Juice jacking | How hackers target smartphones tethered to public charging points

The term “juice jacking” refers to a form of cyberattack where a public USB charging port is tampered with and infected using hardware and software changes to steal data or install malware on devices connected to it

June 30, 2023 03:32 pm | Updated 03:32 pm IST

To perform the attack, hackers infect USB ports or charging cables in public areas before the users connect to them.

To perform the attack, hackers infect USB ports or charging cables in public areas before the users connect to them. | Photo Credit: Siva Saravanan S

Juice jacking or infecting devices tethered to public charging stations has been around for some time. U.S. law enforcement agency FBI and the Federal Communications Commission (FCC) have issued warnings detailing the risks posed by such attacks. This form of attack is used to target devices being charged at USB charging stations in public spaces. In May 2023, the FBI in a tweet advised users to avoid using free charging stations in airports, hotels, or shopping centers. The warning comes as threat actors have figured out ways to inject malware into devices attached to publicly installed USB ports.

What is juice jacking?

The term “juice jacking” was first coined in 2011 by investigative journalist Brian Krebs. It is a form of cyberattack where a public USB charging port is tampered with and infected using hardware and software changes to steal data or install malware on devices connected to it. The attack is used by hackers to steal users’ passwords, credit card information, addresses, and other sensitive data stored on the targeted device.

Juice jacking attacks can take place in any public place with portable wall chargers, or public USB charging stations found in shopping malls, cafes, and hotels.

How does juice jacking work?

To perform the attack, hackers infect USB ports or charging cables in public areas before the users connect to them. Most attacks target both Android and iOS mobile devices, with older devices being particularly vulnerable due to their outdated software. USB ports have multiple pins, but only one pin is used for charging while the other pins are used for data transfers. When users connect their devices to compromised USB ports, hackers use the connection to hack into mobile devices and steal personal data or deliver malware.

(For top technology news of the day, subscribe to our tech newsletter Today’s Cache)

Juice jacking attacks also target laptop USB ports, which are similarly capable of transferring data.

What are the types of juice jacking attacks?

Juice-jacking attacks can vary in their impact, even though the method remains the same. The different attack forms include data theft, malware installation, disabling attack, and multi-device attack.

In a data theft attack, hackers use juice-jacking to steal data from a device. The process is typically fully automated, and hackers often use crawlers to search the mobile device for personally identifiable information. Hackers may also use malicious apps to clone a device’s data to another phone. However, cloning requires additional steps, such as a laptop as an intermediary to charge the targeted device.

In a malware attack, hackers use charging ports to install malware or viruses on connected devices, which are then used to perform ransomware, spyware, or trojan attacks.

Meanwhile, in a multi-device attack, threat actors use the connected device to spread malware to other devices it may connect to in the future.

In a disabling attack, hackers use juice jacking to lock owners out of their devices so that the user can’t access them anymore.

How common are juice jacking attacks?

While not the most prevalent attack today, authorities have repeatedly warned against the use of untrusted free charging stations in airports, hotels, and shopping centres. Contrary to government communications, a vast majority of cybersecurity experts do not believe juice jacking to be a threat unless users are a target of nation-state hackers, with no documented cases being reported in the wild, according to a report from Ars Technica.

However, the lack of documented cases does not necessarily indicate users cannot fall prey to such an attack, and caution is still advised when connecting personal devices with sensitive user information using standard cables.

How can users protect their devices against juice-jacking attacks?

Modern Android and iOS devices disable transfer capabilities when plugged into a USB charging port. Users may see a prompt asking them to “trust” the connected device. Trusting the host device enables data transfers; therefore, users should only grant access to known devices. However, this may not be foolproof as public charging stations can silently enable data transfer once a device is connected.

Users should disable the option to automatically transfer data when a charging cable is connected to the device. The option is disabled by default in iOS; however, Android users may have to disable this in the settings.

Users can also turn off their devices before connecting to an untrusted charging port. Additionally, users can use AC power outlets, carry external power banks, and consider using a charging-only cable while travelling to ensure security.

Top News Today

Sign in to unlock member-only benefits!
  • Access 10 free stories every month
  • Save stories to read later
  • Access to comment on every story
  • Sign-up/manage your newsletter subscriptions with a single click
  • Get notified by email for early access to discounts & offers on our products
Sign in

Comments

Comments have to be in English, and in full sentences. They cannot be abusive or personal. Please abide by our community guidelines for posting your comments.

We have migrated to a new commenting platform. If you are already a registered user of The Hindu and logged in, you may continue to engage with our articles. If you do not have an account please register and login to post comments. Users can access their older comments by logging into their accounts on Vuukle.