Why you shouldn’t charge your phone at a public USB port
Here's what the FBI is sharing about a hacking technique called "juice jacking."
Public USB ports seem like a convenient way to charge your phone. But, as the FBI’s Denver field office recently tweeted, they may not be safe. With a technique called “juice jacking,” hackers can use public USB ports to install malware and monitoring software on your devices. Theoretically, the kind of tools that can be installed this way can allow hackers to access the contents of your smartphone and steal your passwords, so they can do things like commit identity theft, transfer money from your bank account, or simply sell your information on the dark web.
While “juice jacking” is just one of the ways that USB devices can spread malware, it’s a particularly insidious technique as you don’t need to be targeted directly. Just plugging your smartphone into a USB port in an airport, hotel, shopping center, or any other public location could be enough for your data to get stolen. According to the FCC, criminals can load malware directly onto public USB charging stations, which means that literally any USB port could be compromised. While any given bad actor’s ability to do this likely depends on the particular kind of charging port and what software it runs, it’s also possible that criminals could install an already-hacked charging station—particularly if they have the assistance of someone who works there.
In other words, there is no way guarantee that a public USB port hasn’t been hacked, so the safest option is to assume that they all come with potential dangers. And it’s not just ports—free or unattended USB cables could also be used to install malware.
The issue lies with the USB standard itself. As The Washington Post explains, USB-A cables (the standard one) have four pins—two for power transfer and two for data transfer. Plugging your smartphone into a USB port using a regular USB potentially means connecting it directly to a device that can transfer data to or from it. And although the Post cites an expert saying that he recommends using newer devices that charge over USB-C, even they are not immune to juice jacking attacks. (Nor for that matter are iPhones that charge over a lightning cable.)
Software engineers for both Android and iOS devices have taken some steps to mitigate the risk of having user data stolen or malware installed over public USB ports. However, our coverage of all the various “zero day” attacks (or previously undiscovered vulnerabilities) should be enough to convince you that even keeping your smartphone up to date with all the latest security patches may not be sufficient to protect you against every new and emerging threat.
So what can you do? Well, the simplest option is to just bring your own charging cable and wall plug. Unless you are the target of an Ocean’s 11-worth heist, it is highly unlikely that your personal charging cable or plug is compromised. Just make sure to plug directly into an AC power outlet, and not a USB outlet.
If you’re traveling internationally and aren’t sure about what sort of plugs you will have access to, a USB battery pack and your own charging cable would be good to have handy. You can also charge directly from other personal devices like a laptop.
There are power-only USB cables and devices called “USB condoms” that block all USB data transfer, but they’re likely a less ideal options, purely because you need to remember to bring a special cable rather than your standard USB cable.
And if you do absolutely have to connect to a public USB port, keep a close eye on your smartphone. If you get a popup asking if you trust the device, saying you have connected to a hard drive, or notice any kind of strange behavior, disconnect it immediately. Though seriously—your best bet is to just bring your own charger.