There are many ways hackers can try and steal your data. But here is a hidden threat in many devices and it’s not the one most people think of. One emerging risk is developing from the use of cables and USB ports in public charging stations seen in many airports, malls or public places. How this happens dep
The FBI and the FCC has recently published a warning from their twitter page concerning this issue. “Avoid using free charging stations in airports, hotels or shopping centers,” the FBI’s Denver office warned. “Bad actors have figured out ways to use public USB ports to introduce malware and monitoring software onto devices. Carry your own charger and USB cord and use an electrical outlet instead.”(1) The FCC echoed these sentiments warning of potential hacks using public devices and to use your own.(2)
Charger hacking, or juice jacking, is the theoretical process of using charging cables to hack into devices. Often these attacks target phones as they are a lot easier to find a way in then normal laptops. Whether you use an Android, Google phone or an iphone, most devices use a form of USB cable to connect with the chargers. While they are universal, allowing for public spaces to utilize them in designated charging stations in public. When you are using these chargers, you get a prompt to “trust” this device before your allowed to use the charger.
This protocol to get your devices to trust the charger is how hackers can get you. With the universal adapter plug being a thing, hackers can easily mimic the charger abilities. And much like a USB on the ground, many unsuspecting people will grab it and use it to charge their phones. But these bugged wires once they get permission, are free to access their phones from a remote source, completely hidden behind the screen of your phone.
This idea might be a new thing in mainstream but something like this has been speculated for years. At the 2011 DEFCON conference in Las Vegas, Aires Security Reps, including then President Brian Markus and researchers Joseph Mlodzianowski and Robert Rowley built a charging station in the conference itself to show how simple it was for phones at the time. When asked, Markus had this to say, “We’d been talking about how dangerous these charging stations could be. Most smartphones are configured to just connect and dump off data. Anyone who had an inclination could put a system inside of one of these kiosks that when someone connects their phone can suck down all the photos and data or write malware to the device.” (3) After this conference, many of the cell phone brands quickly adapted their chargers to not automatically accept public chargers, instead prompting them to ask if they trust the device, something that carried over into other chargers like laptops.
Fast forward to 2023, the environment has changed drastically and so has the complexity of the attacks. The cables used to charge phones are more uniform and easier to mimic. One of these is the so called “OMG” cable, used by professional penetration testers that looks like an Android or Apple charger. They have a wifi signal built in and allows hackers to get into your phone remotely with prices under $200. (4)That in of itself is bad, but what makes it worse is that phones are used as Dual factor authentication devices. All they need to do is to trick a website to send you a 2FA request and without thinking you give them access to their account. The idea someone can just walk into your website through your phone is frightening.
Phones and chargers are part of everyday life. But with these new warnings, one should be wary of public charging spots. Use the plug you were given with your phone and never open links on your cell phone
