The FBI Is Warning About ‘Juice Jacking.’ Are Public Charging Stations Safe?

“We have not received reports of malware being detected in airport USB ports,” says Rob Yingling, a spokesman for the Metropolitan Washington Airports Authority.

Juice jacking is technologically possible

Perhaps the earliest warning came at a 2011 Def Con hackers conference when cybersecurity company Aries Security built a charging kiosk to educate attendees about the risks. In 2013, researchers compromised iPhones using malicious USB ports during a demonstration at the Black Hat cybersecurity conference, and in 2016 researchers confirmed a similar vulnerability in some Samsung Android phones.

But several security experts say they have yet to see the threat at public charging stations.

In contrast, the FBI estimates that another type of data hijacking, credit card skimming, costs consumers and financial institutions more than $1 billion every year. Thieves can steal your credit or debit card information by attaching tough-to-see gadgets on ATMs, gas pumps and other locations where you insert your magnetic card into a machine.

“I got annoyed by the FBI announcement [on juice jacking] because it lacked any evidence that this is a widespread problem, let alone a problem at all,” says Chris Wysopal, cofounder and chief technology officer at the software-integrity firm Veracode in Burlington, Massachusetts. His conversations with other security professionals have yet to surface cases of juice jacking.

Your best defense? Updated software

With up-to-date smartphone software, experts consider the real risk minimal.

“What the attacker is actually doing is exploiting a vulnerability on your phone,” says Melanie Ensign, a security adviser who helps run the Def Con and Enigma security conferences. The vulnerability doesn’t live inside the USB port.

“The most important thing to do is keep your software and firmware updated,” she says. That means the apps that let you find bargains, listen to music, navigate around town, play games or share on social media and the operating system that runs your devices.

The first choice for both Apple’s iOS and Google’s Android operating systems is to use a new Lightning or USB connection only for charging. If you plug an iPhone into a random computer, it will display a dialog asking if you want to trust that device with Don’t Trust highlighted in bold. Android phones show a Charging this device via USB dialog, which you have to tap through to allow file transfers.

The FCC warning gets that right, advising: “If you plug your device into a USB port and a prompt appears asking you to select ‘share data’ or ‘charge only,’ always select ‘charge only.’”

Wysopal offers an additional tip: Lock your phone before you plug it into a public USB port.

“Locking your phone shuts off data over the USB port so that attacks are pretty much impossible,” he says. Turning the phone off completely before charging will also work.

Or you can buy a USB data blocker for about $7. The adapter has pins to transfer only power, not data, on its phone end. Spending a little more will get you a charger with multiple USB ports that works with any power outlet and will top up your battery faster than most public USB stations.

Other issues are more of a concern

It’s important to remember that attackers who want to steal information from random phones don’t need to tamper with faraway chargers or even leave their homes. They can ship “free” apps that quietly collect and share data.

“I still use public USB ports when I need to,” Ensign says, knowing her best defense is updated software. “Consumers have enough things to stress about. This really shouldn’t be one of them.”