What’s worse, your phone running out of power or someone stealing all your data?
For years now, you’ve been told that this is a choice you may face, thanks to something called “juice jacking.” Juice jacking is when someone tampers with a charging station or USB port, allowing it to leach data from your phone or install malware on it while you top off your battery. Starting in April and continuing through the summer, everyone from the FBI to the Huntley, Illinois, police department has been warning the public about juice jacking. It seems like a new, active threat.
There’s just one problem: It’s not. The chances that a phone charge will ruin your life aren’t zero, but they are exceedingly slim. There are no known instances of juice jacking happening beyond proof-of-concept demonstrations. The wave of warnings we’re getting now aren’t from actual attacks, but from previous warnings. Juice jacking is a cybersecurity ouroboros that won’t die.
“Given how many other serious and active security threats there are out there for people to legitimately worry about, it seems to me that the average user should not be worried about this at all,” Brian Krebs, the cybersecurity expert who coined the term “juice jacking,” told Vox.
The world was first introduced to juice jacking in 2011 when a demonstration at the hacking and cybersecurity conference DEF CON showed that it was possible. Brian Markus, co-founder of Aries Security, and another researcher named Robert Rowley, saw that USB charging was a potential vulnerability and built a charging station to prove it. They put the kiosk out on the floor and waited to see who would be lured in by its promises of a free and easy battery charge. More than 360 people, many of them experienced hackers and cybersecurity professionals, plugged their dying phones in without thinking twice. When they did, they were greeted with a notice on the kiosk’s screen warning them not to trust random public charging stations.
“If I can make it happen, and I can dupe hundreds and hundreds of the top professionals around the world into using it, then I think the average citizen around the block is going to fall for it,” Markus said in an interview with Vox.
Juice jacking is possible because of what Universal Serial Bus, or USB, technology was designed to do. One port serves multiple purposes: You can charge or power a device, or transfer data to and from it. If you remember the days of each peripheral needing its own proprietary cord and port, you know how much more convenient this made things. But this also introduced a new attack vector, as Markus identified: Data can be exchanged when you only intend to get power. And, back in 2011, phones automatically opened themselves up to both purposes as soon as they were connected.
Most phone manufacturers have since added a prompt asking the user if they’ll allow data to be exchanged. That’s what that “trust this device” message you get when you plug your phone into a computer is for. (If you plug your phone into something that’s just a power source, you shouldn’t get that message.) If you tap that you don’t trust the device, it can’t exchange data while the phone gets charged. This is, by the way, exactly how these things are supposed to work: Someone points out a vulnerability in technology and its manufacturers or developers figure out a way to fix it.
In the years since that DEF CON demonstration, juice jacking warnings occasionally bubble up, often worded in ways that make it seem as though these nefarious chargers aren’t just a theoretical threat but one that is out in the wild now, with a trail of hacked phones in its wake. Here are several reports from 2013, when USB “condoms” — little dongles that block data from being transferred on USB cords — went on sale. Here are a few alerts in 2016. Another crop of warnings in 2019. And here’s a wave in 2020. These scares are typically accompanied by a lot of media coverage, which rarely (with a few notable exceptions) notes that there are no known reports of these tampered charging stations being found in the world, nor of anyone’s data being stolen or malware put on their devices through them. And yet, the warnings persist.
The latest juice jacking scare cycle began on April 6 with a tweet from the FBI Denver office’s account. “Avoid using free charging stations in airports, hotels or shopping centers,” it said. “Bad actors have figured out ways to use public USB ports to introduce malware and monitoring software onto devices.”
A bunch of states, localities, and the media then put out their own warnings. When the FBI — or just one of its field offices — says something is a threat, people tend to take it seriously. Some of them even described this as a “new” thing, despite it first being identified 12 years ago. For example, the attorney general of Michigan, Dana Nessel, issued a warning that said “hackers will install and hide a skimming device inside the USB ports of the kiosk.” The attorney general’s office told Vox that the warning was prompted by the FBI’s tweet.
“We have not received any complaints specific to ‘juice jacking’ here in Michigan, though a victim may not know how their phone was compromised,” Danny Wimmer, spokesperson for the office, told Vox. That warning set off another flurry of media coverage from local outlets.
And what prompted the FBI Denver office’s tweet? Not a cyberattack, it turns out, but an old warning from the FCC.
“That FBI Denver tweet was a standard PSA-type post, nothing new. It stemmed from this FCC warning,” said Dana M. Plumhoff, spokesperson for the FBI’s Denver office. “This was a general reminder for the American public to stay safe and diligent, especially while traveling.”
You wouldn’t know this if you looked at the FCC’s juice jacking warning now. The agency updated it at the end of April to reflect the increased attention it indirectly caused. But with an updated 2023 timestamp and a new URL, the webpage appears to be an entirely new warning. The FCC was careful to say in this iteration that it’s not aware of any instances of juice jacking, just that it’s theoretically possible.
The FCC didn’t respond to a request for comment on what prompted the 2019 warning, but it appears to be an alert from the Los Angeles County District Attorney’s Office. That office told TechCrunch that it didn’t have any cases of juice jacking, and the warning was part of a consumer education campaign. The spokesperson did say they knew of cases of this happening on “the east coast,” but was unable to provide any more details than that when pressed.
So, why does this keep coming up? Well, it’s about something most of us have done — charged our phones in a public place — and never thought twice about. It sounds plausible because it is, especially if you’re thinking about other, similar, very real and active examples of criminals using public devices to steal from you, like credit card skimmers. It feels like something anyone could fall for, and the consequences can be devastating.
Here’s the good news: Most — though not all — phones out there have that trust warning. Phone batteries have also gotten better over the years, increasing the length of time you need between charges. But maybe you have an old phone, or your phone’s operating system doesn’t have this warning. Maybe you don’t trust yourself not to tap the “trust” button by mistake when it pops up.
Or maybe you just aren’t comfortable with even the theoretical possibility that this could happen. After all, just because it doesn’t seem to have happened yet in the 12 years since it first came to the public’s attention doesn’t mean it never will. Markus says it’s relatively simple to create a seemingly legitimate charging station and place it in a high-traffic area where a lot of people are likely to be trying to charge their phones. Then, all a hacker would have to do is sit back and wait for victims.
“It is still an active risk,” Markus said. “I personally believe that charging ports at the airports are susceptible.”
With that in mind, if you’re inclined to be extra cautious, there are a few easy things you can do to protect yourself.
- Don’t use a charging station: Obviously. But when your battery is running low and you’re not getting back to a trusted charger any time soon, that’s not a big help. So …
- Bring an external battery with you: You won’t have to plug your phone in for a charge if you’ve got your own supply.
- Don’t charge through a USB port: The USB ports are the threat here. Old-fashioned electrical sockets are secure. Bring your own cord that plugs into the wall for power without worry.
- Use a charging cord you trust: Hackers have also figured out how to steal your data through certain USB charging cables, although this threat appears to be as theoretical as juice jacking. Still, if you’ve come this far and you’re this worried about insecure USBs, you might as well go all the way.
- Buy a condom for your USB cord: Yes, these exist. They make it technologically impossible to transfer data, and they’re pretty small and easy to carry around. Just make sure you’re buying a known brand from a reputable place.