FBI & FCC warn on ‘juice jacking’ at public chargers, but what’s the risk?

US government agencies are warning that malware planted in public charging stations for phones and other electronics can sneak onto your device when you least expect it.

On April 6, the FBI Denver office published a morsel of advice. “Avoid using free charging stations in airports, hotels, or shopping centers,” its tweet stated. “Bad actors have figured out ways to use public USB ports to introduce malware and monitoring software onto devices. Carry your own charger and USB cord and use an electrical outlet instead.”

The sentiment was echoed in an FCC notice about the phenomenon — known as “juice jacking.” The Commission added that, “in some cases, criminals may have intentionally left cables plugged in at charging stations.” Also, “there have even been reports of infected cables being given away as promotional gifts.”

Experts say that charging stations can carry risk, not just for individuals but also enterprises. Still, the risk is low and there are simple solutions for avoiding it altogether.

How Hackers Can Poison Charging Stations

“There are two different ways this happens,” says Pete Nicoletti, field CISO at Check Point Software. “There are the people that actually own those stations. If they’re looking for additional revenue, they might install malware on their charging stations.”

This isn’t the kind of scenario you’d run into at your local airport, though, he adds: “[That’s] going to be the bad actors that compromise a legitimate station.”

Ordinary outlets are immune, but USB ports in modern charging stations are different.

“There is some sort of computer or smart device behind these stations, connected to those USB charging outlets,” explains Dmitry Bestuzhev, most distinguished threat researcher at BlackBerry. And because there’s a computer involved, the opportunity exists for back-and-forth data transfer.

“Imagine using a phone for charging,” Bestuzhev continues. “You use the same USB cable for synchronizing data on your phone with a computer, such as photos, videos, and other information. Technically a threat actor could poison the data transmission between the malicious station and your device to steal information or install malicious code.”

Were this to occur, the FCC says, hackers could “maliciously access electronic devices while they are being charged. Malware installed through a corrupted USB port can lock a device or export personal data and passwords directly to the perpetrator. Criminals can then use that information to access online accounts or sell it to other bad actors.”

To read the complete article, visit Dark Reading.