The FBI warns of juicejacking and other risks of public tech.
Apr 13, 2023

The FBI is warning against using public charging stations for fear of “juicejacking”: the introduction of malware via those ports.

The Federal Bureau of Investigation’s (FBI) Denver office is warning against “juicejacking,” or the criminal use of public charging stations to introduce malware onto a device.

The potential capabilities of juicejackers.

CBS News reports that the FBI has advised against the use of public charging stations. No incident in particular triggered the service announcement. Rather, it was intended as a field office warning. Officials at the Federal Communications Commission (FCC) warn that malware can be distributed through corrupted ports, such as those at malls and airports, and that such malware has the potential to, for example, lock a device, or exfiltrate “personal data, and passwords directly to a criminal.” The data lifted can be used to access online accounts or sold in criminal marketplaces. Matt Swinder, editor-in-chief and founder of TheShortcut.com, told CBS that "The scary part of juice jacking is that you probably won't even be able to tell that your phone is infected with malware after plugging it into a compromised USB port.” A Honeywell Forge report CBS cites notes that USB-based threats rose by 52% over four years.

But fears of juicejacking may be exaggerated.

Swinder said, however, that credit card skimming is a much more pervasive threat than juicejacking, saying, "You're much more likely to have your credit card skimmed than be juice jacked, based on the lack of hard evidence of widespread cases. As rare as juice jacking is right now, the threats of identity theft have migrated from being purely physical to being primarily digital over the last decade." Graham Cluley shared his thoughts on the matter, doubting the existence of these threats and asking whether they have ever actually occurred. He also notes that fear-based stories of juicejacking are nothing new. Bruce Schneier likewise remains noncommittal about the threat, but shares that he does use a “USB condom” (a USB data blocker) when using public charging stations.

Experts weigh in on the threat.

Andy Thompson, Research, CyberArk, believes that juicejacking is not a priority and that other, more pressing matters should be the focus:

“Juice jacking was first introduced to me in 2011 at Defcon, where it was presented much more as a ‘proof of concept’ than a viable attack method. It happens very rarely - if at all - in the wild, but it’s important that law enforcement keeps cyberthreats top of mind for the public. You can mitigate your chances of juice jacking by using USB Data Blockers (available for under $10 on Amazon) or bringing your own charging cables.

"That said, there are much bigger cybersecurity issues that should be given more focus, such as strong password management and multi-factor authentication (MFA). It is important to keep things in perspective and prioritize larger cybersecurity issues that we face today.”

Matt Wiseman, Sr. Product Manager at OPSWAT, reminds those traveling not to use public ports, and shares best practices to mitigate against juicejacking:

“According to the FBI, if you connect your phone or iPad to a public charging station that has been tampered with and infected with malware, it could potentially lock your device or allow criminals to obtain sensitive information, including passwords, addresses, banking details, and even a complete backup of your phone.  

"The FBI’s recent tweet about using free charging stations at airports, hotels and shopping centers serves as an important reminder – for both consumers and businesses alike – of how important it is to not plug in any sort of portable media or USB without first checking and validating it (this includes your cell phone). As business travel rises to pre-COVID rates again, it is especially important for companies to remind employees about the security risks of inserting or plugging in any type of portable media or connected cables – especially when corporate data and devices are involved. Here are a few best practices companies can do to mitigate “juice jacking” and other risks that portable media pose:  

"Security awareness: Malicious actors can weaponize USB charging cables, so if you use an unknown cable, you can be at risk. Also, if you use a USB port for power, people can tamper with the internals of the USB and implant devices that can work to distribute malware. USB Data Blockers are a great way to charge devices by only allowing power through. It is always best to be aware of where your hardware devices have come from and who has had access to them.  

"Control and limit the types of portable media that are permitted. USB storage media and USB cables can be a common, everyday item, but they pose a major security risk. By controlling and limiting the types of connected portable media, businesses can reduce the risk of portable media threats. For organizations that rely on portable media or cables to transfer data, it is best to invest in a security solution that can scan, validate and secure the content being transferred. We need to ensure that the media itself is free from malware, while also checking the device for any sort of threats as well.”

(Added, 8:45 PM ET, April 13th, 2023. Josh Pauli, Ph.D., Department Head of Cyber, Intel, and Info Operations, College of Applied Sci & Tech at The University of Arizona, wrote to offer a useful question-and-answer primer on charging stations and the risks that may attend them. One might ask, first, how charging stations work, and whether they themselves are computing systems. "Every charging station is different, but the critical thing to realize is users have little way of knowing what they are plugging a phone into," Dr. Pauli says, and that lack of transparency should give users pause. "Most of these kiosks are designed to be just cords or ports available for public use with no visibility into the system those cords and ports ultimately connect to. Some kiosks are just pass-through power stations, while others may be connected to a much more complex system that has all the functionality of the computers we use every day. The point is we don’t know when we walk up to a kiosk what our phones are ultimately connecting to, and that’s where the risk occurs."

How, then, might a public charging station be compromised?  "This is an attack that has been around for almost a decade after gaining traction in the hacker community at DEF CON. The 'Wall of Sheep' did a great demo of this exact topic!" he writes. "There are numerous theoretical attack vectors, but the two that users need to be most aware of are: 1) malware that has been loaded onto the computer system that your phone ultimately connects to at a kiosk, and 2) malware that has been loaded onto a USB cord that is available at a kiosk. In either instance, a user’s phone is infected with malware when connected or when allowing data to be transferred."

Is there a particular risk that such stations might pose to enterprises that allow employees to work remotely, or to bring their own device? In Dr. Pauli's view, probably not. "This attack isn’t specific to remote workers or workers using their own devices. At a more macro level, this attack isn’t even specific to employees, as the risk is the same for any device user. Consider users who conduct enterprise activities, such as email or financial transactions, from a personal or enterprise-issued device and choose to use these kiosks. That’s the same risk as a person using a phone to log into a social network or make online purchases who plugs in next to you at the same kiosk. The bottom line: all sorts of users using all sorts of devices for all sorts of reasons are susceptible to the same risk with this attack."

So given the risk, what's the solution for safe charging? "Take matters into your own hands, literally," he says. There's some readily available hardware that can mitigate the risk. "Pack a plug-in and cord to use in a standard electrical plug-in. Likewise, consider packing a battery pack ('power bank') and a charging cord, and don’t rely on any external resources. You can also use a 'charge only' cord if you must use a power source like a public kiosk. You should also be aware of any odd behavior on your device while plugged into these kiosks. Read any prompts from your device before clicking “accept” or “continue,” as most devices will ask for permission before sending data to an external destination.")

(Added, 9:00 PM ET, April 13th, 2023. Thomas Pace, CEO of NetRise, agrees with the FBI Denver office that there's a risk here. "They [that is, the criminals] are likely setting up fraudulent charging stations or replacing components of legitimate ones where possible. They could also be adding additional components similar to a skimmer on an ATM machine. This is not a WFH/BYOD problem, people can also charge their corporate assets using these stations such as iPads or even laptops. However, if corporate email and other services are running on these devices then this can cause problems for the enterprise if they are compromised." And he too sees the possibility of mitigating risk with the right hardware accessories. "You can carry your own chargers with you as one solution. You can also carry data blockers which are funny enough also called USB condoms. This prevents the data side of the charging station from working and only allows the device to charge, but not transfer data in either direction.")