On Nov. 8, 2019, the Los Angeles County District Attorney’s Office published an advisory that warned travelers about “juice-jacking,” the practice of stealing information from or installing malware on phones while they are plugged into publicly accessible USB ports:
Travelers should avoid using public USB power charging stations in airports, hotels and other locations because they may contain dangerous malware.
In the USB Charger Scam, often called “juice jacking,” criminals load malware onto charging stations or cables they leave plugged in at the stations so they may infect the phones and other electronic devices of unsuspecting users.
The malware may lock the device or export data and passwords directly to the scammer.
- Use an AC power outlet, not a USB charging station.
- Take AC and car chargers for your devices when traveling.
- Consider buying a portable charger for emergencies.
Juice-jacking is a real security threat, and travelers should certainly take note of these tips from the Los Angeles County District Attorney’s Office. However, this security threat was not new in November 2019, and safety features have been added to iOS and Android operating systems in order to combat this sort of crime. Furthermore, little evidence exists that juice jacking is a widespread problem.
A USB cable has the capability of supplying power to a device, but it can also be used to transfer data. While this might be obvious when you are connecting your phone to another device (such as a laptop), data might not be the first thing you think of when plugging your phone into a USB-wall outlet. But security experts (and potentially criminals) have developed ways to turn these power outlets into data-transfer ports.
USB connections were designed to work as both data and power transfer mediums, with no strict barrier between the two. As smartphones became more popular in the past decade, security researchers figured out they could abuse USB connections that a user might think was only transferring electrical power to hide and deliver secret data payloads.
This type of attack received its own name, as “juice jacking.”
While it is technically possible to turn a public USB-wall port into a malicious, data-transferring outlet, the criminal practice of juice-jacking doesn’t appear to be widespread.
In fact, when Tech Crunch followed up with the Los Angeles County District Attorney’s Office to ask about reports from people whose data had been stolen this way, the office reported it had “no cases” of juice-jacking on its books:
Reading the advisory, you might be forgiven for thinking that every USB outlet you see is just waiting for you to plug in your phone so it can steal your data. This so-called “juice-jacking” attack involves criminals loading malware “on charging stations or cables they leave plugged in at the stations so they may infect the phones and other electronic devices of unsuspecting users,” it reads. “The malware may lock the device or export data and passwords directly to the scammer.”
But the county’s chief prosecutor’s office told TechCrunch that it has “no cases” of juice-jacking on its books, though it said there are known cases on the east coast. When asked where those cases were, the spokesperson did not know. And when asked what prompted the alert to begin with, the spokesperson said it was part of “an ongoing fraud education campaign.”
It should also be noted that both Android and iOS have incorporated features to prevent juice-jacking since this security threat first came to light circa 2011. On most modern phones, users will now see a pop-up alert if they are using a USB port that is capable of transferring data, instead of just power.
To sum up: Juice-jacking is a genuine security threat, and the LA County District Attorney’s Office did issue an advisory in November 2019 warning travelers against using public USB ports. However, while it’s technically possible to juice-jack a phone, this is not a widespread criminal activity.