Harried traveler beware: those dangling chords from a free charge kiosk at an airport or other public area that seem like a lifesaver could actually be a bed of serpents, authorities warn.
“Avoid using free charging stations in airports, hotels or shopping centers. Bad actors have figured out ways to use public USB ports to introduce malware and monitoring software onto devices,” the FBI’s Denver field office recently tweeted. “Carry your own charger and USB cord and use an electrical outlet instead.”
The phenomena known as “juice jacking” is not new, nor was the FBI the first agency to try to put out the word.
“Be aware that juicing up your electronic device at free USB port charging stations … could have unfortunate consequences. You could become a victim of ‘juice jacking,’ a new cyber-theft tactic,” the Federal Communications Commission warned in an October 2021 bulletin.
The trick is that the design of smartphones uses the same port for charging as it does for data transfer — as shown when you plug your phone into your computer for a charge and a notice pops up on the desktop asking if you want to transfer files.
“That means, anytime a user connects to a USB port for a charge, they could also be opening up a pathway to move data between devices—a capability threat actors could abuse to steal data or install malware,” explains antivirus software vendor Malwarebytes Labs in a 2019 post.
Thankfully, Malwarebytes says the threat doesn’t seem to show up in the wild often — at least not at the time of the company’s posting. But the concept was proven at DEF CON, the hacker convention held annually in Las Vegas, in 2011 by the group Wall of Sheep.
Wall of Sheep wrote in a post on their demonstration that the vulnerability is the phone’s USB port and the exposure is a user’s awareness of the possible attack. “When these two factors come together, the unsuspecting user plugs their phone into a malicious system, the attack is able to take place.”
Thankfully, the group writes, “there is no reason to presume the kiosks filling airports and other public places are inherently malicious. It is important for the public to know that the threat exists, which is why it’s a concern and a defense should be put in place.”
Leave a Reply