FBI Issues Warning About ‘Juice Jacking’ at Public USB Charging Stations

smartphone public charging station

The FBI’s Denver office is cautioning consumers about using free public charging stations, saying bad actors can use the USB ports at the juice stops to introduce malware and monitoring software onto devices.

“Carry your own charger and USB cord and use an electrical outlet instead,” the agency recommended in a recent tweet.

“Juice jacking” has been around for a decade, although no one knows how widespread the practice has become.

“There’s been a lot of talk about it being in the public, but not a lot caught in the public,” observed Brian Markus, CEO of Aries Security, a security research and education company in Wilmington, Del. Markus, and colleague Robert Rowley first demonstrated juice jacking in 2012.

“Juice jacking chargers are like ATM skimmers,” Markus told TechNewsWorld. “You hear a lot about them but don’t necessarily see them.”

He explained that someone who wants to tamper with a legitimate power charging station could change the station’s cable to a doctored cable, which contains the chip that can install a Remote Access Trojan, or backdoor, on a phone. Then the phone can be attacked at any point in time over the internet.

“It’s especially prevalent with Android phones running older versions of the operating system,” Markus said. “That’s why it’s important for users to keep their devices updated.”

Divergent Opinions

There seem to be conflicting opinions in the security community about how significant a threat juice jacking is to consumers.

“It’s not very common in general because using a remote charging facility is not something people do very often,” observed Bud Broomhead, CEO of Viakoo, a developer of cyber and physical security software solutions in Mountain View, Calif.

“However, if someone is a user of a charging system outside of their control, the warning issued by the FBI should cause them to change their behavior, as cases are on the rise,” he told TechNewsWorld.

Aviram Jenik, president of Apona Security, a source code security company in Roseville, Calif., maintained that juice jacking is “extremely common.”

“We don’t have numbers because the devices tend to be in places where people don’t stay long, so it’s easy to place a rogue device and then take it back,” he told TechNewsWorld.

“It’s been done for years now, and the appearance of malware-infected charging stations is almost regular,” he added.

“As charging becomes more and more sophisticated — meaning, data travels on the same cables that carry a charge — this will get worse,” he said. “When the target is of higher value — for example, an EV versus a mobile phone — the stakes will be higher.”

Jenik added that another future development would be wireless charging, which would allow attackers to perform an attack without anyone seeing the physical device used for the breach.

Two-Way Comm Problem

Juice jacking is probably more likely to occur in areas frequented by persons of interest — politicians or intelligence agency workers, asserted Andrew Barratt, managing principal for solutions and investigations at Coalfire, a Westminster, Colo.-based provider of cybersecurity advisory services.

“For a juice jacking attack to be effective, it would have to deliver a very sophisticated payload that can bypass common phone security measures,” he told TechNewsWorld.

“Frankly,” he continued, “I’d be more worried about the outlets being so heavily used that they’ll damage my cord or the socket on the phone.”

Juice jacking exploits USB technology for malicious purposes. “The problem is that USB ports allow two-way communication, not just for power charging, but also data transmission. It’s how your USB device can send pictures and other data when you plug it in,” explained Roger Grimes, a defense evangelist at KnowBe4, a security awareness training provider in Clearwater, Fla.

“The USB port was never designed to prevent advanced malicious commands sent over the data channel,” he told TechNewsWorld. “There have been many security improvements to the USB port over the years, but there are still additional avenues of attack, and most USB-enabled devices allow the charging port to declare itself an old version of the USB port standard, so some of the newer protection features are no longer available.”

Will EVs Be Next?

J.T. Keating, senior vice president of strategic initiatives at Zimperium, a provider of mobile security solutions in Dallas, cautioned consumers to be wary of free solutions billing themselves as “public” services.

“When hackers trick people into using their fake Wi-Fi networks and power stations, they can compromise devices, install malware and spyware and steal data,” he told TechNewsWorld.

“This trend will continue and evolve as more and more people connect to EV charging stations for their electric vehicles,” he continued. “By compromising an EV charging station, attackers can cause havoc by stealing payment information or by doing a variation of ransomware by disabling the stations and preventing charging.”

Coalfire’s Barratt noted that EV charging stations have been a concern for a while, but the issues have been stealing charges or getting free use of the stations.

“Longer term,” he said, “I suspect there is a concern that we will continue to see more attacks against these chargers as the world transitions to EV chargers.”

“When we had public payphones, there were attacks against them,” he continued. “There are attacks regularly against ATMs and gas pumps. Anything where value is dispensable in an unattended environment, there is a payoff potential for a cyber-enabled thief to leverage.”

Avoid Becoming a Victim of Juice Jacking

Since Markus and Rowley introduced the world to juice jacking, conditions have improved for attackers. Wireless connectivity has been added to charging ports, for example.

“When we first did this, we had an entire laptop hidden in the charging station, and it was doing a lot of work,” Markus noted. “The amount of compute power to do the same thing now is significantly less.”

The FBI isn’t the only alphabet agency to sound the alarm about juice jacking. The FCC, in the past, has also warned consumers about the practice. To avoid becoming a victim of juice jackers, it recommends:

  • Avoid using a USB charging station. Use an AC power outlet instead.
  • When traveling, bring your own AC, car chargers, and USB cables.
  • Carry a portable charger or external battery.
  • Consider carrying a charging-only cable, which prevents data from sending or receiving while charging, from a trusted supplier.
John P. Mello Jr.

John P. Mello Jr. has been an ECT News Network reporter since 2003. His areas of focus include cybersecurity, IT issues, privacy, e-commerce, social media, artificial intelligence, big data and consumer electronics. He has written and edited for numerous publications, including the Boston Business Journal, the Boston Phoenix, Megapixel.Net and Government Security News. Email John.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by John P. Mello Jr.
More in Malware

Technewsworld Channels