SecureWorld News

FBI Warns Against 'Juice Jacking' at Public Charging Stations

Written by Cam Sivesind | Tue | Apr 11, 2023 | 4:42 PM Z

No charging station is safe, apparently, as the FBI is warning travelers looking to charge their devices in airports, hotels, and coffee shops that "juice jacking" is a thing—as bad actors are using public chargers and even free cables and charging plugs to infect phones and other devices with malware.

According to an FBI "Scams and Safety" brief, which also discusses system and data protection and protecting money information:

  • Be careful when connecting to a public Wi-Fi network and do not conduct any sensitive transactions, including purchases, when on a public network.
  • Avoid using free charging stations in airports, hotels, or shopping centers. Bad actors have figured out ways to use public USB ports to introduce malware and monitoring software onto devices that access these ports. Carry your own charger and USB cord and use an electrical outlet instead.

The U.S. Federal Communications Commission (FCC) issued a warning in fall 2021, titled "'Juice Jacking': The Dangers of Public USB Charging Stations," giving travelers notice before the busy holiday travel season.

"If your battery is running low, be aware that juicing up your electronic device at free USB port charging stations, such as those found near airport gates, in hotels and other travel-friendly locations, could have unfortunate consequences. You could become a victim of 'juice jacking,' a new cyber-theft tactic.

Cybersecurity experts have warned that criminals can load malware onto public USB charging stations to maliciously access electronic devices while they are being charged. Malware installed through a dirty USB port can lock a device or export personal data and passwords directly to the perpetrator. Criminals can use that information to access online accounts or sell it to other bad actors."

Here are what some cybersecurity vendor experts are saying about the juice jacking news, including a couple who do not view the problem to be as bad as reported, and others considering the implications for electric vehicles (EV) charging stations:

JT Keating, SVP of Strategic Initiatives at Zimperium:

"Consumers should always be wary of free solutions purporting to be 'public' services. When hackers trick people into using their fake Wi-Fi networks and power stations, they can compromise devices, install malware/spyware and steal data. This trend will continue and evolve as more and more people connect to EV charging stations for their electric vehicles. By compromising an EV charging station, attackers can cause havoc by stealing payment information or by doing a variation of ransomware by disabling the stations and preventing charging."

Casey Ellis, Founder and CTO at Bugcrowd:

"Juice jacking is not terribly common, however, the combination of ease of exploitation and the impact makes it a risk that people should be mindful of. So, how do hackers infect public power stations? Typically, it's via replacement of an existing charging terminal with a trojan one, or even by installing a complete fake system where one did previously exist.

Consumers should remember that connections (whether physical, or virtual like in the case of Wi-Fi) exist to create access, and that access works on both directions. While they are enjoying a recharge, the possibility exists that the owner of the charging station is enjoying their data.

An EV isn't a personal computing device in the same way a phone or laptop is, so the privacy and security implications of compromise through a charging port are quite different. That said, the past five years of EV innovation has seen them evolve more and more towards being an extension of the user's digital life, so it's reasonable to expect that privacy and security concerns through EV charge ports will become a consideration in the future."

Bud Broomhead, CEO at Viakoo:

"Juice jacking isn't very common in general because using a remote charging facility is not something people do very often. However, if someone was a user of a charging system outside of their control, the warning issued by the FBI should cause them to change their behavior, as cases are on the rise.

Should consumers be cautious in general about using public facilities like charging stations and Wi-Fi connections? Yes. Any connection to a device (power, Wi-Fi, texts) can be used by threat actors to add malware, exfiltrate data, or be used as a phishing attack.

Modern vehicles contain a lot of digital data and will grow as a target for threat actors to exfiltrate that data. There have been hacks of GM's ONStar system, and even last week a successful hack of a Tesla Model 3 (providing root access) at the Pwn2Own Conference.

Threat actors are seeking both data and control; threat actors have shifted their focus over time from datacenters to the IoT/OT devices that are generating the actual data. By going to the source (such as cars, mobile phones, IoT/OT devices in general) threat actors can also plant deepfakes, manipulate data, and gain control over how devices function."

Andrew Barratt, Vice President at Coalfire:

"Based on the fairly limited data on this, it's hard to say for sure how common 'juice jacking' is. It's probably more likely to take place in areas that have persons of interest frequenting, i.e. politicians or intelligence agency workers. For a juice jacking attack to be effective, it would have to deliver a very sophisticated payload that can bypass common phone security measures. Frankly, I'd be more worried about the outlets being so heavily used that I'm more likely to damage my cord or the socket on the phone.

The proof of concepts that have demonstrated these kinds of attacks offer an 'overlay,' something that looks indistinguishable from a regular power outlet but hides some very small-scale microprocessor which could deliver a custom payload to a device.

EV charging stations have been a concern for a while, but the main consideration, following the money, is what could be used to either steal charge time or get free use from these outlets. Longer term, I suspect there is a concern that we will continue to see more attacks against these chargers as the world transitions to EV chargers. The same has always been true. When we had public payphones, there were attacks against them; there are regular attacks against ATMs and gas pumps. Anything where value is dispensable in an unattended environment, there is a payoff potential for a cyber-enabled thief to leverage.

With Wi-Fi networks, attackers are normally scraping traffic looking for credentials that they then take over social media, email which can then be used to move laterally into online banking or anything of material value that can be quickly monetized. With public power points, the cost is high to deliver, the chances of success are very low, and the likelihood of detection is very high. Particularly in airports or other mass transit environments where there are huge amounts of CCTV and security. The ability to go undetected and quickly place a rogue device becomes more and more challenging. If I was to speculate, I'd say that these kind of juice jacking devices are more likely to be used in very targeted scenarios, for either corporate espionage or state sponsored espionage."