Los Angeles’ district attorney is warning travelers to avoid public USB charging points because “they may contain dangerous malware.”
Reading the advisory, you might be forgiven for thinking that every USB outlet you see is just waiting for you to plug in your phone so it can steal your data. This so-called “juice-jacking” attack involves criminals loading malware “on charging stations or cables they leave plugged in at the stations so they may infect the phones and other electronic devices of unsuspecting users,” it reads. “The malware may lock the device or export data and passwords directly to the scammer.”
But the county’s chief prosecutor’s office told TechCrunch that it has “no cases” of juice-jacking on its books, though it said there are known cases on the east coast. When asked where those cases were, the spokesperson did not know. And when asked what prompted the alert to begin with, the spokesperson said it was part of “an ongoing fraud education campaign.”
Which begs the question — why?
Security researcher Kevin Beaumont tweeted that he hasn’t seen “any evidence of malware being used in the wild on these things.” In fact, ask around and you’ll find very little out there. Several security researchers have dropped me messages saying they’ve seen proof-of-concepts, but nothing actively malicious.
Juice-jacking is a real threat, but it’s an incredibly complicated and imperfect way to attack someone when there are far easier ways. And given so many phones have features in place to prevent these kinds of attacks, pulling off a juice-jacking attack would likely require burning a highly powerful exploit.
The idea, though — that you can plug in your phone and have your secrets stolen — is not entirely far-fetched. Over the years there have been numerous efforts to demonstrate that it’s possible. As ZDNet points out in its coverage of the juice-jacking warning, the FBI sent out a nationwide alert about the threat after security researcher Samy Kamkar developed an Ardunio-based implant designed to look like a USB charger to wirelessly sniff the air for leaky key strokes. And just earlier this year, a security researcher developed an iPhone charger cable clone that let a nearby hacker run commands on the vulnerable computer.
LA recommend using an AC power outlet and not a charging station, and to take your cables with you. That’s sound advice, but it’s just one of many things you need to do to keep your devices and data safe.