The alert from the FBI is only the latest instance of government concern over what’s known as “juice jacking,” a cybercrime in which a hacker uses public USB ports to steal data, such as credit card numbers, or install malware on a user’s device. The term is said to date back to 2011, when researchers at DefCon created a charging kiosk that demonstrated the potential cybersecurity risks of such stations. Years later, in a world where our smartphones increasingly function as wallets, GPS, photo albums and an ever-running log of our personal communication and browsing history, accessing someone’s device can be practically as invasive as breaking into their home.
Ritesh Chugh, an associate professor and technology and society expert at Central Queensland University, wrote in an email that public charging docks are a “significant privacy hazard.” Research has shown that in less than 10 seconds, a malicious charging station can identify the web pages loaded on your phone’s browser, he wrote, while “as little as one minute of charging time may be adequate for compromising a user’s phone.”
Although it’s unclear how common these attacks are, and any instances of victimization have not been widely publicized, repeated warnings from security agencies worldwide “clearly indicate the persistent danger posed by this method of attack,” Chugh wrote. Officials have raised similar concerns in California, India and Nigeria. The FCC’s website cautions: “Don’t let a free USB charge wind up draining your bank account.”
Tony Coulson, executive director of the Cybersecurity Center at California State University at San Bernardino, says we should start thinking about phones like we think about credit cards. “You don’t just go anywhere and start plopping your debit card in,” he says.
He likens juice jacking to credit card skimming. Similar to magnetic strips on credit cards, which make them vulnerable to security threats, USB technology is old, Coulson said, and “doesn’t have a lot of safety built into it.” You can see that just by looking at a USB plug: There are four connectors inside; two are for power, and two are for data. “There’s no fail-safe in between, and once you’re plugged in — if data talks, then data talks,” he says.
If you have used public charging stations, experts say, look out for your phone losing battery life more quickly; a noticeable slowdown in its operations; overheating; settings being altered without your input; and unusually high data usage. If you think you’ve been affected, they recommend deleting any suspicious apps, installing anti-virus software, — and if you are really concerned, restoring the phone to its factory settings. You should also keep your phone software up to date.
To avoid being a victim in the first place, Coulson encourages adopting newer USB technology (such as USB C) or purchasing charging-only cables, which don’t allow data extraction. Wireless chargers are a more secure option, Chugh said, with instances of tampering on such devices “pretty much nonexistent.”
When you plug a smartphone into a USB port, it also might ask whether you trust the device you’ve connected to. That’s a signal that the USB could be doing more than just charging. Unless you’ve connected to your personal computer, you should say no, experts say.
If you’re in a hurry and in need of a USB port, check to see whether it has four or two connectors inside — many are manufactured with four, but if it has two, it is just for charging. “But that’s not a 100 percent rule,” Coulson cautions.
When it comes to his own device, “I only charge my phone with my own plug-in charger,” he says. “I’ve been doing that for years.”