KrebsOnSecurity received a nice bump in traffic this week thanks to tweets from the Federal Bureau of Investigation (FBI) and the Federal Communications Commission (FCC) about “juice jacking,” a term first coined here in 2011 to describe a potential threat of data theft when one plugs their mobile device into a public charging kiosk. It remains unclear what may have prompted the alerts, but the good news is that there are some fairly basic things you can do to avoid having to worry about juice jacking.
On April 6, 2023, the FBI’s Denver office issued a warning about juice jacking in a tweet.
“Avoid using free charging stations in airports, hotels or shopping centers,” the FBI’s Denver office warned. “Bad actors have figured out ways to use public USB ports to introduce malware and monitoring software onto devices. Carry your own charger and USB cord and use an electrical outlet instead.”
Five days later, the Federal Communications Commission (FCC) issued a similar warning. “Think twice before using public charging stations,” the FCC tweeted. “Hackers could be waiting to gain access to your personal information by installing malware and monitoring software to your devices. This scam is referred to as juice jacking.”
The FCC tweet also provided a link to the agency’s awareness page on juice jacking, which was originally published in advance of the Thanksgiving Holiday in 2019 but was updated in 2021 and then again shortly after the FBI’s tweet was picked up by the news media. The alerts were so broadly and breathlessly covered in the press that a mention of juice jacking even made it into this week’s Late Late Show with James Corden.
The term juice jacking crept into the collective paranoia of gadget geeks in the summer of 2011, thanks to the headline for a story here about researchers at the DEFCON hacker convention in Vegas who’d set up a mobile charging station designed to educate the unwary to the reality that many mobile devices connected to a computer would sync their data by default.
Since then, Apple, Google and other mobile device makers have changed the way their hardware and software works so that their devices no longer automatically sync data when one plugs them into a computer with a USB charging cable. Instead, users are presented with a prompt asking if they wish to trust a connected computer before any data transfer can take place.
On the other hand, the technology needed to conduct a sneaky juice jacking attack has become far more miniaturized, accessible and cheap. And there are now several products anyone can buy that are custom-built to enable juice jacking attacks.
Probably the best known example is the OMG cable, a $180 hacking device made for professional penetration testers that looks more or less like an Apple or generic USB charging cable. But inside the OMG cable is a tiny memory chip and a Wi-Fi transmitter that creates a Wi-Fi hotspot, to which the attacker can remotely connect using a smartphone app and run commands on the device.
Brian Markus is co-founder of Aries Security, and one of the researchers who originally showcased the threat from juice jacking at the 2011 DEFCON. Markus said he isn’t aware of any public accounts of juice jacking kiosks being found in the wild, and said he’s unsure what prompted the recent FBI alert.
But Markus said juice jacking is still a risk because it is far easier and cheaper these days for would-be attackers to source and build the necessary equipment.
“Since then, the technology and components have become much smaller and very easy to build, which puts this in the hands of less sophisticated threat actors,” Markus said. “Also, you can now buy all this stuff over the counter. I think the risk is possibly higher now than it was a decade ago, because a much larger population of people can now pull this off easily.”
How seriously should we take the recent FBI warning? An investigation by the myth-busting site Snopes suggests the FBI tweet was just a public service announcement based on a dated advisory. Snopes reached out to both the FBI and the FCC to request data about how widespread the threat of juice jacking is in 2023.
“The FBI replied that its tweet was a ‘standard PSA-type post’ that stemmed from the FCC warning,” Snopes reported. “An FCC spokesperson told Snopes that the commission wanted to make sure that their advisory on “juice-jacking,” first issued in 2019 and later updated in 2021, was up-to-date so as to ensure ‘the consumers have the most up-to-date information.’ The official, who requested anonymity, added that they had not seen any rise in instances of consumer complaints about juice-jacking.”
What can you do to avoid juice jacking? Bring your own gear. A general rule of thumb in security is that if an adversary has physical access to your device, you can no longer trust the security or integrity of that device. This also goes for things that plug into your devices.
Juice jacking isn’t possible if a device is charged via a trusted AC adapter, battery backup device, or through a USB cable with only power wires and no data wires present. If you lack these things in a bind and still need to use a public charging kiosk or random computer, at least power your device off before plugging it in.
One thing to note: Most smartphones will power on when plugged in, because the charger circuit in the phone requires power itself. You can turn the phone off after it starts charging, but how much damage can be done in those few seconds? And what if you don’t notice that the phone has powered on? So I would suggest skipping the advice to power it off, and only use your own power sources.
I can’t imagine that is a realistic risk vector. The charging circuit may be powered, but the OS isn’t booted up and the storage would still be encrypted.
When you plug the phone in the entire phone boots up, not just the charging circuit. AFTER it has started and connected to the network you can shut it down, and only the charger stays powered, as I said. If you remember to shut it down.
This is incorrect. At least for my mobile devices. They do NOT entirely boot up, when plugged in. I’m currently using a Samsung Galaxy S7 tablet and a Google Pixel 5 phone. Furthermore, I have never owned a mobile device that booted up when plugged in in the OFF stage.
