"Now we get to the best part. She's actually entering in her credit card number," Stickley said as he watched Nguyen shop on Home Depot online. To find out just how easy it can be for a hacker to gain access to a charging phone, Stickley gave NBC News access to a simulation he set up along the Port of San Diego in Southern California.
Through special hardware installed in a homemade charging station, Stickley was able to watch and record everything being shown on the screen of a connected phone. And while free public charging stations have provided some relief in those situations, experts warn that powering up could give hackers a way into your personal information.
In four hours, dozens of people stopped at the makeshift charging station to power up their phones. Some expressed shock when they were told it was a setup. Hackers can load malware into charging stations at places like airports and malls, allowing them to steal the data of unsuspecting users, experts warn.
The practice, known as "juice jacking," occurs when people plug in to "juice" up their phones and hackers use malware in the charging station or USB cable to "jack" their information, such as phone numbers and passwords.
Understanding the Risk
Despite “juice jacking” being a popular area of focus for security researchers, there are scarcely any documented examples of attackers weaponizing the approach. Most of the media coverage focuses on proofs-of-concept from researchers who work for institutions, like universities and information security firms. Most likely, this is because it’s inherently difficult to weaponize a public charging station.
To hack a public charging station, the attacker would have to obtain specific hardware (such as a miniature computer to deploy malware) and install it without getting caught. Try doing that in a busy international airport, where passengers are under intense scrutiny, and security confiscates tools, like screwdrivers, at check-in. The cost and risk make juice jacking fundamentally ill-suited for attacks aimed at the general public.
There’s also the argument that these attacks are relatively inefficient. They can only infect devices that are plugged into a charging socket. Furthermore, they often rely on security holes that mobile operating system manufacturers, like Apple and Google, regularly patch.
The Risk: Charging your phone or tablet at a public charging station.
It's become commonplace to find free USB charging stations in many public areas, from airports to hospital waiting rooms. While this seems like a thoughtful accommodation, a quick recharge from a USB port in a public setting could actually put your data at risk of being stolen.
What’s Juice Jacking?
Although it has become synonymous with charging, USB technology was initially developed with the aim of transmitting data. Thus, hackers can use these public charging stations to install malware on your smartphone or tablet through a compromised USB cable. This process, called "juice jacking", allows hackers to read and export your data, including your passwords.
1) Carry a portable battery pack of your own. These are easy to find and, so long as you keep them charged up, provide the safest alternative to public USB charging hubs.
2) If you currently carry around your USB cord, keep the alternating-current (AC) adapter with you too. Yes, it will mean that you have to properly plug your device into a wall socket, but the added security of AC power only is worth the minimal space it’ll take up in your bag.
3) Buy a USB charge-only adapter, otherwise known as a "USB condom". These clever attachments serve as an intermediary between your USB cord and the charging port, protecting your device’s data in the process.
Survey results are based on the polling of a random sample of 1,029 (January 2020) American adults (18+) via SurveyMonkey’s “Audience” platform, which ensures the demographic make-up of respondents is representative of the U.S. population. Survey respondents were paid and a confidence level of 95% was used for calculating the values above.
Some of the things a hacker can do when you plug your phone into one of these “juice jacking” USB ports are:
- Read all the data on your device
- Lock your device
- Infect your device with malware
- Steal sensitive information on your phone
- Plant a type of malware that will allow the SIM card on your phone to be cloned
You may charge up your phone and be on your way, never realizing that you just had all your phone’s data stolen.
How to Avoid Falling Victim to Juice Jacking
Because hackers infect the ports of legitimate public USB charging stations, it can be difficult for you to know which are safe and which are not.
Most people won’t just let their phone go dead if they can help it, so they may think taking the risk is worth it to get a charge when they don’t have another easy way to get one. There are some things you can do to avoid being subject to an infected USB port.
Use Electrical Outlets to Charge Instead of USB
An electrical outlet isn’t going to transfer data as a USB connection will. Make sure to bring the part of your charging cable that includes an electrical plug, and if traveling overseas, get a power adapter so you can use the different types of electrical outlets.
Many charging stations in airports and other public areas will include both a USB port and an electrical outlet for charging.
Carry Portable Power Banks
You can purchase portable power banks for around $25-$30. These allow you to charge your phone without needing to use an external source. This is very helpful to have with you when traveling, especially if you’re not going to be in a place where you can easily charge your phone or tablet.
Carrying your own small power source that is good for one or two full battery charges can help you avoid that low-battery anxiety as well as avoid potentially infected USB charging ports.
Get a Charge-Only Cord
There are charging cords that you can buy for USB charging that are “charge only.” This means the cord passes power for charging but does not enable a data connection the way other USB cords do. Carrying one gives you a backup in case you need to charge and a USB port is the only option, and it lets you do so more securely.
The scam has prompted local authorities, including the Los Angeles County District Attorney's Office, to alert the public to think twice about plugging in at places like airports or malls. Stickley said that among the most critical pieces of information a hacker could gather from one's phone is a personal email, which can later be used to reset passwords.