incidents having been reported in the U.S. east coast area.
Two flavors of juice jacking
Juice jacking is a two-pronged threat. Based on the hackers’ tactics, experts single out the following sources of these attacks:
Public charging stations. When you connect your smartphone to a weaponized USB charging station, a remote attacker enables the data transfer mode and thereby retrieves your sensitive information or installs mobile malware behind your back.
Booby-trapped accessories. In this case, a charging device previously modified by criminals becomes an instrument for eavesdropping or malware injection. White hats have shown how this works. Back in 2013, enthusiasts from the Georgia Institute of Technology created a rogue charger they called Mactans, which allowed a hacker to infect a connected iOS gadget with harmful code.
Two years later, a researcher named Samy Kamkar masterminded a malicious Arduino-based device disguised as a regular USB wall charger. It allows a hacker to steal keystrokes from a wireless keyboard plugged into it.
What is the manufacturers’ response?
Tech giants such as Microsoft and Apple are aware of these vulnerabilities and try to address them. For instance, if you own a mobile device running iOS 11.4.1 and later, you will need to unlock it whenever it’s plugged into a USB accessory otherwise your gadget won’t communicate with that peripheral object. These efforts are certainly commendable, but staying on top of all the possible exploits is easier said than done.
Ways to keep your company’s devices safe
As previously mentioned, businesses are the “juiciest” targets of these incursions. By stealing employees’ login credentials, criminals can gain a foothold in the enterprise IT infrastructure and perpetrate effective scams or poison the network with malicious programs such as ransomware or crypto miners. To top it off, any illegally obtained business-critical information may be sold to a competitor.
Obviously, companies need to proactively defend themselves against this menace. Here are some best-practice tips to safeguard your organization against juice jacking attacks:
- Let your employees know about the threat
Be sure to complement the security awareness training for personnel with up-to-date information about juice jacking. Instruct your team members to refrain from plugging USB cables into public ports and emphasize the importance of using virtual private network (VPN) tools whenever they go online as an extra layer of protection against data theft.
In situations where charging a mobile device in a public place is a necessity, here are several worthwhile precautions:
- Use USB accessories from trusted manufacturers only.
- Abstain from using free USB charging cables that come with promo bundle kits, because they might be riddled with malware.
- Never use cables someone left connected to public USB charging kiosks.
- Decline data transfer requests that appear when you start a charging session.
- Provide employees with power banks
This one is self-explanatory. If you don’t want your staff to use potentially hijacked charging stations, company-issued power banks are a decent alternative that should do the trick. This way, your employees can charge on the go and keep their devices safe.
- Enforce the use of USB condoms
No matter how “naughty” it sounds, a USB condom is an effective way to stop any juice jacking attack in its tracks. It serves as a protective shield between your charging cable and a USB port in a public place. Essentially, it keeps the charging function active while blocking data from being transferred in either direction via the cable.
- Use charging-only cables rather than data cables
It doesn’t take a rocket scientist to understand why a power-only USB cable eliminates the risk altogether. It only engages the connector’s pin (or pins) required for charging and disengages the ones intended for data transfer – as simple as that.
- Use the “good old” AC socket where possible
Charging your smartphone via a traditional AC power outlet makes a juice jacking attack impossible. One of the caveats is that it may not be easy to find a spare socket. Furthermore, business travelers should keep in mind that there are quite a few different types of power outlets around the world. If you know your route, make sure you carry the right adapter with you.
The bottom line
Here’s some good news: juice jacking isn’t a widespread threat so far and isn’t as likely to be encountered in the wild as phishing or ransomware raids. However, researchers have shown the practicability of such exploitation and cybercriminals can definitely do the same. Given the ubiquity of mobile devices and the fact that people increasingly depend on them, the issue might escalate anytime soon.
Real-world hackers are constantly expanding their repertoire, and if there is a hype train, they won’t miss it. With that said, you should think twice before plugging your smartphone into a public USB charging station. Also, make sure your family, friends, and colleagues know what juice jacking is and how to stay on the safe side.
David Balaban is a computer security researcher with over 10 years of experience in malware analysis and antivirus software evaluation. David runs the www.Privacy-PC.com project which presents expert opinions on the contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking. As part of his work at Privacy-PC, Mr. Balaban has interviewed such security celebrities as Dave Kennedy, Jay Jacobs and Robert David Steele to get firsthand perspectives on hot InfoSec issues. David has a strong malware troubleshooting background, with the recent focus on ransomware countermeasures.