Juice Jacking: How to Protect Your Devices


http://www.groovypost.com/

If you’re killing time at the mall or the airport, you may have noticed those free charging stations. These are the kiosks with open USB ports next to an outlet for you to plug in your charging cable. Or they might even have dangling charging cables ready for your phone’s charging port. For those with a tiny sliver of battery left and a long layover, these can seem like fantastically generous boons from the airport gods.

But think about it for a minute.

This is your smartphone. It has all your photos, your contacts, your messages, your passwords and personal data on it. Do you really want to be sticking any old cable into its data port?

Hackers and infosec experts have proven that it’s possible to hijack a public charging station with a malicious device. You’ve heard of credit card skimming at the gas pump, right? This is the mobile tech equivalent. What might seem like a benign, generic USB port or charging cable may be attached to a tiny device that installs malware on your phone, or steals data off of your phone.

Do people really hack phone charging kiosks?

 

There haven't been any recent reports of an actual case of so-called “juice jacking.” But the concept has been proven in the past decade by security researchers. Most recently, a demonstration at DEF CON last August showed that a phone’s camera could be hijacked via a USB charging station in disguise (“video jacking”). And, like credit card skimming, most cases of hacking or unauthorized smartphone access go undetected.

So, yes, juice jacking is real.

How vulnerable is my phone?

 

The good news is that the mobile phone developers have been working on the issue and phones are more secure now. As you’ve undoubtedly noticed, Apple devices like your iPhone and your iPad now give you the “Trust this computer?” dialog whenever you plug your phone into a new computer or device. In theory, if you say, “don’t trust,” whichever device you are connecting to shouldn’t have access to your data. Android phones also have similar security and authentication features.

If you're plugging into a charging station that is for power only (like when you plug into the wall with your AC adapter), then you shouldn’t be prompted to “Trust this computer.” If you do plug into a public charging station and get that prompt, it’s a big red flag. Unplug your phone and let those around you know something isn’t right.

What can I do to prevent juice jacking?

 

There are a few ways to safely charge your phone in public.

Just because theoretical attacks can be launched over a hijacked public charging station doesn’t mean you have to forgo the convenience. In addition to keeping an eye out for the “Trust this computer?” prompt, there are other precautions you can take. It’s always best to have layers of protection—clever hackers may be able to circumvent the trusted device authentication.

  1. Bring your own charger. Toss a power supply or AC adapter into your purse or briefcase and use that instead. Since it’s your device, you can be sure that you’ll only be getting power out of it. Plus, you can plug into any AC outlet you want.
  2. Get a power-only USB cable. On a USB connector, there are certain pins that transmit power, and there are certain pins that transmit data. In the pinout diagram below, pins 3 and 2 are for data. Pin 1 is for 5 Vdc power.

That means you can buy a special USB cable that simply doesn’t have pinout connections for pins 3 and 2. Therefore it’s impossible to transmit data across it. PortaPow sells a power-only iPhone charging cable for about $7. The same company makes a micro USB cable for charging-only that will work on Samsung, HTC, and Google phones. These cables will only charge your phone and will prevent data from being transferred across them.

  3. Use a USB condom. A company called Syncstop makes a device that goes between your normal data charging cable and a USB port and blocks data from being transmitted. It’s roughly the same price as a power-only cable. You can get the original USB condom on Amazon for about $7. Syncstop also sells cased Syncstop devices in bulk on their website. You can get them laser-engraved for your company or as tech promotional swag.

PortaPow sells their own take on a USB condom for about the same price: the PortaPow Fast Charge + Data Block USB Adaptor with SmartCharge Chip.

  4. Get a portable power bank. This is pricier than the above options, but more convenient. A power bank is basically a rechargeable battery with a USB plug in it. You can plug in wherever you are without being chained to the wall. You can buy portable power banks online for about $15 to $30 (depending on capacity).

If you are careful, you can significantly reduce your vulnerability. Not only that, some of the solutions—like a fast charging cable or a portable power bank—come in handy for more than one reason.



Do you have specific topics you would like to see covered in Tech Tips? Email any suggestions to communications@ficpa.org.