Juice jacking leads to loss of privacy, security, and anonymity of potentially sensitive data on the infected device. Depending on the type of malware used, lots of other damage can be caused, including DDoS attacks, hijacking attacks, and phishing attacks. The main method of juice jacking is pairing. Pairing is when mobile device owners establish a trusted connection with a laptop or any other device for communication or charging.
Battery problems are rampant in mobile devices such as smartphones, tablets, and smartwatches. In this guide, readers will learn about a cyberattack technique known as juice jacking. First, the mechanisms of juice jacking will be covered, after which some of the most common questions regarding juice jacking will be answered. By the end of this guide, readers should understand what juice jacking is, the situations in which juice jacking is more likely to happen and the steps mobile device owners can take to stay safe from juice jacking. Juice jacking is simply a lesser-known (and poorly documented) form of new cyberattack that infects and steals information from mobile devices when the target device is charging. Juice jacking is essentially hackers infecting the target device with malware via the USB charging port.
How does Juice Jacking Work?
Juice jacking works by exploiting the connection that a smartphone device forms with the USB charging point. For example, when waiting at an airport with a low battery, most users will quickly find a charging spot which mostly come in the form of USB charging kiosks and plug their smartphone in without a second thought. However, hackers can modify charging points to install malware to devices via the USB port without notification or consent.
Juice jacking is a threat to all types of mobile devices whether the operating system on those devices is iOS, Android, or BlackBerry as all these devices currently use some form of cable power supply. Any time a smartphone device tries to connect to another device, the first device has to first pair with the second device and then form a trusted connection. This is also the reason why, for example, on iOS, any time the user connects the iOS device with another one (or a power outlet) the iOS pushes a notification asking the user whether or not to trust the new device. In any case, once the trusted connection is established, the two devices are free to transfer data. The situation is fairly similar in the charging process. The USB cable connected to the device that needs charging must first open a communication channel. Hackers can then exploit that channel to install malware.
Fortunately, mobile device companies noticed this vulnerability a long time ago and have since disabled default data transfer facilities on most smartphone devices. Users of older smartphones should check the Settings menu to ensure automatic data transfer is disabled.
With the data transfer option disabled, the entity providing the power can see only the established connection. However, if the charging USB port is hacked, once the user connects to the port, the hacker behind the USB port can transfer data between the device that needs charging and the charger port without any notification.
What Hardware is Used for Juice Jacking?
Generally, the hardware used for juice jacking is a compromised charging port available in a public space. Hackers usually have such hacked charging ports installed at public places such as coffee shops, airports, railway stations, bus stations, or even markets where charging kiosks are constantly available. Essentially, any place that frequently offers a USB adapter to the public for charging smartphone devices can be used for juice jacking. Sometimes hackers install specifically designed hardware to carry out juice jacking activities.
Can you get a Virus from a Phone Charger?
Yes, mobile device owners can get viruses from phone chargers that have been compromised. For this reason, mobile device owners should avoid public USB charging cables and only use official cables where possible.
Phone chargers, like other IT devices, come with built-in installed firmware because of which phone chargers can form a line of communication with another device when connected. Hackers use different tools to infect such phone chargers and corrupt the firmware used to form the communication channel. Hackers then load malware into phone charger stations available to the public.
Are Public USB Ports Vulnerable to Juice Jacking?
Yes, public USB ports are vulnerable to juice jacking for the simple reason that hackers prefer these kinds of places for hacking. People are always traveling and running low on battery life while traveling. And once a mobile owner is low on battery, a free USB port charging station at the airport/coffee shop/bus station is the first thing the owner is looking to plug the mobile device into. Hackers know this and exploit the situation by loading malware on public USB ports available at various airport gates, hotels, and crowded places.
What are the Types of Juice Jacking?
The types of juice jacking are given below:
- Data Theft
- Malware Installation
- Multi-device Attack
- Disabling Attack
1. Data Theft
A data theft juice jacking attack is a type of attack which happens during the charging phase. As the device is charging, hackers steal data from the target device.
The harms of data theft juice jacking attacks include loss of privacy, online identity, sensitive information, health records, credit card information, etc. After hackers gain control of the data, there are a hundred different types of cyber-attacks that hackers can launch to not only hurt the victim but other users as well.
