What the Hack Is Juice Jacking?
I am very much that friend who walks into your house, gives you a hug and immediately asks, “Hey can I ch—?” You already know. I’m asking to charge my phone. To say I’m neurotic about keeping my phone charged is being kind, to me, a person who breaks into a flop sweat when my phone battery dips below 50%. If I see a charger in the wild? I’m gonna use it. I won’t even think twice. It’s survival. My entire life is on that phone.
So imagine my surprise when I got a concerned gasp from a friend as I plugged my phone into an open USB plug at a coffee shop. “You know they can get your info when you do that, right?” They can do what? Who’s they? “Thieves. I read about it. You plug your phone into a public USB thing and they can steal your info.” I thought he was joking, but not only was it not really a good joke, he wasn’t.
“Juice” (or USB) jacking happens when your electronic device is hijacked by malware installed by a malicious device that’s masquerading as a charging device (i.e. the juice). You go to charge your phone and your card ends up fraudulently charged. An off-brand charging cable you found, a USB charging port in an airport or a hotel room, a portable power bank you get in a swag bag—turns out, there are a lot of ways you can end up juice jacked. If “juice jacking” sounds a little too-silly-to-be-real, I kind of agree. It has the same ring of hoaxiness as “toothing” and “jenkem”—both internet-based hoaxes based on TV shows and widespread rumors, that also somehow sound like they could be wellness trends featured on Gwyneth Paltrow’s The Goop Lab.
noun \joos jak-iŋ\
a type of cyber attack that uses a USB charging port to infect phones with malware to potentially steal data or lock the device
It definitely sounds like something ripped from CSI: Cyber, but it turns out that getting juice jacked is very much a possibility. In 2011 a hacker collective called Wall of Sheep proved just how real juice jacking could be by setting up a charging station of their own design at the infamous hacking conference DEF CON. Think Punk’d meets a YouTube video that tells you how to fix your WiFi connection. When a smartphone was plugged into their faux charging station, the phone displayed this message: “You should not trust public kiosks with your smartphone. Information can be retrieved or downloaded without your consent. Luckily for you, this station has taken the ethical route and your data is safe. Enjoy the free charge!”
Ha-ha! Now that’s just a little bit of hacker humor for you.
“2011 was so long ago. The iPhone still had a headphone jack! Surely iPhones are more secure now,” you’re thinking. And on some level, you’re correct! Both Android and Apple phones now ask you if you want to “trust this computer” when you’re plugging your phone into a new device. But if you’re desperate for a charge (and you probably are), that warning might not stop you.
“You know they can get your info when you do that, right?” They can do what? Who’s they?
In November 2019, the Los Angeles County District Attorney’s Office put out a warning video about juice jacking. “A free charge could end up draining your bank account,” wrote Luke Sisak, a deputy district attorney. The New York Times followed up on the LACDAO’s warning and noted that, “the growing ubiquity of USB charging ports in places like hotels, airports and public transportation has translated into an increased risk of falling victim to such scams.” Even the FCC put juice jacking on its fraud radar, reminding consumers that off-brand charging cables given out as promotional materials pose their own juice jacking risk.
Other than avoiding public charging all together, how do we avoid getting juice jacked? Get yourself a USB condom. While it sounds as fake as juice jacking does, a USB condom (seriously, even The New York Times called it that!) is an adaptor that attaches to your USB cable that prevents the transfer of data while still allowing power to flow through. “They essentially disable the data pin on the USB charger,” Carnegie Mellon University professor Vyas Sekar told the Times. “For less than five bucks you can buy it, and that can actually save you.” Disgusting and intriguing! (There’s also wireless charging, which seems to only exist at some Starbucks. If you’re lucky enough to have a phone/device that charges wirelessly, do that! The rest of us will be over here looking for an outlet.)
Remember, as it stands now, there’s never been a reported case of juice jacking in the wild. But like all things we read about on the internet, that doesn’t mean it’s an impossibility. And until we’re all blessed with the ability to either send text messages with just our brains, or buy phones that never run out of battery, it’s better to be safe than sorry and carry your own dang charging device. What might be the only thing more frustrating than getting juice jacked? Being the first documented case of it.
Looking for more info?
Visit our online safety hub for the latest breach report and a complete guide to staying secure on the internet.