There is no subject that’s more contentious in cyber security circles than so-called juice jacking. It generates fresh headlines most years, when one government agency or another issues a new alert ahead of the holidays. Stories are written and cyber eyebrows are raised — there are more stories than attacks. But still those stories come. Now, though, a new warning suggests there may be a risk for travelers after all.
Juice jacking theoretically strikes when you plug your phone into a public charging cable or socket at an airport or hotel, and instead of it being a dumb charger, it’s a computer behind the scenes extracting data from your device. This is very different to dangerously crafted attack cables that include a malicious payload in the cable itself.
The latest government warning (and headlines 1,2) come courtesy of TSA. “When you’re at an airport, do not plug your phone directly into a USB port,” it says. “Bring your TSA-compliant power brick or battery pack and plug in there.” This is because “hackers can install malware at USB ports (we’ve been told that’s called ‘juice/port jacking’).”
TSA also warns smartphone users “don’t use free public WiFi, especially if you’re planning to make any online purchases. Do not ever enter any sensitive info while using unsecure WiFi.” This public WiFi hijacking threat is almost as contentious as juice-jacking amongst cyber experts. TL;DR, while it compromises your location, any encrypted data flowing to or from your device from websites or apps should be safe.
Your bigger risk is downloading an app from the malicious access point’s splash page, filling in online forms, or being redirected to fraudulent login pages for Microsoft, Google or other accounts. The usual advice applies — use passkeys, don’t log in to linked or popup windows but use usual channels, and don’t give away personal information. You should also be wary of which WiFi hotspots you connect to — are they the real service from the hotel or airport or mall, or cleverly named fakes.
As for juice jacking, there is now a nasty new twist to the existing narrative, which while also theoretical for now, could fuel attacks that actually work. A new research paper has introduced “a novel family of USB-based attacks” called ChoiceJacking, which the researchers say, “is the first to bypass existing Juice Jacking mitigations.”
The Austrian research team “observed that these mitigations assume that an attacker cannot inject input events while establishing a data connection. However, we show that this assumption does not hold in practice. We present a platform-agnostic attack principle and three concrete attack techniques for Android and iOS that allow a malicious charger to autonomously spoof user input to enable its own data connection.”
This is more an issue for Android than iOS, but it’s not something for most users to worry about. That said, if you think you might be the target for attacks or if you travel to higher risk parts of the world, I would strongly recommend not using public charging points without some form of data shield, or public WiFi without a VPN.
You should also be wary of unlocking your device when it’s plugged into anything you don’t own and control. Interestingly, Google and Samsung both now better defend devices against USB data extraction. There are also new updates for iOS and Android to reboot devices locked for more than 3 days, which also protects against cable attacks.
On ChoiceJacking, Kaspersky says “both Apple and Google blocked these attack methods in iOS/iPadOS 18.4, and Android 15,” but “unfortunately, on Android, the OS version alone doesn’t guarantee your smartphone’s safety… That’s why Android users who have updated to Android 15 are advised to connect their smartphone to a known safe computer via a cable and check whether a password or biometric confirmation is required. If not — avoid public charging stations.”
