Cybersecurity “Hacklore”

@boblord
Mar 16, 2022


Over the past four years, I spent a lot of time working to help non-technical people in the US Democratic ecosystem secure their digital lives. One of the main outputs of that effort was the DNC Security Checklist, a short list of steps that help prevent the attacks we saw in the wild. You can download the (non-political) checklist here: https://democrats.org/security (Complete it and send it to two friends today. Better still, sit down and help them in real time!)

We were able to get a large number of people in the ecosystem to complete the checklist. But not everyone did, and sadly we had to help some people who were compromised. One fact stands out: over the past four years, none of the people we saw compromised had completed our checklist. People who completed the checklist were spared because the checklist avoids esoteric suggestions and instead focuses on the basics. The basics, while not trivial to enact, offer powerful protection against the most common attacks.

People would sometimes ask me about things that were not on the checklist. One topic people brought up occasionally was “juice jacking”. Juice jacking is a class of attack against mobile devices that use the same (USB) cable for both charging and data transfer. The idea is that if you plug into a public charging station under the control of an attacker, such as one in a hotel or an airport, the attacker could implant malware on your phone or steal a copy of your photos, email, or address book.

It’s not surprising that people would ask about ways to prevent juice jacking because the warnings are everywhere. Over the past few years, we’ve seen warnings on morning news programs, in newspapers, from countless security experts, security vendors, and local and federal governments.

There’s only one problem with these warnings about juice jacking: There is no evidence it happens in the wild.

People have their accounts and devices compromised every second. There are many threats to your devices and accounts, but juice jacking is not one of them.

I call cybersecurity folklore like juice jacking “hacklore” for obvious reasons.

Dire warnings

When I say that warnings about juice jacking are everywhere, I mean everywhere.

On November 3, 2020, the FBI’s Portland office issued a statement that said “you should avoid using public USB power charging stations in airports, hotels, and other locations because they may contain dangerous malware”. That sounds like they have real evidence. However, they only cite the FCC as their source.

So what does the FCC warning say? Their warning (October 15, 2021) is titled ‘Juice Jacking’: The Dangers of Public USB Charging Stations. In it, they write “criminals can load malware onto public USB charging stations to maliciously access electronic devices while they are being charged” and that they can “export personal data and passwords directly to the perpetrator”. They, too, don’t cite any direct evidence. Instead, they cite a New York Times article as a source. (Do you see where this is going?)

So what does the Times article say? The New York Times article (November 18, 2019) was titled “Stop! Don’t Charge Your Phone This Way”. That article claims that:

Juice jacking happens when unsuspecting users plug their electronic devices into USB ports or use USB cables that have been loaded with malware.

The malware then infects the devices, giving hackers a way in. They can then read and export your data, including your passwords, and even lock up the gadgets, making them unusable.

The article quotes two people who admit that “they were unsure of how often hacking attacks like these happened” (no direct evidence) but that since public charging stations are becoming more common, someone is probably doing something malicious. Probably. That’s not a credible source.

The Times did cite an alert from the Los Angeles County District Attorney’s office. On November 8, 2019 they published an alert titled “‘Juice Jacking’ Criminals Use Public USB Chargers to Steal Data” and a corresponding tweet. That statement got picked up and repeated unquestioningly by many news outlets.

If the LADA’s office were prosecuting someone for a juice jacking crime, that would be really big news. It would be the first actual case in the wild I have found. I had so many questions about how the attack happened, on what platform, how the attackers were caught, and much more.

However, the story fell apart when Zack Whittaker from TechCrunch called the LADA’s office. He writes:

But the county’s chief prosecutor’s office told TechCrunch that it has “no cases” of juice-jacking on its books, though it said there are known cases on the east coast. When asked where those cases were, the spokesperson did not know. And when asked what prompted the alert to begin with, the spokesperson said it was part of “an ongoing fraud education campaign.”

The alerts from the FBI, the FCC, and the LA County DA, and the Times article they lean on, are not based on actual investigations or crimes, but you wouldn’t know that from the vast press coverage.

If people are being victimized, surely there must be victims! None of the sources above, nor any that I have been able to find online, identified any real victims. Most of the stories referenced each other in an echo chamber of misinformation. If enough people and organizations say it, it’s gotta be true.

People are compromised every second, but not this way. We as security practitioners need to prioritize our efforts with the understanding that non-technical people have a very limited appetite for cybersecurity advice. My hope is that we can focus our advice on the items in the DNC security checklist (patch, use MFA, use a password manager), since that’s how most attacks succeed, and refrain from proposing solutions to problems that we do not see in the wild.

If you can find a confirmed juice jacking attack in the wild, let’s work to get the vendor to fix the bug rather than warning everyone to not charge their phones. We should be able to trust our devices to be secure, even in hostile environments. We’re not helpless bystanders, but we need to lobby the vendors with technical specifics to make progress.

@boblord

Former security executive for places like @TheDemocrats, Yahoo, Twitter