
What is juice jacking? Think twice before using public USB ports

If you're stuck somewhere with a dying smartphone battery, you may not think twice about plugging in at the nearest USB charging station.

Not so fast. Warnings of juice jacking may cause you to reconsider.

It could be that someone has loaded malware on the USB port or the USB cable attached to one of these public charging stations. While your phone is charging, the perpetrator might be able to infect your device with a virus or malware that could track your keystrokes or even steal your data. That’s juice jacking.

Juice jacking does not yet appear to be a widespread threat, but it’s still a good idea to understand your risks and alternatives before giving your battery a boost at public charging stations like those at airports or hotels.

How juice jacking works

Whether you have an iPhone, BlackBerry, or an Android device, smartphones have one thing in common: The power supply and the data stream pass through the same cable.

This could spell trouble. When your phone connects to another device, it pairs to that device and establishes a trusted relationship. That means the devices can share information. So during the charging process, the USB cord opens a pathway into your device that a cybercriminal may be able to exploit.

On most phones, the data transfer is disabled by default (except on devices running older Android versions), and the connection is only visible on the end that provides the power.

For instance, when you plug your phone into your computer, a message on the computer may ask whether to trust the device.

In the case of juice jacking, the device owner won't see what the USB port connects to. So when you plug in the phone, if someone's checking on the other end, they may be able to move data between your device and theirs.

Risks to your devices and data from juice jacking

Here are the two risks to consider.

Data theft

When a device is plugged into the public USB port, a cybercriminal could have compromised that port and enabled malware to infect your plugged-in device. This could potentially allow someone to steal the data on your mobile device.

Using a crawler program on your device, a cybercriminal could then search for personally identifiable information, account credentials, and financial information.

If the perpetrator can transfer that data onto their device, it might be enough personal information to impersonate you or access your financial accounts.

Malware installation

Cybercriminals may use a malware app to clone your phone data and transfer it back to their own device. Other malware may help them gather data such as your GPS location, purchases, social media interactions, photos, and call logs.

Some types of malware include adware, cryptominers, spyware, Trojans, or ransomware. Once your device is frozen or encrypted with one of these types of malware, the cyber-thief may demand payment to restore the information.

History of juice jacking

The term juice jacking was first coined in 2011 after researchers created a compromised charging kiosk to bring awareness to the problem. When people plugged in their phones, they received a security warning and learned their phones had paired to the kiosk.

In another proof-of-concept example highlighting the risk of juice jacking, security experts at the 2013 Black Hat security conference presented a malicious USB wall charger, called Mactans, that could deploy malware on iOS devices.

More recently, the Los Angeles County District Attorney’s Office published an advisory in November 2019 that warned travelers about USB charger scams, or juice jacking.

But while juice jacking is a real security threat, thus far there has been little evidence that it has become a widespread problem. Apple and Google have also added safety features to iOS and Android operating systems to help prevent juice jacking.

How to help protect yourself against juice jacking

These tips can help you keep your smart devices safe.

Avoid public charging stations or portable wall chargers

What’s one way to avoid public charging stations? Plan ahead. It’s a good idea to get in the habit of charging your phone at work, in the car, or at home, when you’re not using it.

If you must charge your phone, use a wall outlet

Data can't transfer between your device and a regular AC wall outlet. So if you're in public and desperately need a charge, consider using a wall socket. And if you're traveling, make sure you have the correct adaptor before heading out on your trip.

Use software security measures

Always lock your phone so it can't pair with a connected device. You can also power down the phone before charging it, but the USB port may still connect to the flash storage in the device. If your iOS device is jailbroken, you can disable pairing entirely.

Choose a different method to charge your phone

Options can include external batteries, wireless charging stations, or power banks — devices you can charge at home and power your device on the go. Power banks are typically small, flat, and lightweight enough to take with you.

Use USB pass-through devices

These adapters allow power to flow through but disable the data pin on the USB charger. That means the device charges, but data won't transfer.
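One way to confirm that such an adapter really blocks data is to plug your own phone through it into a Linux computer you control and check whether a new USB device enumerates. The sketch below is an added example, not part of the original article; it assumes the standard Linux sysfs layout under /sys/bus/usb/devices, the function names are hypothetical, and the sample tree it builds is constructed test data.

```python
import tempfile
from pathlib import Path

# Standard USB interface class codes (bInterfaceClass) a phone may expose.
USB_CLASSES = {"03": "HID", "06": "still image (PTP)",
               "08": "mass storage", "ff": "vendor specific"}

def _read(path):
    return path.read_text().strip() if path.is_file() else ""

def snapshot(root="/sys/bus/usb/devices"):
    """Map each enumerated USB device to its IDs and interface classes."""
    root, devices = Path(root), {}
    names = sorted(p.name for p in root.iterdir())
    for name in names:
        dev = root / name
        if ":" in name or not (dev / "idVendor").is_file():
            continue  # entries containing ':' are interfaces, not devices
        codes = sorted({_read(root / n / "bInterfaceClass")
                        for n in names if n.startswith(name + ":")})
        devices[name] = {
            "id": _read(dev / "idVendor") + ":" + _read(dev / "idProduct"),
            "product": _read(dev / "product"),
            "classes": [USB_CLASSES.get(c, c) for c in codes]}
    return devices

def newly_enumerated(before, after):
    """Devices present only in the second snapshot; empty means no data link."""
    return {k: v for k, v in after.items() if k not in before}

def build_constructed_tree(root, with_phone):
    """Write a constructed sysfs-like tree (sample data, not a real capture)."""
    def put(entry, **files):
        (Path(root) / entry).mkdir(exist_ok=True)
        for fname, value in files.items():
            (Path(root) / entry / fname).write_text(value + "\n")
    put("usb1", idVendor="0000", idProduct="0000", product="Constructed root hub")
    if with_phone:  # what a phone on a full data cable would add
        put("1-1", idVendor="0000", idProduct="0001", product="Constructed phone")
        put("1-1:1.0", bInterfaceClass="06")
        put("1-1:1.1", bInterfaceClass="ff")

def demo(with_phone):
    # Snapshot before and after "plugging in", using the constructed tree.
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_tree(tmp, with_phone=False)
        before = snapshot(tmp)
        build_constructed_tree(tmp, with_phone=with_phone)
        return newly_enumerated(before, snapshot(tmp))
```

On a real machine, call snapshot() with its default path before and after plugging in. An empty result from newly_enumerated() while the phone still shows it is charging means the adapter passes power only.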

Bottom line

Your best defense against juice jacking is understanding the risks. Keep your device charged at all times, tote a backup power bank, enable any security features on your device provided by the manufacturer, and consider using a USB pass-through device.



Editorial note: Our articles provide educational information for you. NortonLifeLock offerings may not cover or protect against every type of crime, fraud, or threat we write about. Our goal is to increase awareness about cyber safety. Please review complete Terms during enrollment or setup. Remember that no one can prevent all identity theft or cybercrime, and that LifeLock does not monitor all transactions at all businesses.

Copyright © 2020 NortonLifeLock Inc. All rights reserved.