The Federal Bureau of Investigation (FBI) in the United States recently warned consumers against using USB ports for charging in public spaces such as airports, malls, and hotels, as attackers can “juice jack” data or insert malware into one’s phone or device for theft.
While the public service announcement released on Twitter was meant for Americans, many other countries, like the Philippines, also have public establishments with free charging stations as emergency assistance to consumers. The threat of a juice jack attack exists everywhere people plug their devices into untrusted ports, like in public charging stations.
Sean Duca, Vice President, and Regional Chief Security Officer for Asia Pacific & Japan at Palo Alto Network shared, “We should always remember that nothing in the world is free. Trusting public charging kiosks with your smartphone carries a significant risk of personal information being retrieved or downloaded without your consent.”
The recipe for a juice jack attack
A USB (universal serial bus) cable is the key ingredient in a juice jack attack. USB cables are designed with two wires for data transfer and power, respectively. Juice jacking happens when malicious actors embed malware into charging stations and activate data transfer through USB cables to infect connecting devices.
The malware, now on the connected device, can then use seemingly normal notifications to trick people into giving it access. Examples include an app asking permission to access files similar to what social media platforms do or operating systems requiring users to authorize a new update. If not given focus, users could simply allow these requests without considering the risks of such a stealthy threat.
Once access is granted, the situation resorts to the classic scenario of attackers being able to crawl into the victim’s files and applications to collect sensitive information, including bank account credentials or credit card details, to steal data or money.
Resisting juice jacking
What’s the juice to countering a juice jack attack? Duca points back to the power of controlling access within one’s device. “Malware requires a user’s permission, much like any other app on your phone, before it can actually infect a device. The users are the last gate to keeping malware away, so it’s really important for them to think before they click and challenge why an app would request access to your personal information.”
He elaborated further that many mobile apps request access to a user’s data on a device, claiming that doing so will allow users to enjoy the app to its fullest potential. With this being the norm today, users tend to grant permission without considering the risks.
“Public charging stations also carry the threat of malware infection and data theft, similar to the dangers of public Wi-Fi networks. As a mobile-savvy nation, Filipinos need to be prepared to handle this risk by questioning whether we can trust our data with another device and understanding how it can be misused from the get-go,” he concluded.