When your phone battery’s in the red zone with quickly depleting power reserves, spotting a free charging station can feel like encountering a lush oasis in the blistering desert heat.
However, people should be wary of using public ports to charge their devices. A new variation of an old cyber attack, called juice jacking, could sneak malware onto your device while it’s plugged in.
From juice jacking to ChoiceJacking
Coined by influential security writer Brian Krebs in 2011, juice jacking is a theoretical cyber attack which uses infected USB ports to hijack or spread malware to user devices.
These corrupted ports could lock devices or send passwords straight to a cybercriminal as they’re entered. The attack is a bit like the card skimmers slipped surreptitiously into cash machines, which are designed to steal user PIN numbers.
Although there are yet to be any documented cases of juice jacking, there’s continued debate about the seriousness of the threat and security researchers have demonstrated they are viable.
In 2012, US intelligence agency, the National Security Agency (NSA), issued warnings to their operatives to remain vigilant. More recently, the FBI published a warning in 2023, although critics again pointed out that there had been no evidence of cyber attackers using the technique.
Apple and Google have also built defences into the back end of their devices, plus introduced warning pop-up messages when a new USB device is plugged into one of their smartphones.
But, researchers at Austria’s Graz University of Technology have figured out how to swerve these counter-measures – and use a new variation on juice jacking, that they call ChoiceJacking, to steal user data from iOS and Android devices.
What is ChoiceJacking and how does it work?
The researchers exploited the countermeasures intended for juice jacking by infecting a charger to prompt the device into opening a data connection. Then, they exploited security holes in Android and iOS to create what they call ‘input events’ – in other words, simulating user input on a device.
This allowed the researchers to remotely confirm that they did want to open a data connection when the warning prompt appeared.
By using this method, the team were able to gain access to sensitive user files on devices from the top-six most popular smartphone vendors. They were also able to gain access to files from two devices even though they were locked.
However, the researchers informed Apple and Google along with device manufacturers, most of which confirmed receipt and have begun work on mitigations to prevent this type of attack.
The research demonstrates the potential security issues around using publicly available hardware and that attacks thought no longer a risk can evolve and create new threats.
When your phone battery’s in the red zone with quickly depleting power reserves, spotting a free charging station can feel like encountering a lush oasis in the blistering desert heat.
However, people should be wary of using public ports to charge their devices. A new variation of an old cyber attack, called juice jacking, could sneak malware onto your device while it's plugged in.