Using public USB charging stations at airports, railway stations, or shopping malls to charge mobile phones could expose people to juice jacking- a form of hacking that involves hackers lacing charging stations with malware to hijack devices, steal user data, or lock devices using ransomware.
Recently, Los Angeles County's District Attorney's Office issued an advisory for travellers, asking them to avoid using public USB power charging stations in airports, hotels and other locations as such charging stations may contain dangerous malware.
"Travelers should avoid using public USB power charging stations in airports, hotels and other locations because they may contain dangerous malware.
"In the USB Charger Scam, often called “juice jacking,” criminals load malware onto charging stations or cables they leave plugged in at the stations so they may infect the phones and other electronic devices of unsuspecting users. The malware may lock the device or export data and passwords directly to the scammer," the advisory read.
Cyber criminals can steal data stored in your device through juice jacking
Satnam Narang, senior research engineer at Tenable, told TEISS that juice jacking is a method to transfer malware planted in public USB ports at charging stations onto devices, which can linger even after the device is no longer in contact with the charging station.
"This is because the cable used to charge mobile devices is also a driver that can be used to transfer and sync data. The malware can then be used to access personal and corporate information stored on devices of unassuming users," he added.
In a recent blog post on the menace of juice jacking, Malwarebytes Labs noted that even though the technique is not being used on a large scale by hackers, travellers during the holiday season should still exercise caution and avoid using public USB charging stations or pluggable USB wall chargers in airports and hotels.
The firm said that out of five pins in a regular USB connector, only one is needed to charge the receiving end while two others are used by default for data transfers. Mobile devices running older versions of Android don't have data transfer disabled by default and if these devices are connected to USB connectors, a pathway to move data between devices is created and can be abused by hackers.
Hackers can then carry out juice jacking either by stealing data from mobile devices connected to compromised public USB charging stations or by transferring malware from these stations to connected mobile devices.
"A cybercriminal could breach an unsecured kiosk using malware, then drop an additional payload that steals information from connected devices. There are crawlers that can search your phone for personally identifiable information (PII), account credentials, banking-related or credit card data in seconds.
"There are also many malicious apps that can clone all of one phone’s data to another phone, using a Windows or Mac computer as a middleman. So, if that’s what hiding on the other end of the USB port, a threat actor could get all they need to impersonate you," the firm said.
It added that cyber criminals can also inject a variety of malware into mobile devices from USB charging stations, such as cryptominers to mine a mobile phone’s CPU/GPU for cryptocurrency and drain its battery, ransomware to freeze devices and encrypt files, spyware for long-term monitoring and tracking of a target, and trojans to serve other forms of malware.
How can travellers avoid juice jacking tactics by cyber criminals?
Travellers can avoid becoming victims of juice jacking by either using a good old-fashioned AC socket (plug and outlet) that don't have a provision for data transfers, or by using external batteries, wireless charging stations, and power banks which can keep their mobile phones alive for as long as they are travelling.
They can also use "USB condoms" that allow power transfers from USB charging stations to mobile phones but don’t connect the data transfer pins, thereby preventing hackers from injecting malware into devices that allow data transfers by default. These devices are also known as USB data blockers or "juice-jack defenders" and cost very little.
"A simple solution to this problem is to refrain from charging mobile devices in public areas. Only charge your mobile devices using cables and chargers that belong to you," said Narang.