Charging Your Phone At An Airport Can Leave You Open For Malware Attacks

Most of us are aware of the potential dangers of public Wi-Fi connections but few of us pay much attention to how vulnerable we make ourselves and our precious smartphones simply by plugging them into a public USB port. Just how dangerous can a bit of electricity be? Well, it’s not so much the power that’s the problem, but that the charging station itself could be corrupted and used to deliver malicious infections or steal information.

While these so-called juice-jacking attacks have, to date, been largely theoretical, the Los Angeles District Attorney’s decision to warn travelers about the dangers of juice jacking has brought this latest cyber threat into the public eye. It seems it’s time we found out a little bit more about how juice jacking works, what the dangers are, and how we can protect against such threats.

It might seem a bit silly to get all excited about a potential threat of which there have not been any real cases, but we all know how fast things change when it comes to technology and cybercrime, and the best way of staying safe is by keeping one step ahead of the criminals.

What Is Juice Jacking?

The theory is that a criminal could infect a USB wire or hack into a charging station so that it works like a computer, pulling information off your device just as your laptop would, and exposing it to the possibility of a malware infection.

Just as an internet connection allows you to both send and receive data, so a charging station could be corrupted to create a two-way transfer that would enable cybercriminals to send malware to your phone or retrieve data from it.

Brian Krebs coined the phrase juice jacking eight years ago at the DefCon cybersecurity conference. Researchers at the conference built a charging station to show attendees just how dangerous public charging stations could be.

When unused, the charging station’s LCD screen displayed a message announcing “Free Cell Phone Charging Kiosk” but that changed to a warning message the minute a device was plugged in. The warning read, “You should not trust public kiosks with your smartphone. Information can be retrieved or downloaded without your consent. Luckily for you, this station has taken the ethical route and your data is safe. Enjoy the free charge!”

Rather than putting people off, however, this experiment proved that many of us would rather take the risk than tolerate a dead battery. Some believed that their devices were protected because the USB transfer mode was switched off. On plugging the device in, however, it would still go straight to USB transfer mode, indicating the ineffectiveness of such a feature.

The point these cybersecurity researchers were trying to make was that hackers could get into the charging station system and install malware that then infects any device that is plugged in to that USB port. Experts say such malware could “lock the device or export data and passwords directly to the scammer”. That means they could easily get their hands on your bank account details, or even your family photographs.

Is the Juice-Jacking Threat Real?

At this stage, juice jacking is purely theoretical, although some experts believe it won’t be long before we see such attacks in the wild, so to speak.

Back in 2013, researchers at the Georgia Institute of Technology created a malicious USB charger that could “inject persistent, undetectable malware” onto iOS devices. This Mactans charger could compromise a device in under a minute, making it a serious threat.

Similarly, in 2015, another researcher by the name of Samy Kamkar created a stealthy device he named KeySweeper. Masquerading as a USB wall charger, this clever device can sniff out, decrypt and log the keystrokes from any Microsoft wireless keyboard.

Despite these theoretical developments, there are no known cases of juice jacking. The LA DA initially suggested that “There are known cases on the east coast” but when pressed for more details, were unable to deliver. According to a spokesperson for the LA DA, the warning was issued as part of “an ongoing fraud education campaign”, although this isn’t clear from the warning, nor is it specified on the DA’s website.

Perhaps a more serious and realistic threat is the development of bad USB cables. A few years ago, cybersecurity researcher, Mike Grover, revealed that it was possible to embed a USB cable with a “Wi-Fi controller that could receive commands from a nearby smartphone and then execute malicious payloads on the target PC or smartphone”.

Again, this isn’t something just anyone could accomplish as it requires some serious technical knowledge and expertise, but it’s nonetheless possible. Innovative criminals may consider loading a USB cable or phone charger with malware and then leaving it in a public place in the hopes that someone uses it, thereby activating the malicious software.

This is a simpler process than juice-jacking via a public charging system, which is usually hard-wired, wall-mounted and protected by anti-theft technology but is nonetheless both costly and random. Even the most sophisticated criminals will struggle to get a specific target to pick up and use the USB cable, making it far less effective than, for instance, skimming data via a fake Wi-Fi hotspot.

All in all, the threat of juice jacking is so tiny it’s almost non-existent and, given that there are much bigger threats out there, one wonders just how much time and brain power we should commit to juice jacking. The truth is, if there is a glimmer of possibility that you can use technology to make a buck or two, you can be sure someone will capitalize on it, therefore taking the necessary precautions to protect your mobile devices from juice-jacking threats, is something of a no-brainer.

