Here’s another risk to add to the many issues that business travelers and their organizations must address: juice jacking — a type of cyberattack that involves malicious wall chargers or compromised mobile accessories.

Public USB power charging stations are now ubiquitous in the spaces business travelers frequent, including airports, hotels and other points of transit or accommodation. That’s why every business traveler and organization needs to understand that these resources could be hijacked by cybercriminals as a conduit for delivering malware or stealing sensitive data.

What Is Juice Jacking?

It seems like everybody is suddenly talking about juice jacking, which is likely due in large part to the Los Angeles County District Attorney’s Office declaring that it’s a real threat in a recent security alert. But what is juice jacking, exactly?

USB charging ports in airports, hotels and elsewhere can be replaced with modified versions capable of delivering malware to devices once they’re plugged in. An even easier method is modifying an AC adaptor or even a charging cable to do the same thing. This works, of course, because the USB standard is designed to convey both electricity and data. At public charging stations, people think of USB only as a way to charge, but cybercriminals intend to use it to steal data or deliver malware.

The History of Juice Jacking

The data security world first heard about the threat of juice jacking at DefCon in 2011. Researchers from Aries Security set up a public charging kiosk at the event’s “Wall of Sheep” area as part of an experiment about the viability of juice jacking. The kiosk screen advertised a free cell phone charging kiosk, but when users plugged in their devices, the screen changed to a warning about the possibility of a malware payload from public charging stations.

A year later, security researcher Kyle Osborn described an attack called Phone to Phone Android Debug Bridge (P2P-ADB), which used USB OTG (on-the-go) features. That attack involved a cable called the Kos Cable that could enable one Android phone to attack a second Android phone via USB. Specifically, the attack would unlock the victim’s phone and steal authentication keys that provided access to their Google account.

Juice jacking reared its ugly head again at the Black Hat conference in 2013, where a proof-of-concept called Mactans was introduced by Georgia Tech researchers. Mactans used electronics that could fit into a USB wall charger or AC adaptor to deliver iOS malware in 80 seconds. The attacked iOS device would appear normal, and a Trojan would be launched next time the user opened Facebook. The researchers used a low-cost BeagleBoard to power the device.

In 2015, a security researcher named Samy Kamkar introduced an Arduino-based USB AC adaptor called KeySweeper, which could capture (as well as decrypt and record) all keystrokes from any Microsoft wireless keyboard within range.

One year after that, another proof-of-concept hijacked the ability of smartphones to mirror their displays onto another monitor, thereby creating a new security buzzword: “video jacking.” Demonstrated at DefCon, the video jacking attack, which was also developed by Aries Security, involved a USB charging cable that would record and send video footage from a smartphone screen once a connection with the phone was established. This would enable the theft of any personal or authentication data that might appear onscreen. This attack method could affect anyone using an HDMI-ready smartphone.

How Big Is the Threat, Really?

The Federal Bureau of Investigation (FBI), the LA County District Attorney’s Office and even the Better Business Bureau (BBB) have warned the public about the dangers of juice jacking. But some security experts dismiss the threat, claiming that all the news around it comes from ethical researchers demonstrating proof-of-concept hacks and that no known instances of juice jacking have appeared in the wild. Also, modern smartphones now alert users when data is being transferred.

Even so, every threat is theoretical until it isn’t, and when we find out about a new attack in the wild, the data will already have been stolen.

If the remedies for protecting against juice jacking were difficult, complicated or expensive, then these pains would have to be weighed against the low probability of an attack, but the remedies are easy and cheap. It’s also worth pointing out that cybercriminals are increasingly focusing their efforts on attacks against business travelers.

How to Prevent Juice Jacking

Here are some best practices for avoiding juice jacking attacks, which should be part of your ongoing security training programs:

  • Don’t use public charging stations that offer USB ports.
  • Use your own AC charging adaptor and your own cables to plug into electrical outlets.
  • Carry a high-quality, certified mobile battery so you don’t have to rely on power sources of opportunity.
  • Don’t use somebody else’s PC for charging your mobile device.
  • Use a USB data blocker dongle, which is a product that disables data transfer for USB cables.

A Few Finer Points on the Art of Defeating Juice Jacking

Preventing juice jacking isn’t just about juice jacking per se; it’s also about training executives and employees to sort accessories like dongles and other devices into one of two categories: able to convey data or unable to convey data. Associates must be wary of anything that fits into the first category. If it can transfer data, it’s usable for malware delivery. Good practices around charging equipment are now a critical element of a larger, integrated approach to cybersecurity.

One of the arguments against juice jacking jitters is that there are easier ways to steal data. For example, simply deploying a honeypot Wi-Fi hot spot at the airport is an easy and common way to attack mobile devices in the area. But certain targets, such as executives, government or military officials, or anyone with high-value data, can be harder to attack using more common methods. A motivated attacker might deploy multiple attack vectors, and this is especially true with regard to industrial espionage attacks. At a target-rich conference, for example, it would be easy to install modified USB charging ports in hotel rooms.

Yet another method for prevention is using a data blocker — a so-called “USB condom” — though this avenue is slightly inconvenient. You have to buy it, carry it, remember to use it and then suffer through the slower charging times these devices typically cause. Also, these data blockers are generally available for USB 2 connections but usually don’t work for faster USB 3 connections. The dongles typically cost around $10, so it makes sense to buy one and carry it with you in case you ever find yourself in desperate need of power from either a public charging station or a potentially infected computer.

One more point to keep in mind is that many anti-juice jacking methods involve using authorized cables and adaptors. Even if you or your organization isn’t worried about this specific threat, it’s still a good idea to use good charging practices. Cheap, unauthorized or knock-off cables can reduce battery performance and even put devices at risk of being damaged. Bad cables and adaptors also represent a fire risk, so using known, reputable charging cables and adaptors is always a good practice anyway.

The bottom line is that juice jacking is either a rare or currently unpracticed attack that’s brimming with potential for cybercriminals and spies. Because the remedies are so easy and inexpensive and tend to offer other benefits as well, it makes sense to integrate anti-juice jacking measures into your organization’s overall cybersecurity plans.
