Protecting Phones, Data, and Your Business from Juice Jacking Risks

Author: Rebecca Herold, CEO of Privacy & Security Brainiacs SaaS Services and The Privacy Professor Consultancy
Date Published: 30 June 2023

Business and personal travel is now largely back to pre-pandemic levels, resulting in more travel computing, and charging, than organizations have been used to over the past three years. There also are many who are still using public libraries, coffee shops and shared rented office spaces to do their remote work. I know some organizations have rented hotel rooms to have workers use for their remote working when they were concerned about the security within their employees’ home work areas. These alternative work areas often have public Wi-Fi that is unsecured, meaning no password is required, or if it is, it is one that everyone in the vicinity knows. More often than not, there is no encryption used on these internet connections.

There is an abundance of public USB charging stations, provided by facilities to entice folks to work there and to offer a free service to those in service and business buildings. I took a family member to have surgery in January, and I noticed an abundance of public USB chargers, with multiple types of cables attached, in every lobby and in each of the patient rooms. However, these popular charging stations are increasingly being fitted with data skimmers in the USB charger ports and cable ends. These skimmers work similarly to credit card reader skimmers, except that the USB charger skimmers are almost impossible for most people to identify.

In the US, the FBI and FCC recently warned that free USB charging stations in public spaces, such as airports, hotels, hospitals, business buildings and any other type of publicly available location, can have devices hidden within them to steal data, spread malware and commit other malicious activities broadly referred to as juice jacking. The term “juice jacking” started being used several years ago to mean that while individuals were using USB charging ports to charge (or “juice”) their phones, they were also having their data hijacked (“jacked”) through malicious, unnoticed skimming tech. I actually started covering this risk at a few onsite security and privacy training courses in 2010 when I first became aware of what was then an emerging new threat from a business friend, an electrical engineer, who I think may have invented what was the first juice jack blocker—a data blocker for USB ports.

The malicious USB charging connection not only gives access to the phone's apps and data, but also creates a connection to every network the phone is connected to that did not have active access controls and blocks in place when the phone was connected to the USB charger. So, malicious USB charging ports, cables and possibly other components of public charging stations can also be used to plant ransomware, keystroke loggers and other types of malware, and to enable GPS tracking and audio eavesdropping. They can also take control of the device being charged. All these malicious activities can occur not only on the device being charged (phone, laptop, tablet, etc.), but also on devices and network components within those other connected networks.

These skimmers are very hard to notice inside the USB ports and in the interface component end of malicious cables, unlike the credit card skimmers on gasoline pumps and credit card payment processors that you can usually see if you look closely and jiggle the swipe device. And the cords that are now so commonly found at charging stations have, in some places, been replaced by a crook with cables that are not the electric charge-only cables typically located at those public USB charging stations.

Add to this a diabolical physical risk. Some of the cables aren’t used to take data or plant malware, but instead to ruin your device by delivering a high-voltage power spike to effectively destroy the usability of the device.

I’m glad the FBI and FCC are warning about these risks with public charging stations and USB ports. And yes, their suggestion to carry your own charger and USB cord and to use an electrical outlet instead is one option to mitigate the risks. But there is another way to mitigate this risk without the need for a portable charging device, which may not have enough charge left on it to begin with and may itself need charging. I also recommend using the previously mentioned juice jack blocker, a small, inexpensive device that is very effective in stopping data from being stolen and malware from being loaded. These blockers keep the skimmers from accessing the computer’s hard drive while allowing charging to occur. Juice jack blockers attach to the end of your USB cable to protect against skimmers when you charge your devices in public places. This is not as bulky as hauling around most portable chargers and extra cables. I’ve purchased USB juice jack blockers for as low as two for US$12. They’re small and easily fit in a pocket without any bulkiness.

It’s also a good idea to travel with personal charging devices. While not as small as juice jack blockers, they have become much smaller, with much more power, and less expensive in recent years. They limit the need to use public chargers at all.

Ideally, it would be best to make sure only non-data power-only ports and cables are used in public areas. However, most cables used support data transfer, and there is not an easy way for most folks to visually tell if a cable is charge-only.

At the enterprise level, it is a good risk management action to update your cybersecurity and privacy program to include the following:

  • Invest in the comparatively low-cost USB juice jack blockers to provide to all your workers who work remotely. They typically cost less when buying them in bulk.
  • Consider also investing in some personal charging devices for situations where a power source is needed, but there are none to be found, such as while hiking or spending the day with a client in an environment with few-to-no usable electrical outlets.
  • Consider carrying a charging-only cable to use in public USB ports. This will prevent data from being transmitted through the USB connection, similar to how juice jack blockers work (but, yes, such cables are larger and bulkier to carry).
  • Bring an electric outlet-to-USB adapter with you when traveling. These are inexpensive and small. Most of these have two USB ports within them.
  • Update your security and privacy policies and associated procedures to include juice jack blocking directives similar to the following that are most applicable to your organization’s work environments:
    • When not within secured environments (e.g., within the business facilities or within your home office areas), connect a USB juice jack blocker to your computing device, then connect the blocker to the USB charging port.
    • Carry one or two portable chargers while traveling in areas with scarce electric plug-in outlets, so that they are available when needed and no power source can be found.
    • Do not connect phones, or any computing device, to an unknown charging station without using one of the juice jack blocking tools previously described.
    • If, when plugging a device into a USB charging port, a prompt appears asking you to select “share data” or “trust this computer” or “charge only,” always select “charge only.”
    • If you're in public and need to charge a device, use the outlet-to-USB adapter in an electric plug-in outlet. Data can’t transfer from or to your device at a regular AC wall outlet.
    • Digitally lock your phone or other type of computing device while it is charging if you do not have any of these security devices available. This will prevent most malicious attempts to pair with your connected device.
    • Do not use charging cables and power banks that seem to be left behind or are not provided by the facilities you are within. Cyber crooks set up these types of malicious devices in public areas to lure their victims to them.