Readers should consider the fact that not every phone charger or data cable is safe to connect to. Hackers are now also able to develop malicious apps that can be transferred to a target device via a juice jacking attack. Once on the target device, such apps can transfer all the important data on the target device to another device controlled by the hacker.
Pro Tip:To prevent data theft attacks users should avoid using public USB charging kiosks. If there is no other choice, check to make sure that the charging cable does not have any data transfer pins and only contains charging pins.
2. Malware Installation
The malware installation juice jacking attack is another type of attack that involves the hacker using a public USB charging kiosk to install malware onto the connected device.
Malware installation juice jacking attacks work in a similar way to other types of juice jacking attacks. Once the user connects the device to the compromised public charging port and establishes a connection, the charging port drops the malware onto the device.
Warning:There are many potential harms that malware installation can lead to, including data loss, device loss, installation of other malware, slowdown of the device, etc.
Readers should consider the fact that once the malware is dropped onto the device, the malware (or the hacker) is under no obligation to actively harm the device. In other words, the malware can just lodge itself on the connected device and not do anything harmful until new instructions are sent via the hacker HQ. Sometimes, the malware present on the system may only spy on the user activities and surreptitiously send data back to hacker HQ until the device’s owner uses a third-party application to find the malware and then removes the malware via a scanning tool. This means users may be completely unaware their device is running with malware installed.
The method to prevent malware installation juice jacking attacks remains the same as before. Users should avoid using public charging ports as much as possible, but where it is unavoidable, check for the presence of data transfer pins on the charging device. Another way to prevent malware installation juice jacking attacks is to always carry an original charging cable.
3. Multi-device Attack
The multi-device juice jacking attack is a type of attack that involves the usual juice jacking techniques such as infecting a power adapter, a USB charging port, and USB cables with malware so that when a user connects to either the power adapter, the charging port, or the cable, the malware gets on the system and harms the device. Multi-device juice jacking attacks infect ports and cables nearby to compromise multiple devices at a given time.
The main unique harm of multi-device attacks is the propagation of juice jacking attacks. Hackers do not have to make an effort to individually compromise a given public charging kiosk. And that’s because multi-device juice jacking attacks lead to more devices being harmed at the same time without any extra effort. The harms following such a situation include more data loss, identity loss, more spyware on unsuspecting mobile device users, and more devices acting as malware carriers.
Note:Readers should keep in mind that charging from a public kiosk is not only a risk for one device but for all the devices that are in the vicinity and any other place the user charges the compromised device. Another aspect to consider is the fact that charging from a compromised public kiosk could turn the user’s device into a malware propagator. Once the user connects the compromised device to a clean charging cable or USB port that port or cable could also get infected.
Again, the ways to prevent multi-device attacks are to avoid public charging kiosks and to carry an official charger at all times. More specifically, if a device owner has used a public charging kiosk in an emergency (assuming the owner realizes the mistake and the potential risk) situation then the same device should not be used on any other public or private charging port before cleaning the device of any malware.
4. Disabling Attack
In a disabling juice jacking attack, the device is disabled via the charging port, preventing the user from accessing the device. Under full control of the hacker, the device can be used to carry out any type of malicious activity and any data on the device is completely compromised.
The harms of a disabling attack mainly include loss of access to and potentially permanent loss of all data on the device. Also included are all the harms of a simple juice jacking attack, such as loss of online identity, compromised financial information, the infected device being used in a DDoS attack or to carry out other types of attack or to impersonate the owner of the device.
Readers should know that juice jacking attacks do not always carry out malicious activity hidden from the owner of the compromised device. Depending on the objectives of the hackers, the compromised device may be completely locked out. Then hackers are free to use the device however they require and transfer as much or as little data as desired.
To prevent disabling juice jacking attacks users should again avoid public charging facilities and carry their original charging cables.
Where is Juice Jacking Used Most?
The place juice jacking is used most is the airport. To maximize return on investment, hackers need lots of potential targets close to one another. Hence, juice jacking airport USB charging kiosks make logical sense. Airports receive the most number of potential targets on any given day and the chances of someone at an airport running out of phone battery are greater. The chances of a person ignoring good security advice and using a public charging port are also greater since the environment at an airport is often stressful and time pressured.
What Devices are Vulnerable to Juice Jacking?
The most common devices vulnerable to juice jacking are the ones that rely on USB charging ports such as smartphones, tablets, and/or smartwatches. More specifically, iPhones, Android phones and devices, and Windows tablets.
What are the Countermeasures to Juice Jacking?
The best countermeasures to juice jacking are given below:
- Avoid Public Charging Stations or Portable Wall Chargers
- If You must Charge Your Phone, Use a Wall Outlet
- Use Software Security Measures
- Use USB Pass-through Devices
1. Avoid Public Charging Stations or Portable Wall Chargers
The best way to stay safe from juice jacking is to avoid public charging stations or portable wall chargers completely. Occasionally, everyone gets into a situation where the smartphone battery is nearly empty though. If possible, the safest thing to do is to manage without a phone until you can charge it safely with your cable. Alternatively, carrying a power bank with your official cable avoids the need to use public charging facilities. Avoid using power banks which belong to other people.
Power banks should only be used if purchased from a reputable store. Just like public charging ports and charging cables, power banks can be hacked and used for juice jacking as well.
That means smartphone users running the risk of low battery life should carry a power bank on their person.
Power banks are exponentially safer than public charging ports and, best of all, the smartphone owner doesn’t need to run around looking for a charging port.
Pro Tip:Another option is to carry an extra battery, however, this is not an option on many smartphones. Even on phones where it is possible, it may be daunting for some users to partially dismantle the phone. For such users, there are advanced external battery cases available at various retail stores that bypass the need to take out the battery to make use of another one. Such external battery cases attach with the smartphone device and kick into action automatically once the battery is low enough.
Apart from power banks, users can also try wireless charging stations which may be safer than public charger ports, though charging via wireless charging stations does still carry some of its own risks.
2. If You must Charge Your Phone, Use a Wall Outlet
Users who must charge the phone running out of battery may also find a wall outlet. The primary reason why smartphone owners should do that is to stay safe from problems such as juice jacking and other malicious attacks.
Using a wall outlet to charge a smartphone would mean the user would have to bring their AC adapter and charging cables. This usually minimizes any risk of a juice jacking attack. Users can also make use of a wireless charger that takes out the need for a charging cable at a public charging kiosk.
Pro Tip:When traveling, especially abroad, it is important to carry power outlet adapters as there are over 15 types of electric outlets being used in different countries. Researching the type of power outlets/ the type of adapters required is advisable before travelling.
3. Use Software Security Measures
There are many software security measures users can take to stay safe from juice jacking. Disabling the option to transfer data automatically via charging cable is the most effective software security measure that can be taken to prevent juice jacking.
Another software security measure is to lock the phone while charging is taking place. The vast majority of smartphone devices on the market today do not try to sync or transfer data if the phone is locked.
The third way to avoid juice jacking attacks via software security measures is to disable the option for automatic connection to another device via a charging cable (including a charging port). Devices running the iOS operating system come with this feature enabled by default. Android users will have to make sure to turn this option on via the Settings menu.
Smartphone devices are often designed to push a notification, for example, ‘Trust this Computer” the moment the user connects the device with another device or a charging port. Once the user sees the notification where another device is requesting access to data on the device, the user can simply deny the permission. Users can also enable the option to require the smartphone device’s passcode before enabling a connection for charging and other purposes.
4. Use USB Pass-through Devices
Using USB passthrough devices is yet another method to stay safe from malicious USB cables and charging ports. Readers should keep in mind that even if the charging cable is clean, connecting the cable to a malicious charging port will still allow hackers to perform a successful juice jacking attack.
For this reason, developers have come up with USB Pass-through devices. By using USB pass-through devices, users can both avoid juice jacking attacks and, secondly, avoid relying on power banks or external battery cases.
Note:USB pass-through devices act as a security buffer between the public charging station’s USB port and the user’s USB charging cable. Sometimes USB pass-through devices are called data blockers and at other times simply USB condoms.
As previously mentioned, users can also invest in a USB cable that is power only. Using the proper configuration pins, there are USB charging cables available on the market that only allow charging when connected. Keep in mind that all the USB charging cables that come with the devices allow not only charging but also data transfer.
USB pass-through devices or USB condoms block pretty much all the pins which are present at the male end of a given USB charging cable. The only pin that the USB condom does not block is the power transfer cable.
What is the History of Juice Jacking?
Juice jacking is a relatively new type of cyber attack that became common around August of 2011. Security researchers developed malicious USB charging kiosks (as proof of concept) and presented the workings of malicious charging ports to a researcher conference.
