Holiday travel? Michiganders warned of ‘juice jacking’ at charging ports

Michigan, national officials warn of ‘juice jacking’ when charging phones at public USB ports
The scam can occur through infected charging cables or compromised public charging stations
Officials urge using personal chargers, AC outlets, or portable batteries instead

If you’re traveling for the holidays, public USB charging stations may offer a convenient way to charge your phone, but cybersecurity experts say they can also serve as a gateway for hackers looking to slip malware onto your device.

Cybercriminals can use these public ports to steal data or install malware in a scam known as “juice jacking.”

The federal Transportation Security Administration warned about the potential threat earlier this year, advising travelers to bring a TSA-compliant power brick or battery pack to charge your phone while traveling through airports.

Michigan’s largest airport has taken steps to limit the threat, however.

“All public charging stations at Detroit Metropolitan Wayne County Airport (DTW) are power-only and not connected to any data networks,” airport spokesperson Cortez Strickland told Bridge Michigan in an email. “Travelers should always inspect charging ports prior to use and report any unusual activity to Airport Authority personnel.”

Related:

Experts say juice jacking can occur in two main ways: when you plug your device into a public USB port using your own cable or when you use a compromised cable from someone else.

Malware from a compromised USB port can freeze your device or secretly transfer personal data and passwords to cybercriminals. They can then use that information to break into online accounts or sell it to others.

The Federal Communications Commission has even warned about infected cables being handed out as free promotional items. In some cases, hackers hide skimming devices inside public charging kiosks to steal data.

There are steps you can take to avoid such attacks, said Doug Witten, assistant professor of computer science at Wayne State University.

“The way you stop that stuff is with a VPN, a virtual private network,” he said. “In other words … traffic is encrypted. When (data) is coming out of your machine, bad actors can’t unencrypt it. It just looks like hieroglyphics to them.”

Another way individuals can avoid becoming a victim of juice jacking is by making sure their devices are up-to-date, especially Android and IOS devices, which are more susceptible to these types of attacks via USB ports.

“When you get an update for iPhone or iPad, what they’re actually fixing is holes that somebody found how to get it,” Witten said.

Computers, by contrast, are far less vulnerable because they rely on a dedicated power brick for charging.

Other cyber attacks

Very few cases of juice jacking have been reported to the FCC, because it’s difficult for bad actors to pull off.

But “pineapple” and “man-in-the-middle” attacks, in which cyber thieves use rogue access points or wireless hotspots that look legitimate to steal data, are much more common.

These rogue access points can mimic a real network name, tricking people into connecting so the operator can monitor traffic, capture passwords, or install malware.

“A rogue access point is relatively easy to do,” Witten said. “Those are the bigger threats than the juice jacking (attacks) … and they’re a lot tougher to detect for the end user.”

Protect your power and privacy

The Michigan attorney general’s office recommends the following tips to avoid becoming a victim of juice jacking:

Avoid using a public USB charging station
Bring an AC outlet charger, car chargers, or your own USB cables with when traveling
Carry a portable charger or external battery
Consider carrying a charging-only cable from a trusted supplier
If you plug your device into a USB port and a prompt appears asking you to select “share data” or “charge only,” always select “charge only”