Researchers warn of juicejacking threat

Security researchers have highlighted the risk of public charging stations, creating a device they call a 'juicejacker' that is capable of siphoning information off a user's smartphone as they charge their device.

Unveiled at the DEFCON hackers' conference, the juicejack station is the creation of Brian Markus, Joseph Mlodzianowski, and Robert Rowley, who built it to see if even hackers - people who should have their finger on the security pulse - could be fooled into using an unsafe device.

Sure enough, in the three and a half days the station was live, around 360 attendees took advantage of its USB cables to add a bit of extra power to their portable devices - a move which, had the trio had a more malicious motive in mind, would have exposed their private data to theft and abuse.

In their defence, the machine was equipped with a friendly message which read "Free Cell Phone Charging Kiosk." To users' surprise, once a smartphone was connected to one of the various cables dangling loose from the device, the message abruptly changed to one of warning: "You should not trust public kiosks with your smart phone," the modified message read on a red background. "Information can be retrieved or downloaded without your consent.

"Luckily for you, this station has taken the ethical route and your data is safe. Enjoy the free charge!"

The spectre of juicejacking also has a mirror threat: that of a malicious mobile phone, given to you by someone begging for a quick charge from your laptop in order to make a phone call, which siphons data from you to the phone's storage device.

The trio's research indicates a real risk that public charging stations - which are becoming a regular sight in airports and stations throughout the world - could be used for ill means, but others in the industry claim there are easy ways to defeat such a malicious device.

"It's easy to avoid the risk," Paul Ducklin of security firm Sophos claims. "When charging your phone from an unknown USB port, or charging an unknown phone from your own USB port, use a power-only USB cable; always carry and use the charging adapter which came with your device; if you can, configure your device to require a password before enabling the data-transfer features; and in a real emergency, buy a battery-powered recharger."