FBI warns of juice jacking at public charge stations

Business travel can be hectic enough with layovers, car rentals and baggage claims without the added headache of a cell phone with a low battery. That’s why so many travelers eagerly take advantage of the public charging ports available at airports and hotel lobbies. However, these charging stations could be utilized as yet another cyber theft tactic.

A recent tweet by the FBI has brought new attention to the Federal Communications Commission’s (FCC) previously released guidance noting the potential dangers of “juice jacking”. According to the FCC, bad actors can load malware onto public USB charging stations to maliciously access electronic devices while being charged.

The malware installed through a corrupted USB could lock a device or export personal data and passwords which can then be used to access online accounts.

“In some cases, criminals may have intentionally left cables plugged in at charging stations,” the FCC site states. “There have even been reports of infected cables being given away as promotional gifts.”

Senior Product Manager at OPSWAT, Matt Wiseman, said the recent warning serves as an important reminder, for consumers and businesses, of how important it is to not plug in any sort of portable media or USB without first checking and validating it, including cellphones.

“As business travel rises to pre-COVID rates again, it is especially important for companies to remind employees about the security risks of inserting or plugging in any type of portable media or connected cables — especially when corporate data and devices are involved,” Wiseman said.

Wiseman offered the following best practices that companies can do to mitigate risks that portable media pose:

Security awareness: Malicious actors can weaponize USB charging cables, so using an unknown cable can put devices at risk. People can also tamper with the internals of the USB and implant devices that can work to distribute malware. USB Data Blockers are a great way to charge devices by only allowing power through. It is always best to be aware of where hardware devices have come from and who has had access to them.
Control and limit the types of portable media that are permitted. USB storage media and USB cables can be a common, everyday item, but they pose a major security risk. By controlling and limiting the types of connected portable media, businesses can reduce the risk of portable media threats. For organizations that rely on portable media or cables to transfer data, it is best to invest in a security solution that can scan, validate and secure the content being transferred. Security leaders need to ensure that the media itself is free from malware, while also checking the device for any sort of threats as well.

The FCC also offers the following tips to consumers and business travelers to prevent potential juice jacking:

Avoid using public USB charging stations. Instead, use an AC power outlet.
Bring personal AC, car chargers and USB cables to use when traveling.
Carry a portable charger or external battery.
Carry a charging-only cable, which prevents data from sending or receiving while charging, from a trusted supplier.
If, when plugged into a USB port, a prompt appears asking to select "share data" or “charge only,” always select “charge only.”

Andrew Barratt, Vice President at Coalfire, said that based on the fairly limited data on the issue — it’s hard to say for sure how common juice jacking is.

“It’s probably more likely to take place in areas that have persons of interest frequenting, i.e. politicians or intelligence agency workers,” Barratt said. “For a juice jacking attack to be effective it would have to deliver a very sophisticated payload that can by-pass common phone security measures. Frankly I’d be more worried about the outlets being so heavily used that I’m more likely to damage my cord or the socket on the phone.”

Rachelle Blair-Frasier is Security magazine’s Editor in Chief. Blair-Frasier handles eMagazine features, as well as writes and publishes online news and web exclusives on topics including physical security, risk management, cybersecurity and emerging industry trends. She helps coordinate multimedia content and manages Security magazine's social media presence, in addition to working with security leaders to publish industry insights. Blair-Frasier brings more than 15 years of journalism and B2B writing and editorial experience to the role.

ON DEMAND: In this webinar, Regina Lester, Vice President of Security & Safety Operations at Toledo Zoo, will share her insights on implementing security technologies in the entertainment sector and the challenges all organizations face — large and small — when it comes to balancing budget and security.