When your battery is dying then your mobile phone has a requirement of recharging yet again and you are away from the charger at home. Then the public charging facility is the only easy way to recharge, just plug in your mobile phone and get the energy you seek. What’s gonna be wrong, right? Now I’m going to describe briefly What Is Juice Jacking, the harmfulness of it & how to avoid it.
What Is Juice Jacking?
Anyway the modern smartphone you have that could be an Android device, iPhone, or BlackBerry, there is one common facility in all phones that is the power supply and the data transfer with the same cable. Whether it could be the standard USB mini B connection or Apple’s proprietary cables, there is the same situation: the cable which is used for recharging the battery in your smartphone is the same cable you use to transfer and sync your data.
The power/data cable that you see in public charging stations, provides unauthorized access to hackers during the charging process; leveraging illegal access to get your personal information taken away. This is called Juice Jacking – one type of cyber attack which begins from a USB charging port installed at public places such as airports, cafes, bus stands, etc. When the phone is plugged-in and the connection is done, it either installs malware or privately transcripts personal data from a mobile phone, tablet, or any other computer device.
This hacking could be so easy like extracting all your contact details, private information & pictures, or can be an incursive attack by injecting malicious code directly into your device which can copy all your passwords of financial data.
How does juice jacking work?
A USB port is mostly used as a medium for data transfer. A regular USB connector has five pins. Among them, only one is required to charge the device & two of the other pins are used for data transfers.
As we all use USB ports for charging our devices, as usual, we open up the files transferring option between devices. Here the hackers use off-the-shelf hardware that gets installed on the charging port of public charging stations. These are specifically designed to break the security and get access to connected devices information as soon as the connection is established. And you can lose all your data without even knowing about it.
What Is Juice Jacking & How Worried Should I Be?
We’re anything but alarmist here at How-To Geek, and we always give it to you straight: currently, juice jacking is an exceedingly theoretical threat, and the chances that the USB charging ports in the kiosk at your local airport are a secret front for a data siphoning and malware-injecting computer are very low. This doesn’t mean, however, that you should just jerk your shoulders and promptly forget about the very real security risk that plugging your smartphone or tablet into an unknown device poses.
Several years ago, when the Firefox extension Firesheep was the talk of the town in security circles, it was precisely the largely theoretical but still very real threat of a simple browser extension allowing users to hijack the web-service user sessions of other users on the local Wi-Fi node that led to significant changes. End users started taking their browsing session security more seriously (using techniques like tunneling through their home internet connections or connecting to VPNs) and major internet companies made major security changes (such as encrypting the entire browser session and not just the login).
In precisely this fashion, making users aware of the threat of juice jacking both decreases the chance that people will be juice jacked and increases pressure on companies to better manage their security practices (it’s great, for example, that your iOS device pairs so easily and makes your user experience smooth, but the implications of lifetime pairing with 100% trust in the paired device are quite serious).
Types of juice jacking
There are two ways juice jacking could work:
- Data theft: When your phone is charging, data is stolen from the connected device.
- Malware installation: When the connection is built, malware is injected into the connected device. The malware remains on the device until it is detected and removed by the user.
In the first type of juice jacking attack, cybercriminals could steal all data from mobile devices connected to charging stations through their USB ports. But no hoodie-wearing hacker is sitting behind the controls of the kiosk. So how would they get all your data from your phone to the charging station to their servers? And if you charge for only a couple of minutes, does that save you from losing everything?
Don’t mistake, data theft can be fully automated. A cybercriminal could break an unsecured kiosk using malware, then drop an additional payload that steals information from connected devices. Some crawlers can search your phone for personally identifiable information (PII), account credentials, banking-related, or credit card data in seconds. Many malicious apps can clone all of one phone’s data to another phone, using a Windows or Mac computer as a middleman. So, if that’s what hiding on the other end of the USB port, a threat actor could get all they need to impersonate you.
Cybercriminals are not necessarily targeting specific, high-profile users for data theft, either—through a threat actor would be extremely happy (and lucky) to fool a potential executive or government target into using a rigged charging station. However, the chances of that happening are rather slim. Instead, hackers know that our mobile devices store a lot of PII, which can be sold on the dark web for profit or re-used in social engineering campaigns.
