If you’re killing time at the mall or the airport, you may have noticed those free charging stations. These are the kiosks with open USB ports next to an outlet for you to plug in your charging cable. Or they might even have dangling charging cables ready for your phone’s charging port. For those with a tiny sliver of battery left and a long layover, these can seem like fantastically generous boons from the airport gods.
But think about it for a minute.
This is your smartphone. It has all your photos, your contacts, your messages, your passwords and personal data on it. Do you really want to be sticking any old cable into its data port?
Hackers and infosec experts have proven that it’s possible to hijack a public charging station with a malicious device. You’ve heard of credit card skimming at the gas pump, right? This is the mobile tech equivalent. What might seem like a benign, generic USB port or charging cable may be attached to a tiny device that installs malware on your phone, or worse, steals data off of your phone.
Wait, do people really hack phone charging kiosks?
I can’t say that I’ve come across a recent news article that reports an actual case of so-called “juice jacking.” But the concept has been proven in the past decade by security researchers. Most recently, a demonstration at DEF CON last August showed that a phone’s camera could be hijacked via a USB charging station in disguise (“video jacking“). And honestly, like credit card skimming, most cases of hacking or unauthorized smartphone access go undetected.
So, yes, juice jacking is real.
How vulnerable is my phone?
The good news is that the mobile phone developers have been working on the issue and phones are more secure now. As you’ve undoubtedly noticed, Apple devices like your iPhone and your iPad now give you the “Trust this computer?” dialog whenever you plug your phone into a new computer or device. In theory, if you say, “don’t trust,” whichever device you are connecting to shouldn’t have access to your data. Android phones also have similar security and authentication features.
If you are plugging into a charging station that is truly just for power only (like when you plug into the wall with your AC adapter), then you shouldn’t be prompted to “Trust this computer.” If you do plug into a public charging station and get that prompt, it’s a big red flag. Unplug your phone ASAP and let those around you know something isn’t right.
What can I do to prevent juice jacking?
Okay, the title of this post may have been a bit extreme. There are ways to safely charge your phone in public.
Just because theoretical attacks can be launched over a hijacked public charging station doesn’t mean you have to forgo the convenience. In addition to keeping an eye out for the “Trust this computer?” prompt, there are a few other safety measures you can take. And as with any security concern, it’s always best to have layers of protection—clever hackers may be able to circumvent the trusted device authentication measures.
- Bring your own charger. Toss a power supply or AC adapter into your purse or briefcase and use that instead. Since it’s your device, you can be sure that you’ll only be getting power out of it. Plus, you can plug into any AC outlet you want, making it even more convenient.
- Get a power-only USB cable. On a USB connector, there are certain pins that transmit power, and there are certain pins that transmit data. In the pinout diagram below, pins 3 and 2 are for data. Pin 1 is for 5 Vdc power.
That means you can buy a special USB cable that simply doesn’t have pinout connections for pins 3 and 2. Therefore it’s impossible to transmit data across it. For example, here’s a PortaPow power-only iPhone charging cable for about $7. The same company makes a micro USB cable for charging only that will work on Samsung, HTC, and Google phones. These cables will only charge your phone and will prevent data from being transferred across it.
- Use a USB condom. Wait, what? Yes, that’s really what they call it. A company called Syncstop makes a device that goes between your normal data charging cable and a USB port and blocks data from being transmitted. Compared to a power-only cable, it’s really about the same price. You can get the original USB condom on Amazon for about $7. Syncstop also sells cased Syncstop devices in bulk on their website. You can get them laser-engraved for your company or as a techy promotional swag.
PortaPow sells their own take on a USB condom for about the same price: the PortaPow Fast Charge + Data Block USB Adaptor with SmartCharge Chip.
- Get a portable power bank. This option is slightly pricier than all of the above options but way more convenient. A power bank is basically a rechargeable battery with a USB plug in it. That way, you can plug in wherever you are without being chained to the wall. I got one of these for free as a five year service anniversary gift from the cubicle farm, but you can buy portable power banks online for about $15 to $30 (depending on capacity).
There you have it. Juice jacking is real. But if you are careful, you can significantly reduce your vulnerability. Not only that, some of the solutions—like a fast charging cable or a portable power bank—come in handy for reasons other than device security.
Have you ever worried about the safety of public charging stations until now? Tell us what you do to stay safely charged up on-the-go in the comments below.
USB pinout diagram image credit:
By Simon Eugster – Simon / ?! 19:02, 7 January 2008 (UTC) (Own painting/graphic) [GFDL (http://www.gnu.org/copyleft/fdl.html), CC-BY-SA-3.0 (http://creativecommons.org/licenses/by-sa/3.0/) or CC BY-SA 2.5-2.0-1.0 (http://creativecommons.org/licenses/by-sa/2.5-2.0-1.0)], via Wikimedia Commons