Javascript is not enabled.

Javascript must be enabled to use this site. Please enable Javascript in your browser and try again.

Skip to content
Content starts here
CLOSE ×

Search

Leaving AARP.org Website

You are now leaving AARP.org and going to a website that is not operated by AARP. A different privacy policy and terms of service will apply.

The FBI Is Warning About ‘Juice Jacking.’ Are Public Charging Stations Safe?

You can easily protect your smartphone, other devices from malware that’s not widespread


spinner image A man plugging a charger into a USB port in a public place
GETTY IMAGES

If you’ve ever been anxious about your phone running out of battery power in an airport, recent advisories from two government agencies added to the concerns: Using a public USB charging port could get your device hacked, they said.

“Avoid using free charging stations in airports, hotels or shopping centers,” the FBI’s Denver field office tweeted April 6, an echo of a news release from the FBI’s Portland, Oregon, office in November 2020. “Bad actors have figured out ways to use public USB ports to introduce malware and monitoring software onto devices.”

spinner image Image Alt Attribute

AARP Membership

Join AARP for $12 for your first year when you sign up for Automatic Renewal. Get instant access to members-only products and hundreds of discounts, a free second membership, and a subscription to AARP The Magazine

Join Now

The Federal Communications Commission followed April 11 with an update of its 2019 advisory. 

“If your battery is running low, be aware [of] juicing up your electronic device at free USB port charging stations,” the notice says. “You could become a victim of ‘juice jacking,’ yet another cybertheft tactic.”

What is juice jacking?

Like carjacking and skyjacking before it, juice jacking is a catchy phrase that plays on words — juice as the slang for battery power and jacking for hijacking. The concern is you could unknowingly download malicious software that can siphon off your files and passwords or lock a device until you’re forced to buy a bogus cure for the problem.  

The alliterative juice-jacking label prompted myriad media outlets to jump on the story, many without noticing that something was missing in the agencies’ warnings: actual case counts or complaints.

Asked if its April 6 warning came from knowledge of a specific threat, the FBI’s public affairs office calls it “a general reminder for the American public to stay safe and diligent, especially while traveling.”

The FCC also can’t point to new information or document cases of juice jacking. Nor can the agency that runs the capital’s Ronald Reagan Washington National Airport and Washington Dulles International Airport.

“We have not received reports of malware being detected in airport USB ports,” says Rob Yingling, a spokesman for the Metropolitan Washington Airports Authority.

Juice jacking is technologically possible

Perhaps the earliest warning came at a 2011 Def Con hackers conference when cybersecurity company Aries Security built a charging kiosk to educate attendees about the risks. In 2013, researchers compromised iPhones using malicious USB ports during a demonstration at the Black Hat cybersecurity conference, and in 2016 researchers confirmed a similar vulnerability in some Samsung Android phones.

Technology & Wireless

Consumer Cellular

5% off monthly fees and 30% off accessories

See more Technology & Wireless offers >

But several security experts say they have yet to see the threat at public charging stations.

In contrast, the FBI estimates that another type of data hijacking, credit card skimming, costs consumers and financial institutions more than $1 billion every year. Thieves can steal your credit or debit card information by attaching tough-to-see gadgets on ATMs, gas pumps and other locations where you insert your magnetic card into a machine.

“I got annoyed by the FBI announcement [on juice jacking] because it lacked any evidence that this is a widespread problem, let alone a problem at all,” says Chris Wysopal, cofounder and chief technology officer at the software-integrity firm Veracode in Burlington, Massachusetts. His conversations with other security professionals have yet to surface cases of juice jacking.

Your best defense? Updated software

With up-to-date smartphone software, experts consider the real risk minimal.

“What the attacker is actually doing is exploiting a vulnerability on your phone,” says Melanie Ensign, a security adviser who helps run the Def Con and Enigma security conferences. The vulnerability doesn’t live inside the USB port.

7 ways to keep your electronics safe from juice jacking

1. Tote your own charging cables.

2. Plug your own charger into an electrical outlet.

3. Carry a backup battery pack.

4. Keep your operating system and apps up to date.

5. Lock your phone or turn it off before plugging it in at a public charging station.

6. Don’t allow your device to share data while charging.

7. Consider using a USB data blocker cable if you need a public charging station.

“The most important thing to do is keep your software and firmware updated,” she says. That means the apps that let you find bargainslisten to musicnavigate around town, play games or share on social media and the operating system that runs your devices.

The first choice for both Apple’s iOS and Google’s Android operating systems is to use a new Lightning or USB connection only for charging. If you plug an iPhone into a random computer, it will display a dialog asking if you want to trust that device with Don’t Trust highlighted in bold. Android phones show a Charging this device via USB dialog, which you have to tap through to allow file transfers.

spinner image membership-card-w-shadow-192x134

Get instant access to members-only products and hundreds of discounts, a free second membership, and a subscription to AARP The Magazine.

The FCC warning gets that right, advising: “If you plug your device into a USB port and a prompt appears asking you to select ‘share data’ or ‘charge only,’ always select ‘charge only.’”

Wysopal offers an additional tip: Lock your phone before you plug it into a public USB port.

“Locking your phone shuts off data over the USB port so that attacks are pretty much impossible,” he says. Turning the phone off completely before charging will also work.

Or you can buy a USB data blocker for about $7. The adapter has pins to transfer only power, not data, on its phone end. Spending a little more will get you a charger with multiple USB ports that works with any power outlet and will top up your battery faster than most public USB stations.

Other issues are more of a concern

It’s important to remember that attackers who want to steal information from random phones don’t need to tamper with faraway chargers or even leave their homes. They can ship “free” apps that quietly collect and share data.

“I still use public USB ports when I need to,” Ensign says, knowing her best defense is updated software. “Consumers have enough things to stress about. This really shouldn’t be one of them.”

Discover AARP Members Only Access

Join AARP to Continue

Already a Member?