I believe current iphones will in fact power on and boot up
if initial power state when plugged in is below the minimum.
(Red empty battery icon, cannot boot until charged x%)
When it reaches minimum charge it will boot to lock screen.
I don’t think it does that if you start charging above the minimum.
Well, sure enough you can find “power only” cables. But what I have seen missing from this whole noise about Juice Jacking is the use of USB condoms.
Are there issues with the condoms I’m not aware of ?
I don’t believe there are any issues with USB data blockers (the ‘condoms’ you mentioned), as long as you source them from a credible vendor. I couldn’t tell you which vendors, but i’m pretty sure the “10-pack for $5” variety on Amazon are, at best, made with inferior materials that stand a chance to do more harm than good.
Good thing I saved my Juice-Jack Defender.
Not sure about “most smartphones,” but any recent generations of Samsung phones that are powered off do not boot up when plugged in. They only go into a state that’s powered up enough to allow the charging system to function. In that state, no data is accessible through the USB port. Of course if the phone is already booted when plugged, or if the user physically pushes the right combination of buttons to put it into a recovery state, that’s a different story.
But most people don’t want to power off their phone to charge it at public charging locations, as they probably want to use the phone while it’s charging. The best advice when using such public charging stations is to use your own AC adapter and/or a USB cable that only has the power lines connected (the data lines are disconnected).
I have some of the USB batteries that you can charge and then use to charge your cell phone. They were giving them away at a meeting I went to last year and they gave me a couple handfuls of them.
Since I’m not a big cell phone user, I haven’t actually needed to use them — a charge is usually enough for a week for me.
95% of phone charging at airports takes place on airport provided charging ports run by third party I think. You want to juice Jack then Jack the provider networks.
c’mon, Prof Brian… !?Snopes?! surely you jest…why give mention/credence to a tturd? asks this ‘ol mechanic& your faithful reader from your days bygone at WaPo. cheers
My first thought too. Snopes has little credibility in general. Anyone who has read up its history would understand why. Mr. Krebs should revise the article. Mentioning Snopes is a bad look for his reputation.
The only real complaints I hear about Snopes come from political extremist (from both sides). I get it, if Snopes finds something you have come to believe it not true, THEY must be wrong. I’m not saying there might be occasional instances where there conclusions can be questioned, but how is that different from any source available?
Can you provide any reference on Snopes doesn’t have credibility anymore?
I looked online a bit and found a couple interesting things:
1. I found a negative article about it on Daily Mail from 2016 and a Forbes article about the Daily Mail article.
Because the Daily Mail is not the most trustworthy source of news and it doesn’t appear that anyone in the last 6 years or so since the article came out have verified anything said in the Daily Mail article, so it doesn’t seem like there is much truth to what the Daily Mail said.
2. I read that one of the founders of the site David P. Mikkelson got caught plagiarizing material from News Sources in some articles.
While this can hurt the site a bit, I don’t think it affected the quality of their fact checking so I don’t think it’s a major credibility problem though not a good look for the site.
3. There was a legal issue between David and another shareholder in 2017 over shares and stuff that was resolved in 2022 when David stepped down as CEO in 2022 and the other shareholder then became the owner of Snopes.
Because David is no longer running Snopes, this also resolves the plagiarizing concern as he is not there anymore.
So in short, it appears the only real problems are ones listed in 2016 article from a source that isn’t the most trustworthy.
So I don’t see any issue with Krebs referencing them at the moment.
If you have any more information regarding their credibility, I would be interested in checked that out too.
Gentlemen, you all should cite your sources for this alleged lack of credibility. Snopes cites their sources, and if none of you can, I would say your collective credibility is far below that of Snopes.
Google is a good place to start. Snopes spent its last bit of credibility when it decided to go all-in with the Steel Dossier horse feathers and Russia Hoax of the 2016 election. The controllers of Snopes are wildly partisan hacks that even a cursory bing search (if you hate google) would reveal… and not the “conservative rags” people dismiss as incorrect because of their own bias.
As a clarification, Snopes did finally come clean, but their bias is evident, just like the biases of most sites on the internet. They are funded by a large ad revenue generating entity.
I don’t think its the presence or absence of sources, but rather the clear left leaning judgement it exercises in determining truthyness. Those in the right can see this plainly.
That’s a good point! Extremists don’t like to have to cite their sources because: 1) They don’t have any; or 2) it’s all the same one link/source.
The only people who discredit Snopes are MAGA types and QAnon followers that don’t like to see their pet conspiracy theories debunked. They’ve made up their minds, and don’t want to be confused by facts.
Unfortunately, reality has a definite liberal bias.
I have been using “USB data blockers” (aka “USB condoms”) in public USB charging stations since DEF CON 19 (2011). Data blockers were a standard item in FBI forensics toolkits long before that.
Brian,
Like the Intel ME mobile phones are not “off” unless the power is actually removed.
