Juice jacking is a theoretical type of compromise of devices like smartphones and tablets that use the same cable for charging and data transfer, typically a USB cable. The goal of the attack is to either install malware on the device or to surreptitiously copy potentially sensitive data.
Juice jacking is not possible if a device is charged via a trusted AC adapter or battery backup device, or if using a USB cable with only power wires. For USB cables with data wires, a USB data blocker (sometimes called a USB condom) can be connected between the device and the charging port to disallow a data connection.
Understanding the concept of juice jacking
Juice jacking is a security exploit in which an infected USB charging station is used to compromise devices that connect to it. The exploit takes advantage of the fact that a mobile device’s power supply passes over the same USB cable the connected device uses to sync data.
This type of attack exploits security threats at airports, shopping malls and other public places that provide free charging stations for mobile devices. While the risk of becoming the victim of a juice-jacking exploit is low, the attack vector is real and is often compared to ATM card skimming exploits from years past.
Both juice jacking and card skimming rely on the end user feeling confident that the compromised hardware is safe to use.
How juice jacking works
When you charge your phone through the USB port of your computer or laptop, this also opens up the option to move files back and forth between the two systems. That’s because a USB port is not simply a power socket. A regular USB connector has five pins, where only one is needed to charge the receiving end. Two of the others are used by default for data transfers.
Unless you have made changes in your settings, the data transfer mode is disabled by default, except on devices running older Android versions. The connection is only visible on the end that provides the power, which in the case of juice jacking is typically not the device owner. That means, anytime a user connects to a USB port for a charge, they could also be opening up a pathway to move data between devices. Hackers can use this to steal data or install malware.
Juice jacking is a hardware-focused man-in-the-middle attack. The attacker uses a USB connection to load malware directly onto the charging station or to infect a connection cable and leave it plugged in, hoping an unsuspecting person comes along and uses the “forgotten” cable.
USB ports and phone charging cables are the most common devices used in juice jacking attacks. Other less common devices may include USB ports in video arcade consoles and portable battery power banks.
Juice jacking history
Juice jacking emerged at the DEF CON hacking conference in August 2011. Conference attendees were offered free charging stations for their mobile devices. When they plugged them in, a message appeared warning them not to trust convenient but suspicious offers of free charging because the devices could be loaded with malicious code.
In response to juice jacking, Apple and Android updated their devices to warn users whenever they charge and to allow users to choose whether to trust the charging port, power bank or other charging process. If users choose the untrusted device option, their devices only charge and do not allow data transfer.
Types of juice jacking
There are two ways juice jacking could work:
Malware installation
The first type of juice-jacking attack would involve installing malware onto a user’s device through the same USB connection. If threat actors were to steal data through malware installed on a mobile device, it wouldn’t happen upon USB connection but instead take place over time. This way, hackers could gather more and varied data, such as GPS locations, purchases made, social media interactions, photos, call logs, and other ongoing processes.
There are many categories of malware that cybercriminals could install through juice jacking, including adware, cryptominers, ransomware, spyware, or Trojans. In fact, Android malware nowadays is as versatile as malware aimed at Windows systems.
While cryptominers mine a mobile phone’s CPU/GPU for cryptocurrency and drain its battery, ransomware freezes devices or encrypts files for ransom. Spyware allows for long-term monitoring and tracking of a target, and Trojans can hide in the background and serve up any number of other infections at will.
Many of today’s malware families are designed to hide from sight, so it’s possible users could be infected for a long time and not know it. Symptoms of a mobile phone infection include a quickly-draining battery life, random icons appearing on your screen of apps you didn’t download, advertisements popping up in browsers or notification centers, or an unusually large cell phone bill. But sometimes infections leave no trace at all, which means prevention is all the more important.
Data theft
In the second type of juice-jacking attack, cybercriminals could steal any and all data from mobile devices connected to charging stations through their USB ports. But no hoodie-wearing hacker is sitting behind the controls of the kiosk. So how would they get all your data from your phone to the charging station to their own servers? And if you charge for only a couple of minutes, does that save you from losing everything?
