Juice Jackers on prowl? Here's why you should not charge smartphone at USB charging port at the subway

The Los Angeles District Attorney has released a security alert warning travelers to avoid charging their phones and other devices using public USB plug-in stations because "they may contain dangerous malware"

smartphone sales in singapore
Representational picture: People buy the iPhone 8 at the Apple Orchard Shop in Singapore September 22, 2017 Edgar Su/Reuters

Ever heard of the term "Juice Jacking?" Well, that's a loose term used to describe the act of delivering malicious software onto a phone while it's charging. It sure sounds a little hard to believe, but that's exactly what cybercriminals might be doing and they could be using public USB charging ports to carry out the act.

The Los Angeles District Attorney recently released a security alert warning travelers to avoid charging their phones and other devices using public USB plug-in stations because "they may contain dangerous malware." One may not take the security advisory that serious since most of us at some point of time have no other option but to charge our phones at airports, hotels, subways or cafeterias among others.

However, as per the advisory titled "USB Charging Scam," the so-called "juice-jacking" attack involves cybercriminals loading malware "on charging stations or cables they leave plugged in at the stations so they may infect the phones and other electronic devices of unsuspecting users." It further warns, "the malware may lock the device or export data and passwords directly to the scammers."

The USB, or Universal Serial Bus, has become the standard for charging phones and data transfer but of late security researchers have found that the same USB can be used to deliver malicious payloads onto users phones, not only while they are transferring data but also while doing something as basic as charging their phones. What's worse is that cybercriminals are well aware of this "loophole" and could be using this method to install malware and hack devices.

These cybercriminals use specialized devices that look just like any ordinary USB charging adapter, but have the capacity to deploy malware onto the device that it is "supposedly" charging. A notable example of such a device is Mactans, a concept proof which was unveiled at the Black Hat Security conference way back in 2013. The idea of disguised "juice-jackers" has improved further over the years.

Why should you be concerned?

According to a TechRadar report, pluggable USB wall chargers are most susceptible to a "juice-jacking" attack since the scammers could easily "leave behind" a malicious charger at public places such as hotels and airports. However, they now also have the capability to load malware onto public USB charging stations. Not just that, the criminals can also leave behind infected USB cables in the same way that they leave a charger.

So one must be aware that not just the USB wall charger but the USB cable too could be carrying malicious payloads. One such cable is the O.MG Cable which was showcased at this year's DefCon cybersecurity conference.

Meanwhile, "juice-jacking" may not be as common as you may have thought as there are hardly any such cases on the books. Security researcher Kevin Beaumont also tweeted that he hasn't seen "any evidence of malware being used in the wild on these things." Juice-jacking is simply too complicated a way to attack a user when there are far more easier methods that cybercriminals could make use of.

However, the idea of your data being stolen by a scammer from something as simple as putting your phone to charge doesn't seem too far-fetched, since we have seen numerous efforts that demonstrate the possibility of such attacks in the past.

To recollect, a security researcher by name Samy Kamkar created an Arduino-based device called KeySweeper in 2016. The KeySweeper resembled a USB wall charger and even supplied charge to a smartphone, but it also used a wireless connection to decrypt and log all keystrokes form any wireless Microsoft keyboards within its range.

How to avoid being "juice-jacked"

Cybersecurity experts and the LA officials suggest using an AC power outlet instead of a USB charging station for charging smartphones and other devices to avoid falling victim to a "juice jacking" attack. Another way to safeguard yourself would be to carry your own charger while travelling. While, "juice-jacking" may seem a thing straight out of a sci-fi movie, it's always good to be cautious because you never know when or how you might get scammed.