Dubai: Should you trust public phone charging stations?
A warning on “juice jacking” has been going around on whatsapp, warning residents to be wary of charging their phones in public kiosks and risking their phones being hacked.
Juice jacking happens when data is stolen from a mobile device via a charging unit. The warning cites public phone charging stations as the main culprit and urges residents to steer clear of them.
Charging smartphones more than once a day has become a norm these days. In the absence of a power bank, a resident who’s out in a mall or in a park may choose to plug into public charging stations.
- Mohammad Ameen Hasbini | Senior security researcher, Kaspersky Labs
Mohammad Ameen Hasbini, Senior Security Researcher, Global Research and Analysis Team at Kaspersky Lab, said there had been reports of juice jacking in the past but there’s not much data currently on whether or not it is recurring.
“There were multiple malicious charger incidents that were reported since 2013 and that affected both IOS and Android devices. These chargers do not have any special design and look as innocent as a normal charger, and are also easy to ship globally mainly because their malicious circuitry can only be detected after a manual hands-on exercise,” Hasbini told Gulf News.
Nicolai Solling, Chief Technology Officer at Help AG, said this old and well-known attack is mostly a problem for older versions of smartphones as well as rooted or altered versions of the software.
“Users have to be relatively lenient to actually enable access to their devices’ data-port today, but of course it can be done and, if successful, the attack can be very invasive,” Solling told Gulf News.
Although such attacks may be successful, it is logistically inefficient to deploy on a large-scale basis.
“The attack in itself is very efficient. However, it is expensive to deploy as the attacker will need to obtain the actual hardware, get it distributed and also install and maintain it — something that takes time and money and effort as well as leaving physical evidence behind that may track the attacker,” Solling explained.
“If we see an increase in juice jacking, it would actually be an indication to me that the vendors are doing better on software security and I don’t believe we are quite there yet. “Always remember that the economy of an attack is like any other business where you are going after the biggest outcome with the least costs,” he added.
Solling believes attackers in recent months and years are opting to use a software vulnerability or publishing a malicious software to the different applications stores. Still, it is better to be cautious, Solling said.
Hasbini said the other risk of connecting to public charging stations are power surges.
“Randomly placed public chargers are more risky, not only from a software perspective, but also from an electrical safety perspective [an electric surge can impact a mobile phone].”
HOW IT WORKS:
Juice jacking works by abusing the connectivity from the charger to the phone to activate additional functions that enable data transfer or malware installation on the mobile device, sometimes relying on weaknesses in the phone software itself.
If a charger is malicious, it could steal victim user data or infect its device with a malware that can do a lot of damage (e.g. steal data, contacts, pictures, passwords, track location, activate camera or microphone.)
HOW TO AVOID IT:
■ Only charge on chargers you trust, so bring one in your bag — you probably need it anyway.
■ If you are really in a pinch and need to charge on a charger you do not trust (like in a charge stand in an airport) then turn off your device — this will also turn off the data transfer capability of the device.
■ Finally with Qi Wireless charging, you have an option of charging not using your dataport, so if that is an option, use wireless charging.
■ Choose certain type of cables that could be used to charge and will not allow data to pass through. Other tools are USB devices that could be connected from both ends to the charging station and the mobile device, blocking any possible data transfer from happening.
