The Los Angeles County District Attorney’s Office stirred up some cybersecurity discussion this past week by issuing a warning about “juice jacking,” or the possibility of public USB charging stations being used to skim data and deliver malware payloads.
While there are a number of theoretical attacks of this nature that make sense on paper, extremely few have actually been observed in the wild. “Juice jacking” attacks have been more the province of presentations at cybersecurity conferences to date, leading some security professionals to wonder why the LA DA’s office felt the need to issue this particular warning. In response, the DA’s office cited some unspecified cases pending in East Coast cities.
Regardless of the present likelihood of encountering these attacks in public, they make for interesting food for thought as it is very possible to execute them and many of them require a relatively low level of sophistication. Potential threats include loading malware to connected devices, copying the contents of the flash memory storage or logging credentials and keypresses while connected.
The state of juice jacking
The concept of “juice jacking” has been around since at least 2011, when a proof of concept was demonstrated at the annual DEF CON security conference in Las Vegas. The public USB charging stations invited attendees to charge their phones, and then flashed a warning about data capture when anyone plugged electronic devices into it (and also earned them a place on the conference’s infamous “Wall of Sheep”). An updated version at the 2016 conference would project the victim’s device screen onto a large public display.
More theoretical attacks and proof of concepts have been developed and presented at conferences since then. A project called Mactans included instructions for building a malicious wall charger able to surreptitiously exploit Apple iOS devices, for example, and a project called KeySweeper embedded a passive sniffer able to record Microsoft wireless keyboard data. The juice jacking concept also enjoyed a flare-up of public attention in 2015 when an episode of popular crime drama CSI portrayed public USB charging stations stealing credit card information from unsuspecting users.
The attack type has mostly remained in the world of the theoretical, however. The LA DA’s office admits that they have not seen any actual cases of this happening in their jurisdiction, and it’s extremely difficult to find any reports of this actually happening in any public area.
Juice jacking is not the most appealing attack type due to several inherent limitations. Most public charging systems are wall-mounted and/or hard-wired, as well as possibly having anti-theft tamper resistance measures, making it difficult for a criminal to modify them. Deployment of a bogus charging kiosk at a public power outlet is a possibility, but unless the criminal screws it into a wall or surface they run the risk of a less-sophisticated criminal coming along and simply pocketing it.
Additionally, most modern devices have on-by-default security measures that would thwart juice jacking attempts. For example, Android and Apple devices manufactured in the past few years usually require users to manually approve data transfer privileges every time the device is connected to USB ports.
Criminals looking to skim data in public would have an easier time and likely get more mileage by deploying a “honeypot” WiFi hotspot. These devices are highly portable, can be powered with a battery and easily concealed in a public place. Given the relative ease and high success rate of these attacks, one can see why criminals rarely bother with hardware-based attacks on USB charging stations.
Is it safe to use public USB charging stations?
There is no evidence at present that there is any kind of a rash of attacks on public USB charging stations, or even any novel exploits of this nature. While appropriate precautions should be taken, such as ensuring that devices not set to automatically share data when connected to a charging port, most hard-wired and wall- or fixture-mounted USB charging stations are probably safe to use.
Unfortunately, technology and science reporting in mainstream newspapers and magazines tends to get carried away with intriguing-sounding official announcements such as these and doesn’t necessarily do the most rigorous job of fact-checking (as a number of security researchers have pointed out in recent days). Nevertheless, there are some realistic phone charging attack possibilities that should be accounted for.
For example, a more realistic threat type is a USB cable or phone charger strategically left in public as if forgotten. This is a variant on “found” USB devices loaded with malware that deploys when plugged into a device; microcontrollers are now small enough that they can be embedded into a cable. This attack type is likely too costly for someone to deploy at random, but might be used in a highly targeted situation.
If you’re still concerned about being on the receiving end of a juice jacking attack, you can always stick to AC power outlets and possibly pack out an extra battery or two. A personal AC-to-USB converter is of course an option that will provide a free charge anywhere a power outlet is available, and it is possible to purchase batteries that can be charged separately via their own USB-connected mount for some devices. A portable solar-powered USB charger is also an outside-the-box alternative to public USB charging stations if you plan to be outside for extended periods.
“USB condoms” and a special type of no-data charge cable are also a security option if you really need to use public USB charging stations, but be aware that these devices will usually charge much more slowly than usual if they block the data channels (which are also used to conduct power while charging). These devices also tend to only be available for USB 2 connections; it may be difficult to find one made for USB 3.