by Jacob Hoffman-Andrews
Electronic Frontier Foundation
Reprinted under Creative Commons License
Every few years, an unsourced report circulates that "the FBI says plugging into public charging kiosks is dangerous." Here's why you should ignore the freakout and install software updates regularly.
Your phone is designed to communicate safely with lots of things – chargers, websites, Bluetooth devices such as earbuds or speakers, Wi-Fi, and even other phones, for instance when sending and receiving text messages. If doing any of these normal phone things can give your phone malware, that is a security vulnerability (which is a type of bug).
Security vulnerabilities happen with some frequency. That is why your phone prompts you to update your software so often – the makers of its software find out about bugs and fix them.
So, when you hear a report that public chargers are giving people malware, you should ask "what is the vulnerability being used, and when will it be fixed?" as well as "how widespread is the problem? How many people are affected?" Unfortunately, the periodic reports of "juice jacking" never have such details, usually because they are recycled from earlier reports which themselves lack details.
The most recent news reports reference a tweet from the FBI Denver field office. According to reporter Dan Goodin's conversation with an FBI spokesperson, the field office relied on an article the FCC published in 2019 warning about USB charging stations. The only source for that article was a warning from the Los Angeles County District Attorney's Office that did not itself allege any specific bug or specific instances of charging stations being used for attacks. The FCC later quietly removed the sourcing from its article, allowing itself to be incorrectly treated as a primary source for juice jacking claims.
While the video from the LA County D.A. doesn't mention it, the ultimate source for the term "juice jacking" is a Brian Krebs article from 2011 reporting on a vulnerability demonstrated at DEFCON that year. As you can imagine, phone security has changed dramatically since 2011. And so far there have been no reports of widespread exploitation of USB vulnerabilities in the wild.
As a complex protocol, USB does present a large attack surface, and there are some built-in risks, like the ability for a USB device to pretend to be a keyboard (so lock your phone while charging). You may also want to bring your own charger or battery for electrical reasons. Phone manufacturers often recommend charging only with approved chargers, to avoid charging too slowly or (worse) too quickly and potentially damaging your phone or battery. But realistic security is about risk management, and for most people the risk of a public USB charger is very low.
Undoubtedly there will continue to be bugs in phones' USB stacks in the future, just as there will be bugs in web browsers and chat apps. Some of those bugs will have the potential to infect your phone with malware, particularly if large numbers of people forget to update their software. But with a little skepticism and common sense, we can stop zombie scaremongering about charging stations from making the rounds again.