29 Aug 2024, by Slade Baylis
Most people these days are aware that public WIFI is something to be wary of, which is great, as it can potentially be the first step hackers use to break into your devices and accounts. Perhaps driven by all the advertisements online from different VPN providers, which eagerly warn about the dangers of logging into your accounts over unencrypted networks, people now look at these “free” public services with due levels of caution. However, the lesson that should be learnt here is that it's not just "public WIFI" that is a potential threat, but that “anything public” can be.
Even as far back as 2011, the U.S. Department of Homeland Security was aware of this threat and ran a test to see how hard it would be for hackers to gain access to their systems [1]. In the test, staff secretly dropped CDs and USBs in the parking lots of government buildings and private contractors. The goal was to see how likely it was that staff would find these and connect them to their devices, which would be the only thing needed for a malicious actor to gain access.
Of those who found the CDs and USBs, up to 60 percent proceeded to use them on their office computers, curious to find out what they contained. The test then went further, placing official logos on some of the media, and found that with this small change the odds increased all the way up to 90 percent!
Nowadays, something that is growing ever more in popularity is the use of public charging stations - which can be very useful for those who find their phones dying whilst on the move. However, in much the same way as you shouldn’t connect a random USB to your computer, connecting your phone to an untrusted charging service could leave you vulnerable to a compromise known as “Juice Jacking”.
Juice jacking is a term that was coined back in 2011 by an investigative reporter named Brian Krebs [2], who was the first to report on this type of attack after seeing it demonstrated at DEFCON 19. DEFCON is a hacking conference held annually in Las Vegas, attended by cybersecurity professionals, journalists, lawyers, US federal employees, researchers, and anyone with an interest in all things capable of being hacked!
At DEFCON 19, a public charging kiosk was set up for attendees to use. When users connected their smartphones to it, a screen displayed a message warning them not to connect to public charging stations.
The message read:
“You should not trust public kiosks with your smart phone. Information can be retrieved or downloaded without your consent. Luckily for you, this station has taken the ethical route and your data is safe. Enjoy the free charge!”
In fact, it’s actually worse than that. Not only is the data on the device at risk when connected to unsecured charging stations, but malware could potentially be installed that could spread to other devices that you connect your phone to in the future - making it a potential beach-head for a much larger breach.
In terms of attacks seen “out in the wild” – which refers to attacks seen in actual use by malicious actors – there are few if any confirmed cases where it has actually been used. That being said, back in 2019, the University of Technology in Sydney warned students about the risk of juice jacking after those students reported that their devices were infected with malware after using public charging stations on campus. As recently as 2023, the FBI [3] also issued a warning to consumers urging them to avoid using public phone charging stations, stating that bad actors had figured out ways to use them to introduce malware and monitoring software on devices.
Whilst it’s hard to tell if your phone has been compromised, there are a few signs that may indicate you have been hacked.
Some of these signs include:
One problem with the above signs is that each of them can also be explained by other factors, such as the phone aging and starting to fail. That’s why we recommend using one of the many reputable Antivirus or EDR tools for your mobile if you suspect you may have been compromised.
Protecting yourself from juice jacking is relatively straightforward, simply requiring that you don’t connect your phone to any other device or service that you don’t completely trust. However, needing to charge on-the-go is still going to be a requirement for most of us, so we highly recommend planning ahead and bringing your own portable battery pack.
For those that still find themselves without a battery – or for those that consistently find themselves with spare batteries that are also running low on charge - there are actually ways that you can use public charging stations without exposing yourself to attack. Small USB adapter data blockers (aka “juice-jack defenders”) are available that allow you to block the transfer of data over USB cables [4], allowing only power to pass through to your device. These adapters allow you to connect to otherwise untrusted charging services without as much worry over whether they could compromise your phone.
Even when purchasing those adapters, though, it's still very important to make sure any device you use is purchased from a reputable supplier. Another common cyberattack is to sell cheap USB cables and devices online that are themselves preloaded with malware or hardware meant to spy on you.
Overall, our recommendation is to avoid connecting your phone to anything you don’t have complete trust in. Forward preparation and planning - through buying portable battery packs from a supplier you trust, as well as making sure that these are pre-charged and ready to use when you need them - is the best way to make sure that you aren’t exposing your device and your data to unknown third parties.
If you have any questions about juice jacking, other USB-based threats, or just want to chat about how you can improve your security more generally, let us know! We’re happy to have a chat about your needs specifically and provide recommendations about how to improve things.
You can reach us via email at sales@micron21.com or via phone on 1300 769 972 (Option #1).