fast international shipping
ISO 9001/27001 Corporate certification
Manufacturer certified experts for your project-
fast international shippingISO 9001/27001 Corporate certificationManufacturer certified experts for your project
Professional services for data security
The FBI and FCC recently warned that criminals are using public USB ports to place malware and surveillance devices on devices. Sophos expert Paul Ducklin has tested several smartphones and offers security tips.
If you've never heard the cybersecurity buzzword "juicejacking," don't panic. The term caught on in the early 2010s, yet it still plays a role in everyday smartphone life - and has recently attracted a surprising amount of new attention, including from the FBI, due to its constant warnings. First, let's start with a brief explanation of the concept: people on the go, especially in airports where their phone chargers are tucked deep in carry-on luggage or already stuck in the hold of an airplane, often worry about charging the battery. The specter of the dead battery, which has haunted us since the advent of cell phones, still haunts the world of smartphones, and despite power adapters and the like, people take every opportunity to recharge their batteries, especially when traveling - just in case there's no chance of doing so in the near future.
What happens behind your back
This is where juicehacking criminals come in. Smartphones are usually charged using a USB cable specifically designed for power and data transfer. What if there is a computer on the other side of the charging station that not only delivers 5 volts of DC power, but also tries to interact with the phone behind your back? Simple answer: you can't be sure. For this reason, both Apple and Google have long implemented default settings that eliminate the element of surprise by displaying a security prompt when connecting to an unknown device and asking if you should trust it. Aside from the fact that a user can still be tricked into trusting a new device, it is theoretically impossible to get data behind the owner's back unless the owner takes action.
Given recent warnings from the FBI and FCC, it is therefore somewhat surprising that criminals are using public USB ports to inject malware and surveillance software into devices. For the avoidance of doubt, you should use your own charger whenever possible and not rely on unknown USB cables or ports. If only because no one can know how safe and reliable the voltage converter in the charging circuit is.
How safe is the data?
But what about the risk of private information being surreptitiously sucked in by a charger that doubles as a host computer and attempts to control a connected device without permission? Do the security enhancements introduced in the wake of the Mactans juicejacking tool in 2011 still hold?
Sophos expert Paul Ducklin has tested this, and based on connecting an iPhone (iOS 16) and a Google Pixel (Android 13) to a Mac (macOS 13 Ventura) and a Windows 11 laptop (2022H2 build), he concludes that yes, the queries still serve their purpose. First, no phone automatically connects to macOS or Windows the first time it connects, regardless of whether it is locked or unlocked. In addition, a confirmation popup clearly indicates that a third-party device wants access, which must be actively confirmed.
However, since the devil is in the details, smartphone owners can play it safe despite these fine security barriers.
Here's what you should watch out for: