We’ve all had those times when we’ve forgotten to plug in our phones overnight or drop them onto wireless chargers. If you’re staying in a hotel, or you’re out and about, there’s a good chance that there’s going to be some kind of publicly accessible charger that you can jack into for a few quick volts to keep your phone going in that situation. Problem solved, right?
While it might solve your temporary power problem, you could be asking for a completely different set of headaches if the charger or cable you’re connecting to has been compromised in an effort to access your data or damage your handset.
It’s an attack known as “juice jacking”, using the data connectors in most USB cables to modify or copy files from a connected device without the user realising it. If you’re frequently using unknown chargers or cables, a data blocking device could be a good buy.
How does a power cable take my data?
The fundamentals of this kind of attack rest on the fact that most – but not all – USB cables include not only connectivity for transmitting power, but also channels for data to flow through. That’s why you can safely plug your smartphone into your computer and shuffle files to and fro, or perform a backup of your vital files when you’re at home or in the office, after all.
When you’re using your own charger, your own cable and your own phone, you’re in full control of the entire transaction, but when you step outside and use any other charger, you’re trusting that it’s not in any way compromised.
It’s certainly technically possible to build a system that looks just like a public charging station but is actually designed to slurp up the data of connected devices, and that’s been a thing since at least 2011. Here’s a video from 2012 showing a proof of concept of the idea, so it’s very much not a new idea.
How real is the threat of juice jacking?
This is where it gets tricky. While it’s an established concept that doesn’t take much technical nous to implement, documented cases aren’t terribly easy to track down, even if some authorities have highlighted the potential risks, most recently in the US. There have been some reported cases of it happening in the wild, like this story from India, but it’s not a massive threat in absolute terms.
It’s also a scam that has been at least partially mitigated over the years by the way that both Android and iOS treat connected cables with live data connections.
Plug a modern Android phone into an unknown device and the standard default is to charge only, with users having to select to transfer data or photos through a drop down menu. Apple’s iOS is even more explicit, asking for “trust” in a connected computer, which is likely to make you think when you’ve only plugged in to boost your iPhone’s battery in the first place.
That’s only true of newer devices, however. If you’re using a much older smartphone, it may treat every connection as friendly – and a phone that old would also be some years out of software updates, which doesn’t help either.
This is also not to say that it has never happened or couldn’t. If you’d altered your default phone behaviour for convenience’s sake, or accidentally tapped on the permission dialog box without realising it, you could potentially put your phone and personal data at risk. Smartphones are a rich source of valuable personal ID, and that means that smartphone operating systems are constantly being prodded for ways to bypass security, including the checks and balances that help to limit the approach of this kind of attack.
There’s also potential for social engineering aspects to this; if there was a sign that said you had to click some kind of agreement to charge, how many people might do so in return for “free” power?
Still, it is important to note that this is not a huge risk vector in terms of reported cases and losses, relative to other activities you might engage in with your phone and the precious data within it. That’s especially true in 2020, when so few of us are out and about as much as we used to be, and most international travel simply isn’t happening.
What are my data blocker options?
There’s a wide array of devices that promise to protect you from juice jacking, but they all tend to work in the same way: the data channels from the charging point end inside the blocker, so only power reaches your phone.
Most take the form of either a data-pins-stripped cable – if you’re plugging in direct to a USB A type port – or a dongle that you add to a port or charging cable if you’re not. They’re also generally pretty cheap and quite small, so they’re easy to drop into a pocket or purse if you’re heading out and think you might need them.
To be entirely transparent, we haven’t tested these against an attack rig designed to use this particular attack, but you could assess them pretty easily by using them plugged into your own PC.
If you’re unable to transfer data even when permitted, or your phone never comes up as a drive on your computer, then they’re doing the job as advertised. If the data flows regardless, then they’re duds and you’re well within your rights under Australian consumer law to seek a refund pronto.
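One way to run that check on a Linux PC is to compare `lsusb` listings instead of watching for a drive icon. This is an added example, not something from the manufacturers or the original article; it assumes `lsusb` (usbutils) is installed, and the sample listings and device IDs are constructed. It also goes one step beyond the text by plugging the phone in directly first, so a phone or cable that never carries data cannot pass as a working blocker.

```python
import re
import subprocess
from collections import Counter

# One lsusb line: "Bus 001 Device 004: ID 18d1:4ee1 Some description"
LSUSB_LINE = re.compile(r"^Bus \d+ Device \d+: ID ([0-9a-f]{4}:[0-9a-f]{4})\s*(.*)$")

def parse_lsusb(text):
    """Count enumerated devices by vendor:product ID (device numbers change on replug)."""
    ids = Counter()
    for line in text.splitlines():
        m = LSUSB_LINE.match(line.strip())
        if m:
            ids[m.group(1)] += 1
    return ids

def newly_enumerated(before, after):
    """IDs present in `after` but not in `before`, sorted."""
    return sorted((parse_lsusb(after) - parse_lsusb(before)).elements())

def blocker_verdict(baseline, direct, through_blocker):
    """Compare three listings: nothing plugged in, phone direct, phone via blocker."""
    if not newly_enumerated(baseline, direct):
        # Positive control failed: this phone/cable never shows up, so the test proves nothing.
        return "inconclusive"
    leaked = newly_enumerated(baseline, through_blocker)
    return "data lines live" if leaked else "blocking"

def snapshot():
    """Live listing on a Linux machine with usbutils installed."""
    return subprocess.run(["lsusb"], capture_output=True, text=True, check=True).stdout

# Constructed sample listings (not captured from real hardware).
BASELINE = """Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 002: ID 046d:c31c Example keyboard
"""
DIRECT = BASELINE + "Bus 001 Device 005: ID 18d1:4ee1 Example phone\n"
WITH_GOOD_BLOCKER = BASELINE
WITH_DUD_BLOCKER = BASELINE + "Bus 001 Device 006: ID 18d1:4ee1 Example phone\n"

if __name__ == "__main__":
    print(blocker_verdict(BASELINE, DIRECT, WITH_GOOD_BLOCKER))  # blocking
    print(blocker_verdict(BASELINE, DIRECT, WITH_DUD_BLOCKER))   # data lines live
```

For a real test, call `snapshot()` three times (nothing connected, phone connected directly, phone connected through the blocker) and pass the results to `blocker_verdict`.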
Data Blocker, given its distinct red colour. PortaPow claims it’ll even detect your phone type to ensure optimal charging.
Privise makes a range of privacy-centric products, but its USB Data Blocker is a pretty simple affair that just states that it blocks the data transmission through USB ports – which is exactly what you want out of this kind of gadget.
Juice Jacking isn’t new, but a lot of devices presume you’re connecting to an older USB A type socket. PortaPow’s USB-C adaptor is a small cable that interconnects to USB-C devices, although the manufacturer notes it’s not suitable for protecting laptops from data theft due to the need for those data channels to remain open while charging.
Another USB A type option, albeit in a less alarming colour than the PortaPow option, and again a simple way to stop the data flow from connected devices if you’re concerned.
Editor’s note: Descriptions and features are as taken from manufacturer/seller claims and user reviews on Amazon.