Juice jacking attacks can lead to theft of your personal information and to malware infections. This blog post explains what juice jacking is and how to prevent it from happening to you.
Have you ever been out and about with your phone and desperately needed a charge because you forgot the charger at home? Probably. We've all been there. And stumbled across a public charging station and plugged your phone into one of its USB ports? Maybe. Many of us have. But did you know that you could have been the victim of a juice jacking attack when you did so? Probably not.
We tend to associate charging with electricity rather than data. But when you plug your phone into a USB port, it can technically transfer both power and data. And if it can transfer data, it can do things like exfiltrate your personal information and download compromised downloads with malware to your device.
This blog post explains what juice jacking is, how it works, and what you can do to avoid it.
The beginnings of juice jacking
Brian Krebs coined the term "juice jacking" in 2011 after he managed to demonstrate practical application of an attack on DEFCON. When users plugged their phones into a free (and compromised) charging station at a public kiosk, a message appeared on the kiosk's screen:
"Do not trust public kiosks. Information may be downloaded or retrieved without your consent. Luckily for you, this station has taken the ethical route and your data is safe. Enjoy the free charge!"
And that message illustrates the core of juice jacking. Through juice jacking, an actor can inject malicious code directly into malicious USB chargers (or the cable connected to the USB port), which is transferred to the mobile phone. This typically happens at public charging stations, which you can find in airports, shopping malls and coffee shops, among others.
Once your phone is plugged in and charging, the hacker can download your files and information or monitor your keystrokes on the device. They can also infect your phone by uploading a virus or malware to it, leading to all sorts of bad situations.
How does juice jacking work?
When you connect your phone to your computer via USB, it is typically mounted as an external drive and you can access and copy files to and from your phone. This is because, as mentioned above, your typical USB port is not just a power outlet, but also a data channel.
A typical USB port consists of five "pins", only one of which is used for charging. Two others are used for data transfer, and the remaining two are used as a connected device's presence indicator and ground, respectively.
Normally, the phone's operating system disables the data transfer options as soon as the phone is connected. You may have seen a prompt on your phone asking you to "trust" the computer you are connected to. Trusting the host computer enables data transfers. If you choose not to trust the host machine or ignore the prompt, data transfers will not be possible - unless you connect your phone to an infected public charging station
Infected USB ports, which can be called a "malicious charger", can silently activate data transfer modes on your phone when it is plugged in. You will not be prompted and you will have no indication that this is happening. Once you have unplugged your phone, you may have had your personal information stolen and your phone may well be infected with a virus or malware.
Types of juice jacking attacks
There are different types of juice jacking attacks.
We touched on this type of exploit above. One of the common goals of juice jacking attacks is to steal unsuspecting users' personal information. The actual theft of data will typically be fully automated and will happen very quickly. And given how intimate we are with our phones today, this can lead to compromised credit cards, bank accounts, email, health records, etc.
Once the hacker restores data transfer capabilities, it can flow either way. This means they will be able to upload malware or a virus to your phone. Once infected, your phone will be susceptible to all the damage associated with malware/virus infections: loss of data, loss of functionality, random network connections, slow performance, installation of malicious viruses, etc.
Attacks on multiple devices
A multi-device juice jacking attack is essentially the same as the malware/virus infection attack, in that the hacker infects your device with malware. The only difference is that the malware that was loaded on your phone is designed to infect the other USB charginglocation of the charging station. This scales up the attack and allows the hacker to compromise multiple devices simultaneously, increasing their exploit.
In a disabling attack, all phones are, well... disabled. Once a mobile is connected to the infected charging port, the hacker will load malware onto the phone, effectively disabling it for the legitimate user, while the hacker himself retains full control of the device. The same damage as above follows a disabling juice jacking attack with the added bonus that it can potentially be used as part of a DDoS attack.
Where are you most vulnerable to juice jacking attacks?
Anywhere there is a public USB charging station, there is a risk of falling victim to a juice jack attack. But the public places where these attacks are most prevalent are airports. And there are a few reasons why.
First, to maximise the return on their investment, hackers need a lot of potential targets. Airports are big transit areas, and so they're perfect for this kind of attack. Airports are also one of the places where many will feel it is crucial to have their mobile phone well charged, maximising the chances that they would connect their device to malicious chargers.
Add to this the fact that airports are often stressful and time-pressured environments, which tend to encourage quick decisions - such as ignoring good advice and plugging your phone into a public charging point.
That said, all public charging stations are a safety hazard.
Which devices are vulnerable to juice jacking attacks?
Most juice jacking attacks end up happening on mobile phones. But that doesn't mean mobile phones are more vulnerable to juice jacking attacks than other devices. This is simply because they are the most used mobile device and therefore the device most likely to need a charge on the move.
But any device that charges via USB is vulnerable. That means mobile phones and tablets, but also smartwatches, fitness bands and even laptops (if they support USB charging - and many do).
How to engage in juice jacking
Avoid public charging stations
The first and most foolproof way to avoid juice jacking attacks is simply not to use public chargers. If your phone runs out of power, bite the bullet and stay phone-less until you can charge it safely. It can be annoying, but you're guaranteed success with this method!
Enable and use your device's software security measures
Mobile devices come with some technical protections against juice jacking and other security threats. If you must use a public charging station, use your phone's security features:
Disable your device's ability to automatically transfer data when a charging cable is plugged in. This is standard on an iOS device and part of Apple's existing security mechanisms. Android users should disable this option in the "Settings" app.
Lock your device when it is connected to the charging cradle. This prevents it from being able to sync or transfer your phone's data.
If your device displays a prompt asking you to "trust this computer", it means you have connected another device, not just a power outlet. Reject the permission, as trusting the computer will enable data transfers to and from your device. This last point may not be foolproof, but it's still better than actively allowing data transfers.
Turn off your phone before charging it. However, many mobile phones turn on automatically when they are plugged in. If your mobile phone does not switch on automatically when it is plugged in, this is an effective protection.
Use a power outlet, USB battery or backup battery
Instead of having no plan B and having to use a charging station, unleash your inner MacGyver and have a backup.
- Carry a spare charger and cable with you, and find an outlet to charge your device if necessary.
- Carry a USB battery with you. These are cheap, readily available, and many of them can recharge your device multiple times.
- Carry a backup battery. If your device has a removable battery, simply replace it with a fully charged one when needed.
All of the above options are better than using public charging stations and will prevent you from falling victim to a juice-jack attack.
Use a USB passthrough device
USB passthrough devices are small devices that look like a USB flash drive. You insert your USB cable into the passthrough device and it prevents data from being transmitted over that cable. It does this by disabling the data pins in the USB cable.
USB passthrough devices are agreat way to protect yourself from attack. They are cheap, work well and are readily available in electronics stores (mainly online).
Alternatively, you can use a USB charging cable that only allows charging, which blocks potential data transfers by either disabling or not including the data transfer pins in the USB connector. These cables provide the same protection as USB passthrough devices.
Although juice jacking is not a particularly prevalent threat today, the number of occurrences can only grow and normalize the very real security risk as our smartphone addiction culture evolves. Hopefully this blog post has helped you better understand and reduce the risk of juice jacking and, with any luck, avoid it altogether.
Sofie Meyer is a copywriter and phishing aficionado here at Moxso. She has a master´s degree in Danish and a great interest in cybercrime, which resulted in a master thesis project on phishing.