Charging your phone in hotels or malls? Beware of juice jacking
Published on
19 Apr 2023
Published by
The Straits Times
SINGAPORE – People are at risk of having their mobile devices and data compromised by a variety of means, including tampered charging ports and USB cables.
In a joint advisory posted online on Monday, the Cyber Security Agency of Singapore (CSA) and the Singapore Police Force highlighted four ways such compromises could happen – when devices are inadvertently connected to rogue Wi-Fi access points, when the devices’ file-sharing functions are not secured, through Bluetooth connections, and through juice jacking.
Juice jacking refers to cyber criminals tampering with a charging port or USB cable to infect a device with malware or steal data, usually at charging stations that are available for free in public locations with high traffic.
The United States Federal Bureau of Investigation on April 6 warned consumers not to use public charging stations in airports, malls and hotels due to the prominence of juice jacking.
“Bad actors have figured out ways to use public USB ports to introduce malware and monitoring software on to devices,” it said.
Mr Sean Duca, Palo Alto Networks’ vice-president and regional chief security officer for Asia-Pacific and Japan, told The Straits Times that there is always a danger of introducing malware into a device, whether it is through a public charging station or public Wi-Fi.
Users should always be mindful when connecting their devices, and read the permissions they grant in pop-up notifications, Mr Duca said.
Pop-ups such as “Do you trust this device?” should not be ignored, he said, adding that the same caution should be applied when giving apps permission to access folders and functions such as your photos and microphone.
Mr Kevin Reed, chief information security officer of cyber-protection company Acronis, said that while it is theoretically possible for cyber criminals to introduce malware into the phone by exploiting mistakes in the software of devices, the probability of this happening in real life is negligible.
“In a public charging station, attackers have no control over what device they can attack, so it is very hard to target a specific person.
“On the other hand, attackers are more vulnerable to being discovered with this kind of attack because it requires physical presence to alter the charging station and add a malicious component to it,” he said.
He added that it is more costly and risky for cyber criminals to attack the public with this approach in comparison to other kinds of attacks, such as phishing e-mails or through SMS.
“The public is largely safe from it due to this cost-benefits ratio, and phones’ software vendors update the software to fix issues discovered,” Mr Reed said, adding that for this solution to be effective, users should always keep their phone updated to the latest operating system and be careful about giving public access to their device.
To curb the threat of juice jacking, the CSA and police advised all users to use a USB data blocker – a device that physically blocks data transfer due to the absence of the data wires – when connecting devices to publicly accessible charging ports.
Users are also encouraged to disable automatic file transfer, and to switch off their devices before charging them in public spaces.
Other measures include installing anti-virus applications, downloading apps from official stores, using strong passwords and clicking only on links from trusted sources.
The CSA and police also highlighted in the advisory the following ways people can protect their mobile devices and data.
1. Rogue Wi-Fi access points
These are unauthorised wireless access points set up without the knowledge or permission of the network administrator or owner, and will usually be disguised as a legitimate access point with the same name and security settings.
Users are advised to avoid using public Wi-Fi networks for sensitive activities such as online banking, or to use a virtual private network. Users should also disable automatic Wi-Fi connections to prevent automatic connections to unknown access points.
2. Unsecured file-sharing functions
AirDrop on iPhones and Nearby Share on Android are functions that, when not properly secured, can grant cyber criminals in the vicinity access to the device’s data and allow for data to be extracted.
Users are advised to disable file-sharing functions when they are not in use and configure their file-sharing settings to allow discovery only by their contacts to reduce the risk of unauthorised access.
3. Bluebugging
Bluebugging is the illegal access of detectable Bluetooth connections to gain access to user devices, potentially stealing information from the device and possibly installing malware.
Users are advised to disable the Bluetooth function when it is not in use, or set their devices to the “non-discoverable” mode.
Source: The Straits Times © Singapore Press Holdings Limited. Reproduced with permission.
ALL views, content, information and/or materials expressed / presented by any third party apart from Council For Third Age, belong strictly to such third party. Any such third party views, content, information and/or materials provided herein are for convenience and/or general information purposes only. Council For Third Age shall not be responsible nor liable for any injury, loss or damage whatsoever arising directly or indirectly howsoever in connection with or as a result of any person accessing or acting on any such views, content, information and/or materials. Such third party views, content, information and/or materials do not imply and shall not be construed as a representation, warranty, endorsement and/or verification by Council For Third Age in respect of such views, content, information and/or materials.