These days, airports, fast-food restaurants, and even buses have USB charging stations. But are these public ports safe? If you use one, could your phone or tablet be hacked? We checked it out!
Some Experts Have Sounded the Alarm
Some experts think you should be concerned if you’ve used a public USB charging station. Earlier this year, researchers from IBM’s elite penetration testing team, X-Force Red, issued dire warnings about the risks associated with public charging stations.
“Plugging into a public USB port is kind of like finding a toothbrush on the side of the road and deciding to stick it in your mouth,” said Caleb Barlow, the vice president of threat intelligence at X-Force Red. “You have no idea where that thing has been.”
Barlow points out that USB ports don’t merely convey power, they also transfer data between devices.
Modern devices put you in control. They aren’t supposed to accept data from a USB port without your permission—that’s why the “Trust This Computer?” prompt exists on iPhones. However, a security hole offers a way around this protection. That’s not true if you simply plug a trusted power brick into a standard electrical port. With a public USB port, though, you rely on a connection that can carry data.
With a bit of technological cunning, it’s possible to weaponize a USB port and push malware to a connected phone. This is particularly true if the device runs Android or an older version of iOS, and therefore, is behind on its security updates.
It all sounds scary, but are these warnings based on real-life concerns? I dug deeper to find out.
From Theory to Practice
So, are USB-based attacks against mobile devices purely theoretical? The answer is an unambiguous no.
Security researchers have long regarded charging stations as a potential attack vector. In 2011, veteran infosec journalist, Brian Krebs, even coined the term “juice jacking” to describe exploits that take advantage of it. As mobile devices have inched toward mass-adoption, many researchers have focused on this one facet.
In 2011, the Wall of Sheep, a fringe event at the Defcon security conference, deployed charging booths that, when used, created a pop-up on the device that warned about the dangers of plugging into untrusted devices.
Two years later, at the Blackhat USA event, researchers from Georgia Tech demonstrated a tool that could masquerade as a charging station and install malware on a device running the then-latest version of iOS.
I could continue, but you get the idea. The most pertinent question is whether the discovery of “Juice Jacking” has translated into real-world attacks. This is where things get a bit murky.
Understanding the Risk
Despite “juice jacking” being a popular area of focus for security researchers, there are scarcely any documented examples of attackers weaponizing the approach. Most of the media coverage focuses on proofs-of-concept from researchers who work for institutions, like universities and information security firms. Most likely, this is because it’s inherently difficult to weaponize a public charging station.
To hack a public charging station, the attacker would have to obtain specific hardware (such as a miniature computer to deploy malware) and install it without getting caught. Try doing that in a busy international airport, where passengers are under intense scrutiny, and security confiscates tools, like screwdrivers, at check-in. The cost and risk make juice jacking fundamentally ill-suited for attacks aimed at the general public.
There’s also the argument that these attacks are relatively inefficient. They can only infect devices that are plugged into a charging socket. Furthermore, they often rely on security holes that mobile operating system manufacturers, like Apple and Google, regularly patch.
Realistically, if a hacker tampers with a public charging station, it’s likely part of a targeted attack against a high-value individual, not a commuter who needs to nab a few battery percentage points on her way to work.
It’s not the intent of this article to downplay the security risks posed by mobile devices. Smartphones are sometimes used to spread malware. There have also been cases of phones being infected while connected to a computer that harbors malicious software.
In a 2016 Reuters article, Mikko Hypponen, who is effectively the public face of F-Secure, described a particularly pernicious strain of Android malware that impacted a European aircraft manufacturer.
“Hypponen said he had recently spoken to a European aircraft maker that said it cleans the cockpits of its planes every week of malware designed for Android phones. The malware spread to the planes only because factory employees were charging their phones with the USB port in the cockpit,” the article stated.
“Because the plane runs a different operating system, nothing would befall it. But it would pass the virus on to other devices that plugged into the charger.”
You buy home insurance not because you expect your house to burn down, but because you have to plan for the worst-case scenario. Similarly, you should take sensible precautions when you use computer charging stations. Whenever possible, use a standard wall socket, rather than a USB port. Otherwise, consider charging a portable battery, rather than your device. You can also connect a portable battery and charge your phone from it as it charges. In other words, whenever possible, avoid connecting your phone directly to any public USB ports.
Even though there’s little documented risk, it’s always better to be safe than sorry. As a general rule, avoid plugging your stuff into USB ports you don’t trust.