Is ‘Juice-Jacking’ via Public USB Ports a Real Security Threat?

While "juice-jacking" is technically possible, the criminal practice doesn't appear to be widespread. 

  • Published 18 November 2019

Claim

People should avoid plugging their phones into a public USB port due to a security threat called "juice-jacking."

Rating

What's True

"Juice-jacking" is a real security threat. The Los Angeles District Attorney's Office issued an advisory to travelers in November 2019 warning them of the potential dangers of using public USB ports.

What's False

While it is technically possible for crooks to steal information or install malware via public USB ports, this practice doesn't appear to be widespread.

Origin

On Nov. 8, 2019, the Los Angeles County District Attorney’s Office published an advisory that warned travelers about “juice-jacking,” the practice of stealing information from or installing malware on phones while they are plugged into publicly accessible USB ports:

Travelers should avoid using public USB power charging stations in airports, hotels and other locations because they may contain dangerous malware.

In the USB Charger Scam, often called “juice jacking,” criminals load malware onto charging stations or cables they leave plugged in at the stations so they may infect the phones and other electronic devices of unsuspecting users.

The malware may lock the device or export data and passwords directly to the scammer.

TIPS:

  • Use an AC power outlet, not a USB charging station.
  • Take AC and car chargers for your devices when traveling.
  • Consider buying a portable charger for emergencies.

Juice-jacking is a real security threat, and travelers should certainly take note of these tips from the Los Angeles County District Attorney’s Office. However, this security threat was not new in November 2019, and safety features have been added to iOS and Android operating systems in order to combat this sort of crime. Furthermore, little evidence exists that juice jacking is a widespread problem.

A USB cable has the capability of supplying power to a device, but it can also be used to transfer data. While this might be obvious when you are connecting your phone to another device (such as a laptop), data might not be the first thing you think of when plugging your phone into a USB-wall outlet. But security experts (and potentially criminals) have developed ways to turn these power outlets into data-transfer ports. 

Zdnet reported

USB connections were designed to work as both data and power transfer mediums, with no strict barrier between the two. As smartphones became more popular in the past decade, security researchers figured out they could abuse USB connections that a user might think was only transferring electrical power to hide and deliver secret data payloads.

This type of attack received its own name, as “juice jacking.”

While it is technically possible to turn a public USB-wall port into a malicious, data-transferring outlet, the criminal practice of juice-jacking doesn’t appear to be widespread. 

In fact, when Tech Crunch followed up with the Los Angeles County District Attorney’s Office to ask about reports from people whose data had been stolen this way, the office reported it had “no cases” of juice-jacking on its books:

Reading the advisory, you might be forgiven for thinking that every USB outlet you see is just waiting for you to plug in your phone so it can steal your data. This so-called “juice-jacking” attack involves criminals loading malware “on charging stations or cables they leave plugged in at the stations so they may infect the phones and other electronic devices of unsuspecting users,” it reads. “The malware may lock the device or export data and passwords directly to the scammer.”

But the county’s chief prosecutor’s office told TechCrunch that it has “no cases” of juice-jacking on its books, though it said there are known cases on the east coast. When asked where those cases were, the spokesperson did not know. And when asked what prompted the alert to begin with, the spokesperson said it was part of “an ongoing fraud education campaign.”

It should also be noted that both Android and iOS have incorporated features to prevent juice-jacking since this security threat first came to light circa 2011. On most modern phones, users will now see a pop-up alert if they are using a USB port that is capable of transferring data, instead of just power. 

To sum up: Juice-jacking is a genuine security threat, and the LA County District Attorney’s Office did issue an advisory in November 2019 warning travelers against using public USB ports. However, while it’s technically possible to juice-jack a phone, this is not a widespread criminal activity. 

Snopes.com
Since 1994
A Word to Our Loyal Readers

Support Snopes and make a difference for readers everywhere.

Editorial
  • David Mikkelson
  • Doreen Marchionni
  • David Emery
  • Bond Huberman
  • Jordan Liles
  • Alex Kasprak
  • Dan Evon
  • Dan MacGuill
  • Bethania Palma
  • Liz Donaldson
Operations
  • Vinny Green
  • Ryan Miller
  • Chris Reilly
  • Chad Ort
  • Elyssa Young

Most Snopes assignments begin when readers ask us, “Is this true?” Those tips launch our fact-checkers on sprints across a vast range of political, scientific, legal, historical, and visual information. We investigate as thoroughly and quickly as possible and relay what we learn. Then another question arrives, and the race starts again.

We do this work every day at no cost to you, but it is far from free to produce, and we cannot afford to slow down. To ensure Snopes endures — and grows to serve more readers — we need a different kind of tip: We need your financial support.

Support Snopes so we continue to pursue the facts — for you and anyone searching for answers.

Team Snopes