How dangerous is smartphone charging at public stations?
Sophos Cybersecurity, IT-Security, Smartphone
Professional services for data security
The FBI and FCC recently warned that criminals are using public USB ports to place malware and surveillance devices on devices. Sophos expert Paul Ducklin has tested several smartphones and offers security tips.
If you've never heard the cybersecurity buzzword "juicejacking," don't panic. The term caught on in the early 2010s, yet it still plays a role in everyday smartphone life - and has recently attracted a surprising amount of new attention, including from the FBI, due to its constant warnings. First, let's start with a brief explanation of the concept: people on the go, especially in airports where their phone chargers are tucked deep in carry-on luggage or already stuck in the hold of an airplane, often worry about charging the battery. The specter of the dead battery, which has haunted us since the advent of cell phones, still haunts the world of smartphones, and despite power adapters and the like, people take every opportunity to recharge their batteries, especially when traveling - just in case there's no chance of doing so in the near future.
What happens behind your back
This is where juicehacking criminals come in. Smartphones are usually charged using a USB cable specifically designed for power and data transfer. What if there is a computer on the other side of the charging station that not only delivers 5 volts of DC power, but also tries to interact with the phone behind your back? Simple answer: you can't be sure. For this reason, both Apple and Google have long implemented default settings that eliminate the element of surprise by displaying a security prompt when connecting to an unknown device and asking if you should trust it. Aside from the fact that a user can still be tricked into trusting a new device, it is theoretically impossible to get data behind the owner's back unless the owner takes action.
Given recent warnings from the FBI and FCC, it is therefore somewhat surprising that criminals are using public USB ports to inject malware and surveillance software into devices. For the avoidance of doubt, you should use your own charger whenever possible and not rely on unknown USB cables or ports. If only because no one can know how safe and reliable the voltage converter in the charging circuit is.
How safe is the data?
But what about the risk of private information being surreptitiously sucked in by a charger that doubles as a host computer and attempts to control a connected device without permission? Do the security enhancements introduced in the wake of the Mactans juicejacking tool in 2011 still hold?
Sophos expert Paul Ducklin has tested this, and based on connecting an iPhone (iOS 16) and a Google Pixel (Android 13) to a Mac (macOS 13 Ventura) and a Windows 11 laptop (2022H2 build), he concludes that yes, the queries still serve their purpose. First, no phone automatically connects to macOS or Windows the first time it connects, regardless of whether it is locked or unlocked. In addition, a confirmation popup clearly indicates that a third-party device wants access, which must be actively confirmed.
However, since the devil is in the details, smartphone owners can play it safe despite these fine security barriers.
Here's what you should watch out for:
If possible, avoid plugging in unfamiliar plugs or charging cables. Even a well-configured charging station may not provide the desired power quality and voltage regulation. Also, avoid cheap wall chargers or charging through your own laptop.
Lock or turn off your phone before plugging it into a public charger or someone else's computer. This minimizes the risk of accidentally exposing maliciously active files. This will also ensure that the device is locked if it is stolen from a multi-user charging station.
If you own an iPhone, you may not trust all devices. This ensures that previously trusted devices that you may have accidentally set up on a previous trip are not forgotten.
- Consider purchasing a USB cable or adapter plug for power only. Data-less USB-A plugs are easy to spot because they have only two metal electrical connectors inside the case on the outer edges of the socket, instead of four across the entire width. Note that the internal connectors are not always immediately visible, as they do not extend to the edge of the socket, so the power connectors make contact first.