Juice Jacking: the trap of public charging stations

Security Awareness
13 June 2023
Juice Jacking

We all know the annoying feeling of having our phone out of charge and, therefore, unusable and not having our power supply with us. So what could be more natural than to recharge it wherever possible, perhaps using one of the convenient charging stations installed in public places?

Here, this operation, which is apparently trivial, instead involves a lot of risks and should be avoided by resisting the urgent need to have our device operational again.

The recommendation comes even from the FBI, which has launched an alert about the risk of the attack called “juice jacking”, through which fraudsters can use public USB ports to steal data and introduce malware and software that are capable of breaching the security systems of devices.

The Federal Communication Commission (FCC) has also warned users about another aspect: cybercriminals could even leave modified cables connected to the charging station, to be used to spread malware directly to the devices.

What is Juice Jacking?

The definition of “juice jacking” was coined by Brian Krebs in 2011 and refers to the attempt to access smartphone data using the USB⁠power (juice) cable (jack) as a communication channel. With the latter, it is possible to recharge the phone by connecting it, for example, to a USB port of the computer or to a USB charging socket such as those present in hotels or in many public places.
But the same cable is also used for data transmission and to synchronise content between the smartphone and the computer. And the problem is right here because by attaching your smartphone to a public USB socket, you unknowingly risk connecting it to another computer and thus exposing it to an attack. Today, this type of fraud has become widespread precisely because of the increase in free charging areas and the practice of remote working, especially when there are stations shared by multiple users.

How it works

The violation usually involves installing software (malware) or simply secretly copying the data contained in a phone or tablet or laptop. According to experts, Android devices are more exposed than devices made by Apple, but no device can be considered completely safe in relation to this practice. The kicker is that, even if we disconnect that cable from our device, the risk can continue. Data tracking can take place even after the attack, allowing hackers to continue stealing data, information, photos and videos. The risks of this phenomenon also include the use of “cryptominers”,processes hidden within an app, website or link that can use the infected computer’s resources to generate cryptocurrency on behalf of hackers without the owner’s knowledge; or spyware or trojans,which are capable of damaging the device, or ransomware that digitally seizes data by means of encryption, and then asks for a ransom, usually of a financial type.

In short, an operation that may seem harmless, such as recharging a mobile phone, can have very serious consequences.

How to protect yourself

The FBI recommends that you always carry your charger or a powerbank (backup battery) with you.
In addition, if you cannot do without using a public USB port, it is advisable to use a cable for power/charging only: that is, without the “wires” used for data transmission. In any case, it is always important to turn off the phone before charging it.
The FBI’s website also provides several other standard tips, such as routinely changing passwords and equipping yourself with effective antivirus tools. In addition to these, it also recommends not carrying out sensitive operations, such as money transactions, online purchases by credit card or logging in to sensitive sites such as those of your bank or related to your professional life, when you are connected to a public network.
These are all very useful recommendations, upstream of which there should still be solid ongoing training on cyber risks. The best defence against attacks that can be found today in every area of our daily lives is not a list of rules to learn and remember, but a solid digital posture that makes us firm and unassailable and that can only be acquired by following a substantial, continuous and good-quality training course.


Articoli correlati

Digital Operational Resilience Act (DORA)

Digital Operational Resilience Act (DORA)

The Digital Operational Resilience Act (DORA) is a EU regulation that entered into force on 16 January 2023 and will apply as of 17 January 2025. It aims at strengthening the IT security of financial entities such as banks, insurance companies and investment firms and...

read more