The second type of juice jacking attack would be done by installing malware into a user’s device through the same USB cable. This time, data theft isn’t always the end goal, though it often takes place in the service of other criminal activities. If threat actors were to steal data through malware installed on a mobile device, it wouldn’t happen upon USB connection but instead, take place over time. This way, hackers could gather more and varied data, such as GPS locations, purchases made, social media interactions, photos, call logs, and other ongoing processes.
There are multiple categories of malware that cybercriminals could use while juice jacking, including adware, cryptominers, ransomware, spyware, or Trojans. Android malware nowadays is as versatile as malware addressed at Windows systems. While cryptominers mine a mobile phone’s CPU/GPU for cryptocurrency and drain its battery, ransomware freezes devices or encrypts files for ransom. Spyware allows for long term monitoring and tracking of a target, and Trojans can hide in the background and serve up any number of other infections at will.
Most of today’s malware is designed to hide from sight so that users could be infected for a long time and not know it. Symptoms of a mobile phone infection include a quickly-draining battery life, random icons appearing on your screen of apps you didn’t download, advertisements popping up in browsers or notification centers, or an unusually large cell phone bill. But sometimes infections leave no trace at all, which means prevention is all the more important.
What Is Juice Jacking & How can I protect my data from Juice Jacking?
Although juice jacking isn’t as comprehensive as outright phone theft or exposure to malicious viruses via compromised downloads, you should still take common-sense precautions to avoid disclosure to systems that may malicious access your devices.
The most obvious precautions center around simply making it unnecessary to charge your phone using a third-party system:
Keep your devices fully charged: This is the most obvious precaution. Make it a practice to charge your phone before you go outside. Try and reduce the example of a low battery while you are traveling. Charge it fully before you step out.
Carry a Personal Charger: Chargers have become so small and lightweight that they just take up more than the actual USB cable they attach to. Throw a charger in your bag so you can charge your phone and maintain control over the data port.
Carry a Backup Battery: Alternatively, you can carry a full spare battery (for devices that allow you to physically swap the battery) or an external reserve battery (like this tiny 2600mAh one), you can go longer without needing to tether your phone to a kiosk or wall outlet.
In addition to ensuring your phone maintains a full battery, there are additional software techniques you can use (although, as you can imagine, these are less than ideal and not guaranteed to work given the constantly evolving arms race of security exploits). As such, we can’t truly endorse any of these techniques as truly effective, but they are certainly more effective than doing nothing.
Lock Your Phone: When your phone is locked, I mean truly locked and inaccessible without the input of a PIN or an equivalent passcode, it cannot be paired with any device. Be cautious not to use your face/fingerprint id for even a second since pairing can happen within a flick of a second. So you have to make sure that the phone is locked and don’t unlock it while it is in the charging station.
Switch off or Power the phone down: This technique only works on few mobile models as some phones, despite being powered down, still powers on the entire USB circuit and allows access to the flash storage in the device. Hence, this may not be an optimum solution always.
Use a USB condom: It is a device that goes between your normal data charging cable and a USB port to block data transfer through the connection. USB condoms are adapters that allow power transfers but don’t connect the data transfer pins. You can attach them to your charging cable as “always-on” protection.
Use specialized cables: You can buy a special USB cable that doesn’t have pin-out connections for pins 3 and 2. Therefore it’s impossible to transmit data across the connection. There are companies which make such kind of cables for iPhone, Samsung, HTC, Google, etc. These cables are meant for charging only and prevents data from being transferred anywhere.
Disable Pairing (Jailbroken iOS Devices Only): Jonathan Zdziarski, mentioned earlier in the article, released a small application for jailbroken iOS devices that allows the end-user to control the pairing behavior of the device. You can find his application, PairLock, in the Cydia Store and here.
Conclusion – What Is Juice Jacking!
Finally, the best protection against an endangered mobile device is awareness. Keep your device charged, enable the security features in-built in your system (knowing that they aren’t foolproof and every security system can be exploited), and avoid plugging your phone into unknown charging stations and computers the same way you wisely avoid opening attachments from unknown senders.