I could waste a lot of column inches explaing the whys of this with smart phones but one point people should realise,
Few if any consumer or comnercial hardware “clears memory” on power down. Which means data in core memory can be available quite some time after power is removed.
Few if any “apps” including those for security handle “Roots of Trust” like encryption keys properly. Thus the chances are many “roots of trust” are vulnerable even with having the phone supposadly turned off.
BK: “Juice jacking isn’t possible if a device is charged via a trusted AC adapter, battery backup device”
Easier said than done. How do we have any assurance to the supply chain security of the cables and chargers sold online, or handed out by security vendors whose marketing departments presumably chose the lowest cost source for branded swag?
When this first came out years ago, I purchased a couple of USB condoms, I think the brand was PortaPow? I used them fairly regularly while travelling for work. They are a regular part of my travel electronics go bag. Now I carry a multi port wall charger as well. That covers most situations.
Your smart phone doesn’t have to be powered on, to have it’s contents copied. Anyone with a decent computer and some time will tell you. if you can power on part of a “system”, apple,are the other flavors out there, “what” can be planted there? And that listens to the basic power of the “smartphone”. To start with, hidden letters, the smart drops, oh, yeah phone cords, USB cables, miniaturized components…remember some fruit company using only an advisary country’s cables with self identifying cables, what else was there?? And what other companies joined in…
“Your smart phone doesn’t have to be powered on, to have it’s contents copied.”
I have a decent computer and some time, so how about a source for that claim?
Also which phones are you referring to?
This makes me laugh:
“The FBI replied that its tweet was a ‘standard PSA-type post’ that stemmed from the FCC warning,” Snopes reported. “An FCC spokesperson told Snopes that the commission wanted to make sure that their advisory on “juice-jacking,” first issued in 2019 and later updated in 2021, was up-to-date so as to ensure ‘the consumers have the most up-to-date information.’ The official, who requested anonymity, added that they had not seen any rise in instances of consumer complaints about juice-jacking.”
Snopes may be reporting the government’s statements without question, however I know for a fact the government doesn’t do anything that doesn’t benefit the government, meaning the bureaucrats in government. Something happened, someone bureaucrat got some virus or other malware on their phone and blamed it on an airport charging station. They were probably browsing porn on it when it got the infection and the charging station had nothing to do with it, however said person was likely a high-level official and insisted it was the truth, so someone had to make good on their BS. Typical.
Very interesting take.
Maybe I’m just being cynical, but I live it. I have to take this crap from these frat-test-bank-graduates all the time.
Thank you Brian for this reminder of another current threat on this internet highway.
I would not have learned of it today, rather than painfully later, without your story.
Some of the commenters here remind me of those ever confident, all-knowing, dudes in their “high rise” 4×4 pick-ups, who impatiently race past me on a flooded road, with full “angel wing spray” on both sides, to then suddenly disappear beneath the calm waters.
Uh oh.
Thank you impatient dude for identifying the hidden washed out road bed ahead, and much good luck on your new submarine adventures…We’ll miss you…
I have a dumb question…
My phone offers a few modes (and a default mode) when plugged into another device for charging. One of those modes is ‘charge only’. In that mode, from a layman’s view, it doesn’t appear to communicate with the computer you attached it to. It doesn’t show up as a mountable volume or anything like that. You (obviously) can’t USB tether when it is in this mode. That sort of stuff.
So, would using ‘charge only’ mode prevent this? It seems likely, but then again…
It would prevent some of it. Threat actors come in all flavors.
I note with interest that none of the commenters above appear to have actually encountered juice-jacking in the wild. The issues presented seem to be theoretical — at least, for now.
I find it interesting that none of the aforementioned commentators seem to have really seen juice-jacking in the wild. The issues presented seem to be theoretical — at least, for now.
And given that airlines and hotels have made a big push to provide USB power (facilitated by the electrical device manufacturers like Leviton, etc.) – are they going to ensure that their jacks aren’t juiced (or whatever the appropriate term would be)?
Somehow I don’t see the housekeeping staff at Marriott doing regular sweeps every day of the USB jacks.
While it doesn’t appear to have been used “in the wild”, how many people would actually be able to prove where they got infected?
That sort of makes the “that we know of” statements logical.
It is also pointed out in some sources that actual manufactured “juice jacking” devices are commercially available for penetration testing & the cost of the materials to DIY is very low. That only makes it more likely that it will be a problem.
The problem with “condoms” & “charge only cables” is that manufacturers in their infinite wisdom now use the data lines to communicate for quicker charging methods of various types so the condoms & cables cause your charging to revert to the slowest method.
To me it seems that the best way to ensure fast charging & ensure data safety is to charge a Battery Pack & only charge your device from the Battery Pack.
It would be interesting to check if simultaneously charging the Battery Pack while it charges your device is acceptable & safe.
Unless the power pack is substantially built out to the point of being able to be compromised by malware, which would be (mostly) silly IMO (but not impossible in some units *perhaps*), there’s no vector to compromise “through” the battery itself. But a purpose-built “bad battery” masquerading as a trusted vendor’s unit could easily do something evil.