Make no mistake, data theft can be fully automated. A cybercriminal could breach an unsecured kiosk using malware, and then drop an additional payload that steals information from connected devices. Some crawlers can search your phone for personally identifiable information (PII), account credentials, and banking-related or credit card data in seconds. Many malicious apps can clone all of one phone’s data to another phone, using a Windows or Mac computer as a middleman.
So, if that’s what hiding on the other end of the USB port, a threat actor could get all they need to impersonate you.
Cybercriminals are not necessarily targeting specific, high-profile users for data theft, either—though a threat actor would be extremely happy (and lucky) to fool a potential executive or government target into using a rigged charging station. However, the chances of that happening are rather slim. Instead, hackers know that our mobile devices store a lot of PII, which can be sold on the dark web for profit or re-used in social engineering campaigns.
How to prevent juice jacking
The first and most obvious way to avoid juice jacking is to stay away from public charging stations or portable wall chargers.
Don’t let the panic of an almost-drained battery get the best of you. If going without a phone is crazy talk and a battery charge is necessary to get you through the next leg of your travels, using a good old-fashioned AC socket (plug and outlet) will do the trick. No data transfer can take place while you charge—though it may be hard to find an empty outlet.
While traveling, make sure you have the correct adapter for the various power outlet systems along your route. Note there are 15 major types of electrical outlet plugs in use today around the globe.
Other non-USB options include external batteries, wireless charging stations, and power banks, which are devices that can be charged to hold enough power for several recharges of your phone. Depending on the type and brand of power bank, they can hold between two and eight full charges.
If you still want the option to connect via USB, USB condoms are adaptors that allow the power transfer but don’t connect the data transfer pins. You can attach them to your charging cable as an “always on” protection.
Using such a USB data blocker or “juice-jack defender” as they are sometimes called will always prevent accidental data exchange when your device is plugged into another device with a USB cable. This makes it a welcome travel companion, and will only set you back US$10–$20.
Checking your phone’s USB preference settings may help, but it’s not a foolproof solution. There have been cases where data transfers took place despite the “no data transfer” setting.
Can a virus spread through a charger?
No, chargers cannot be infected by viruses. There is no CPU or operating system inside a charger. There is no memory inside the charger where the virus can be saved. Think of a charger as a battery with infinite capacity.
Nothing is stopping an attacker from putting a powerline ethernet transceiver as well as a USB-enabled microcontroller into a USB charger. This would allow them to communicate with the charger in the hope of offloading some malware onto a smartphone plugged into that port. However, such a device would need to be highly specialized and specifically designed for this purpose.
There is simply no way that powerline ethernet could just magically transmit data over the USB data lines to a smartphone.
If you are at all afraid that something like this might be happening, some products exist specifically to prevent such a scenario. For example, SyncStop prevents accidental data exchange when your device is plugged into someone else’s computer or a public charging station. SyncStop achieves this by blocking the data pins on any USB cable and allowing only power to flow through. This minimizes opportunities to steal your data or install malware on your mobile device.
You could also cut the cable open and physically disconnect the D+ and D- pins (which is effectively what SyncStop does), and that will stop all communication.
What is iOS trust jacking?
Trustjacking is a bug present in the iOS Wi-Fi sync function. Hackers exploit this bug to gain access to a device. Whether you have an iPhone, iPad, or any other iOS device, you are potentially under threat of Trustjacking. Password protection doesn’t aid in preventing this issue.
A common misconception amongst people is that Trustjacking does not operate on remote access. However, once you show complete trust on a computer for your device, whenever you connect your device, it is under threat. There is no need for the hacker and victim to be in the same place.
Recommended Articles
- CIA Triad in Cybersecurity: What Is It & Why Is It Important?
- Managed Cybersecurity Services: All You Should Know
- What is Tailgating in Cybersecurity & How to Prevent It
- Free Cybersecurity Training & Certifications
- Air Gapped Computer: What Is It & How Do You Secure One?
- 11 Best iPhone Spy Apps For 2023
References
