What is juice jacking? Think twice before using public USB ports
Published: August 07, 2018
Juice jacking may pose a risk at public USB charging stations. Learn how juice jacking works and how to protect your devices.
If you're stuck somewhere with a dying smartphone battery, you may not think twice about plugging in at the nearest USB charging station.
Not so fast. Warnings of juice jacking may cause you to reconsider.
It could be that someone has loaded malware on the USB port or the USB cable attached to one of these public charging stations. While your phone is charging, the perpetrator might be able to infect your device with a virus or malware that could track your keystrokes or even steal your data. That’s juice jacking.
Juice jacking does not yet appear to be a widespread threat, but it’s still a good idea to understand your risks and alternatives before giving your battery a boost at public charging stations like those at airports or hotels.
How juice jacking works
Whether you have an iPhone, BlackBerry, or an Android device, smartphones have one thing in common: The power supply and the data stream pass through the same cable.
This could spell trouble. When your phone connects to another device, it pairs to that device and establishes a trusted relationship. That means the devices can share information. So during the charging process, the USB cord opens a pathway into your device that a cybercriminal may be able to exploit.
On most phones, the data transfer is disabled by default (except on devices running older Android versions), and the connection is only visible on the end that provides the power.
For instance, when you plug your phone into your computer, a message on the computer may ask whether to trust the device.
In the case of juice jacking, the device owner won't see what the USB port connects to. So when you plug in the phone, if someone's checking on the other end, they may be able to move data between your device and theirs.
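The default-off data transfer described above can be checked on an Android test device. The following is an added example, not part of the original article: it parses `adb shell getprop` output and reports whether the active USB mode exposes a data function. The sample output is constructed, and the function-name lists are assumptions based on common AOSP names that vendor builds may extend.

```python
import re

# Constructed sample of `adb shell getprop` output (not captured from a real device).
SAMPLE_GETPROP = """\
[ro.build.version.release]: [13]
[sys.usb.config]: [mtp,adb]
[sys.usb.state]: [mtp,adb]
[persist.sys.usb.config]: [none]
"""

# Assumption: common AOSP USB function names; vendor builds may add others.
DATA_FUNCTIONS = {"mtp", "ptp", "rndis", "ncm", "midi", "accessory",
                  "audio_source", "mass_storage", "adb"}
CHARGE_ONLY = {"", "none", "charging"}

PROP_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<value>.*)\]$")


def parse_getprop(text):
    """Turn `[key]: [value]` lines into a dict, ignoring anything else."""
    props = {}
    for line in text.splitlines():
        m = PROP_LINE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("value")
    return props


def usb_exposure(props, key="sys.usb.state"):
    """Classify the USB mode stored under `key` (default: the active state)."""
    raw = props.get(key)
    if raw is None:
        return {"mode": "unknown", "data_functions": [], "unrecognized": []}
    funcs = [f.strip() for f in raw.split(",")]
    active = [f for f in funcs if f not in CHARGE_ONLY]
    data = sorted(f for f in active if f in DATA_FUNCTIONS)
    unknown = sorted(f for f in active if f not in DATA_FUNCTIONS)
    if not active:
        mode = "charge-only"
    elif data:
        mode = "data-exposed"
    else:
        mode = "review"  # unfamiliar function name: not proven charge-only
    return {"mode": mode, "data_functions": data, "unrecognized": unknown}


if __name__ == "__main__":
    print(usb_exposure(parse_getprop(SAMPLE_GETPROP)))
```

A device that reports `mass_storage`, `mtp` or `adb` as active while it is only supposed to be charging is the case the paragraph above warns about.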
Risks to your devices and data from juice jacking
Here are the two risks to consider.
When a device is plugged into the public USB port, a cybercriminal could have compromised that port and enabled malware to infect your plugged-in device. This could potentially allow someone to steal the data on your mobile device.
Using a crawler program on your device, a cybercriminal could then search for personally identifiable information, account credentials, and financial information.
If the perpetrator can transfer that data onto their device, it might be enough personal information to impersonate you or access your financial accounts.
Cybercriminals may use a malware app to clone your phone data and transfer it back to their own device. Other malware may help them gather data such as your GPS location, purchases, social media interactions, photos, and call logs.
Some types of malware include adware, cryptominers, spyware, Trojans, or ransomware. Once your device is frozen or encrypted with one of these types of malware, the cyber-thief may demand payment to restore the information.
History of juice jacking
The term juice jacking was first coined in 2011 after researchers created a compromised charging kiosk to bring awareness to the problem. When people plugged in their phones, they received a security warning and learned their phones had paired to the kiosk.
In another proof-of-concept example highlighting the risk of juice jacking, security experts at the 2013 Black Hat security conference presented a malicious USB wall charger, called Mactans, that could deploy malware on iOS devices.
More recently, the Los Angeles County District Attorney’s Office published an advisory in November 2019 that warned travelers about USB charger scams, or juice jacking.
But while juice jacking is a real security threat, thus far there has been little evidence that it has become a widespread problem. Apple and Google have also added safety features to iOS and Android operating systems to help prevent juice jacking.
How to help protect yourself against juice jacking
These tips can help you keep your smart devices safe.
Avoid public charging stations or portable wall chargers
What’s one way to avoid public charging stations? Plan ahead. It’s a good idea to get in the habit of charging your phone at work, in the car, or at home, when you’re not using it.
If you must charge your phone, use a wall outlet
Data can't transfer between your device and a regular AC wall outlet. So if you're in public and desperately need a charge, consider using a wall socket. And if you're traveling, make sure you have the correct adaptor before heading out on your trip.
Use software security measures
Always lock your phone so it can't pair with a connected device. You can also power down the phone before charging it, but the USB port may still connect to the flash storage in the device. If your iOS device is jailbroken, you can disable pairing entirely.
Choose a different method to charge your phone
Options can include external batteries, wireless charging stations, or power banks: devices you can charge at home and use to power your device on the go. Power banks are typically small, flat, and lightweight enough to take with you.
Use USB pass-through devices
These adapters allow power to flow through but disable the data pin on the USB charger. That means the device charges, but data won't transfer.
Your best defense against juice jacking is understanding the risks. Keep your device charged at all times, tote a backup power bank, enable any security features on your device provided by the manufacturer, and consider using a USB pass-through device.