Nomophobia and Battery Dependency

We all know that sinking feeling we get when our mobile phone battery is on its last legs and we’re about to lose that comfort blanket of connectivity. For some, this experience is so disturbing, they suffer what’s known as nomophobia. Although the definition of this emerging condition has yet to be standardized, it has been accepted by the World Health Organization, and the symptoms of nomophobia, or battery anxiety, include:

• Shaking
• Agitation
• Sweating
• Palpitations
• Disorientation
• Increased heart rate

It’s a widespread problem and statistics indicate that around 1% of the world’s population suffer symptoms when the battery life on their device drops to below 20%. Given those statistics, the likelihood of juice-jacking attacks occurring in the near future seems high.

After all, if 1% of the global population can’t live without battery power and you can provide it while simultaneously infiltrating those 75,270,000 devices with malware, you could be the next king of cybercrime.

How to Stay Safe without Going Flat

There are some precautions you can take to guard against juice jacking and some that have already been taken for you. Apple, for instance, has made a few changes to their devices so they no longer automatically connect as a hard drive when plugged in via a USB. There are also some new security patches designed to protect iOS devices from attacks like that demonstrated by the Georgia Institute of Technology researchers back in 2013.

Android smartphones now require user permission to operate as a hard drive over a USB connection.

Nevertheless, there are a few more precautions you can take to guard against juice jacking and other similar threats:

1. When using a public charging station, make sure your phone is either locked or turned off. With some devices, this can prevent a juice jacking attack altogether, although how effective it will be across the board is yet to be seen.
2. Use only the dedicated power supply cable that came with the original device and opt for a standard electricity supply as opposed to a USB charging port. This simple solution is all well and good, assuming you can find a standard electricity supply when you need one.
3. Invest in a portable battery-powered charging device or power bank and skip public charging stations altogether.
4. Use a USB Condom or no-data charge cable when plugging into an unknown power source or public charging station. These devices block the transfer of data but, in doing so, slow down the rate of charge significantly, meaning your device will take much longer to charge than normal.
5. Install antivirus software that will alert you to any suspicious activity and protect against malware infections.
6. Keep all your software up-to-date by installing updates regularly.

The Best Antivirus Got Juice

There are no complete fail-safes in the world of cybersecurity, so your best bet is to use a combination of physical safeguards, cybersecurity software, and a sprinkling of common sense. Not even the best antivirus for iPhone will be able to protect you against all the vulnerabilities associated with using a public charging station, but it will at least detect and notify you should a malware threat occur.

Antivirus tools like McAfee’s Mobile Security for iOS will also give you a secure vault facility in which you can store images, sensitive data and anything else you want to protect against data theft. Similarly, the best antivirus app for Android automatically locks any app that has access to sensitive data, like your credit card number, photos, or emails. Many will also notify you should any personal data, like your social security number, for example, be leaked into cyberspace, enabling you to respond timeously to such an identity theft risk.

While these are useful features to have and offer protection against a wide range of attacks, not only those that come sneaking up a USB cable, there is no antivirus software that’s going to offer specialized defense against juice jacking… not yet, anyway.

It does seem that the Los Angeles District Attorney’s office may have been a little over-zealous and possibly premature in their juice jacking warning but there’s no denying that, when it comes to malware, prevention is much better than cure. Although they’ve been criticized for what some are calling an inadequate fraud alert, the advice the LA DA is offering is sound.

The juice jacking threat may not be here today, but there’s every possibility it’s just around the corner so putting effective safeguards in place and adjusting your charging habits now will prepare you for that eventuality.

Conclusion

Although we have yet to see the first malware infection or data theft incident from a USB charging point, it could just be a matter of time and you don’t want to be the first victim.

Since the Los Angeles DA office warned travelers to avoid using phone charging stations in public places like hotels and airports, juice jacking has shot from the depths of obscure cybersecurity research straight into the headlines. Fortunately, those in the know are already on the ball and the latest smartphones already come with security features designed to reduce the risk of juice jacking.

That’s not to say the protection is complete, however, and smartphone users on the go should take some extra precautions. Whether that’s using a portable power bank, relying solely on standard electrical supplies, or using a USB condom, is up to you, although avoiding public charging stations altogether is clearly the best approach.

If you suffer from nomophobia, however, and you left your power bank at home and have no other option than to plug into a charging station, you might just have to take your chances. Just bear in mind that the risk is there and that the best antivirus software can give you at least some level of protection against the possibility of malware infections and data theft.

When it comes to jacking up your devices against the threat of juice jacking, there’s no time like the present, so go get some antivirus protection and get to grips with USB condoms before the cybercriminals get to grips with your data.