Researchers requested the attendees to charge smartphone devices via the malicious USB charging kiosks for free. As soon as an attendee connected the smartphone device to a charging kiosk, the device popped up a notification telling the user of a successful pairing operation with the malicious charging kiosk.
Two years later (in 2013) at another security conference, researchers managed to again highlight the security risks that techniques such as juice jacking presented. In a particular Black Hat conference, security researchers presented a full-functioning malicious USB charger. Researchers called the device Mactans. Mactans, after establishing a connection with an iOS device during the charging process, could inject malware directly into the device. After malware landed on the target device, researchers were free to move forward and carry out various types of malicious activities.
Six years later in 2019, the threat from various juice jacking techniques had grown to a level that the office of the Los Angeles County District Attorney had to put out a notification warning to the public about juice jacking and how juice jacking could harm devices.
Because of such warnings and demonstrations by researchers at various security conferences around the world, security risks such as juice jacking started to gain traction. Afterward, both the Android and iOS operating systems got updated to not establish a connection automatically with a charging station but instead ask for permission. Not only that, mobile devices running on the iOS and Android operating systems pushed out security warning notifications and required users to ‘trust’ the connection (either with charging ports or USB connections with another device for charging purposes) before charging could take place.
If there was a risk of juice jacking, users could simply select the option to not trust the new connection. Once that option was selected, the device (iOS and Android) would establish a charging connection with the port or the power bank but at the same time would also disable the data transfer channel.
Some of the most important people and organizations in relation to juice jacking include the NSA that started to give out juice jacking warnings to government employees as early as 2012. The popular TV series CSI: Cyber also tried to bring more attention to problems such as juice jacking in 2015 by dedicating an entire episode to the juice jacking phenomena. Some magazines such as Android Hackers Handbook also discussed juice jacking in 2014.
In 2012 Kyle Osborn showed a new type of juice jacking attack via a framework known as P2P-ADB. Such a framework was shown to be capable of spreading from one device over another via a USB OTG connection.
In terms of reporting, one of the first reporters to highlight the issue of juice jacking in the mainstream media was Brian Krebs via the Krebs on Security website. Krebs had watched the first conference (Wall of Sheep DefCon) in 2011 and decided to write a piece on the subject the same year.
Just like any other cyberattack, juice jacking has also evolved. As previously mentioned, it is no longer the case that juice jacking can only be performed via malicious charging ports. USB cables can also be programmed to launch juice jacking attacks upon connection. In this respect, an important personality is a researcher named _MG_ (a username) who was the first person to release a modified USB cable labeled O.MG Cable.
The O.MG cable, visually speaking, did not look any different from a USB charging cable that one would find from any given computer hardware shop, however, the O.MG cable had a microcontroller embedded inside. Penetration testers (and hackers) could use such a cable to inject malware into any connected device (via the O.MG cable) via remote commands using nothing but WiFi.
Another important year in the history of juice jacking was 2018 when Symantec (a cybersecurity firm) published research on juice jacking which showed that once a user-approved and ‘trusted’ a USB connection, the approval could also be used to access iTunes API via WiFi which allowed hackers to access the device even when the device is unplugged from the malicious USB charger.
Over the years many researchers have made important contributions to establish a concrete understanding of juice jacking attacks, how the attack may further evolve and how security professionals should respond to an evolving threat such as juice jacking.
In 2016, researchers at Wall of Sheep (a cybersecurity website) and Aries Security showed how malicious USB charging stations could not only steal data and inject malware into the connected device but also record what was shown on-screen via a technique called Video Jacking.
In 2014, Jakob Lell and Karsten Nohl (both security researchers) did a study on the BadUSB vulnerability. The study showed that techniques such as juice jacking were the simplest methods to infect devices during the charging phase. Similarly, in 2013 Georgia Tech graduates released Mactans, a tool that could infect even the latest version of iOS at the time during the charging process.
What are the Other Threats like Juice Jacking?
Other threats like juice jacking are given below:
- Malware (including spyware, ransomware, worms, viruses, and crypto miners)
- Emotet (mostly refers to Trojans that infect banking transactions)
- DDoS (Distributed Denial of Service) attacks (including DoS attacks)
- SQL (Structured Query Language) Injection attacks
- Phishing attacks (including malicious email messages, SMS messages, and links)
- Password attacks (including social engineering, guessing, hacking password databases)
- MiTM (Man-in-the-Middle) attacks