Two federal agencies issued warnings about USB-based charging attacks, where hackers inject malware or siphon data from devices of unsuspecting consumers looking to charge their phone, computer or gadget on the go.
Via its Twitter account, the Denver FBI tweeted a public service announcement warning readers to avoid using the free charging stations at airports, hotels and shopping centers. “Bad actors have figured out ways to use public USB ports to introduce malware and monitoring software onto devices.”
The FBI tweet recommended that consumers carry their own chargers and USB cords and use an electrical outlet instead.
Avoid using free charging stations in airports, hotels or shopping centers. Bad actors have figured out ways to use public USB ports to introduce malware and monitoring software onto devices. Carry your own charger and USB cord and use an electrical outlet instead. pic.twitter.com/9T62SYen9T — FBI Denver (@FBIDenver) April 6, 2023
A second warning came from the Federal Communications Commission, which warned travelers of the same dangers of plugging their devices into free USB charging stations, an attack it referred to as “juice jacking.”
“Malware installed through a corrupted USB port can lock a device or export personal data and passwords directly to the perpetrator. Criminals can then use that information to access online accounts or sell it to other bad actors,” the April 11 post stated.
The FCC went on to say that criminals have intentionally left cables plugged in at charging stations, and have been known to give away infected cables as promotional gifts.
Andy Thompson, a researcher for identity management firm CyberArk, said he was first introduced to juice jacking in 2011 at Defcon, where it was presented more as a proof of concept than a viable attack method. Thompson said the attack method happens very rarely — if at all — in the wild, but added that juice jacking could be mitigated by using USB Data Blockers or using your own charging cables.
Juice jacking has become less theoretical with the commercialization and abuse of penetration testing tools such as Rubber Ducky, which markets itself as "a (USB) flash drive that types keystroke injection payloads into unsuspecting computers at incredible speeds." The marketing adds, "To a human it's a flash drive. To a computer it's a keyboard, typing at superhuman speeds."
The FCC recommends using an AC power outlet instead of charging stations and using your own USB cables and portable charger when traveling. It adds that if you are prompted to select “share data” or “charge only” when you plug in your device, always select “charge only.”
Another option is to use a data-blocking USB charging dongle, which is designed to limit connections to charging only.