Generally speaking, Juice Jacking is an evolving threat in cyberspace, which involves using the charging/data port on and Android/iOS device to install malware or copy sensitive user information/data from the device. Although the threat is relatively new, a few security researchers recently set up a charging kiosk at the DEFCON conference to educate people about the attack and demonstrate the illicit ways in which it can prove to be dangerous. Even in India, banks have been warning about the dangers of Juice Jacking. At large, it would not be wrong to say that the threat involves the negligence of users to a greater extent. As it has been very prominently seen in recent years among people of different age groups that, the day-to-day dependability of smartphone is on an all-time peak. Not to mention, the constant need to be hooked on to the device at all times and not miss out on the incoming notifications, all of which lead to the build-up for panic at times when the phone battery is low or about to die.
What is Juice Jacking and how does it work?
Juice Jacking is a type of cyber attack that involves utilizing the charging/data port on a device (Android or iOS) to carry out either of the two attacks: data theft (copy sensitive information on to another device) or malware installation (installing malware to gain access to the device).
With the data theft attack, what attackers essentially try to do is target the device by establishing a connection with it over the charging (USB or lightning) port and covertly copying all the information on to another device. On the other hand, with the malware installation attack, the idea is to install malware on the device (via the charging/data port) to set up a backdoor that can be used to carry further attacks or mint more personal information/data.
However, in both attacks, it is worth noting that it is the charging/data port that attackers target on a device (with the help of an infected/compromised (USB/lightning) cable) to attack a device or steal its data.
Basically, both the attacks take advantage of the fact that the charging port on a phone also doubles as a data port. So, be it an Android or an iOS device, the same port is used to do both — charge a device and transfer data between different devices. Albeit, the approach towards the attack may be different in both cases, they do rely on the same underlying technology.
1. Juice Jacking via Data theft
As the name suggests, data theft is a type of Juice Jacking attack wherein the attacker sets up the charging kiosk (at airport, cafe, bus stop, etc) with a cable connected to a device that has a malicious piece of code running on top. The cable, in this case, could be tempered and might possess the ability to bypass the authentication prompt. Now, as soon as someone connects their device to one of the charging ports at the kiosk, the device connected at the other end initiates the attack and copies all the information/data of the person without them knowing. Since the entire process is so discreet, it is very unlikely that the person standing at the kiosk would notice what is happening with their device behind their back.
2. Juice Jacking via Malware installation
Unlike the data theft attack, where the attacker copies all of the user information/data as soon as a connection is established, malware installation attack, on the other hand, is a type of Juice Jacking attack that does not necessarily involve any exchange of data at the very moment a connection is established. Instead, as soon as a connection is established with the target device (similar to the data theft attack), what it rather does is, install malware (malicious software) on the target device rather than copying information from it on to another device. The idea is to set up a backdoor to the device which can be exploited in the future using the malware unless the user comes to know about it and deletes it manually.
How to protect your device from Juice Jacking?
Well, a straightforward answer to protect yourself from Juice Jacking is to avoid using charging kiosks at public places like airports, bus stops, coffee shops, etc. As, unless you connect your device at unknown public places to charge them, it is very unlikely that you could end up with a compromised device. However, while saying that, it is important to keep in mind that there are some people for whom it is essential to be always connected with their phone. And for such people, the panic kicks in at the moment their phone battery falls below a certain percentage or starts showing low-battery warnings. So for those who find themselves in such situations, it is recommended that rather than connecting your devices at public charging stations in case of an emergency, carrying a power bank is a much better and safer solution. And with a plethora of options available in the market, choosing one for your requirements should not be a difficult task.
Besides using a power bank, which you can carry along all the time and use to charge your device, another alternative is to use a device called a Juice-Jack defender. As the name suggests, a Juice-Jack defender is a device that connects to your charging/data cable and prevents any accidental transfer of data via the device’s charging port. Essentially, it works by allowing the adaptor to permit the flow of power through it, but restricting a connection between the data transfer pins — in a way, only allowing the device to be charged while blocking the flow of data to-and-from the device. Although this is not a completely fool-proof solution, it offers a certain level of protection for when you decide to you a public charging kiosk.