Aurich Lawson | Getty Images
Federal authorities, tech pundits, and news outlets want you to be on the lookout for a scary cyberattack that can hack your phone when you do nothing more than plug it into a public charging station. These warnings of “juice jacking,” as the threat has come to be known, have been circulating for more than a decade.
Earlier this month, though, juice jacking fears hit a new high when the FBI and Federal Communications Commission issued new, baseless warnings that generated ominous-sounding news reports from hundreds of outlets. NPR reported that the crime is “becoming more prevalent, possibly due to the increase in travel.” The Washington Post said it’s a “significant privacy hazard” that can identify loaded webpages in less than 10 seconds. CNN warned that just by plugging into a malicious charger, “your device is now infected.” And a Fortune headline admonished readers: “Don’t let a free USB charge drain your bank account.”
The Halley’s Comet of cybersecurity scares
The scenario for juice jacking looks something like this: A hacker sets up equipment at an airport, shopping mall, or hotel. The equipment mimics the look and functions of normal charging stations, which allow people to recharge their mobile phones when they’re low on power. Unbeknownst to the users, the charging station surreptitiously sends commands over the charging cord’s USB or Lightning connector and steals contacts and emails, installs malware, and does all kinds of other nefarious things.
“Malware installed through a corrupted USB port can lock a device or export personal data and passwords directly to the perpetrator,” the FCC warned earlier this month. “Criminals can then use that information to access online accounts or sell it to other bad actors. In some cases, criminals may have intentionally left cables plugged in at charging stations. There have even been reports of infected cables being given away as promotional gifts.”
A few days earlier, the FBI’s Denver field office issued its own juice jacking alert, writing in part, “Bad actors have figured out ways to use public USB ports to introduce malware and monitoring software onto devices.” Not to be outdone, Michigan Attorney General Dana Nessel said juice jacking “is yet another nefarious way bad actors have discovered that allows them to steal and profit from what doesn’t belong to them.”
Contrary to the government communications, the vast majority of cybersecurity experts do not warn that juice jacking is a threat unless you’re a target of nation-state hackers. There are no documented cases of juice jacking ever taking place in the wild. Left out of the advisories is that modern iPhones and Android devices require users to click through an explicit warning before they can exchange files with a device connected by standard cables.
-
The initial warning seen when plugging in an iPhone.
-
The following screen, which requires a password.
-
The screen that appears after a Pixel 7 is plugged into a Windows 10 laptop and the user pulls down.
-
The screen after the user clicks the down arrow.
-
The screen after the user taps more options.
-
The sceen after the user selects File transfer / Android Auto
“At a high level, if nobody can point to a real-world example of it actually happening in public spaces, then it’s not something that is worth stressing about for the general public,” Mike Grover, a researcher who designs offensive hacking tools and does offensive hacking research for large companies, said in an interview. “Instead, it points to viability only for targeted situations. People at risk of that, hopefully, have better defenses than a nebulous warning.”
He added: “I have heard about people intentionally altering the voltage of public chargers, but that’s just dumb, malicious stuff. When it comes to public charge sources, I feel like a bigger risk is shitty power quality and damaged connectors.”
There are edge cases that allow keyboards—or devices masquerading as keyboards—to enter commands that do malicious things when they’re connected to an iPhone and Android device. But those attacks must be customized for each different phone model being plugged in. Additionally, such techniques have significant limitations that make them impractical for juice jacking.
More about these edge cases and their shortcomings later. The long and short of it is this: No one in the past five years has demonstrated a viable juice jacking attack on a device running a modern version of iOS or Android. Apple representatives aren’t aware of any such attacks occurring in the wild (Google representatives didn’t respond to numerous requests for comment), and I couldn’t find any security experts who knew of any, either. And as noted earlier, there are no documented cases of juice jacking ever occurring in the wild.
