Juice jacking can pose a serious cybersecurity risk to those using USB ports, cables, and chargers to simply charge their devices.
In an increasingly connected world, being able to communicate consistently throughout the day has become the expectation. People work in all different settings—everywhere from the office, to their homes, to hotels or coffee shops when traveling, and more. In every work space, people need the ability to access power in order to recharge their devices.
However, not every USB port, cable, or charger is secure enough to prevent data breaches. Rebecca Herold, founder of The Privacy Professor Consultancy and of Privacy & Security Brainiacs SaaS services, shares the dangers of having data breached through juice jacking, and steps organizations can take to protect their information.
Continuity Insights: What is juice jacking, and when did this emerge as a security risk?
Rebecca Herold: There are often an abundance of public USB charging stations, provided by a wide range of entities to entice folks to use their facility for working, and also to provide a free service to those in services and business buildings. I took a family member to a hospital for surgery early this year, and I noticed an abundance of public USB chargers, with multiple types of cables attached, in every lobby, and in each of the patient rooms.
However, these popular charging stations are increasingly installed with data skimmers in the USB charger ports and USB cable ends. The skimmers are similar to how those credit card reader skimmers work, except the USB charger skimmers are almost impossible for most people to easily identify. While someone is charging, aka “juicing,” their phone or computing device, these skimmers basically are high jacking, aka “jacking,” the charging activities to simultaneously steal the data, infiltrate networks, load malware, and a wide variety of other malicious activities. So, juice jacking is using USB ports, cables, and chargers to perform other, surreptitious and malicious activities, unbeknownst to those using them to simply charge their devices.
The earliest public discussions in network security journals and at security conferences that my team
has been able to identify were in 2005, when security researchers were looking at the possible risks
within controlled research labs. In 2006 there emerged a few public-wide reports. A business
acquaintance of mine, an electrical engineer, created what he called a juice jack blocker around 2008
or so. He said he had sold a large number of these little gadgets to a couple of large government
agencies, and he was trying to get them to a larger market, but the risk appetite was not there in 2008.
There was no “in the wild” examples of cybercrooks using juice jacking tactics. However, given that there are no generally no types of digital evidence left behind that would show malware was loaded by juice jacking tools, or that data was exfiltrated by juice jacking tools, or any one of the other unlimited types of harms that could occur, such evidence would not be available to prove those actual in the wild examples anyway. It would be hard to obtain. However, by using CCTV that records such USB charges stations, and doing regular, frequent inspections of the charging stations themselves, it would become more possible to prevent juice jacking activities, as well as to help determine with a level of certainty that a juice jacking attack was the reason for subsequent problems experienced by the victims, and the other networks, systems, and applications they used.
CI: What spaces have the biggest risks of juice jacking incidents?
RH: USB ports, cables, and charging hubs located in all public locations, and locations where various individuals from the public may obtain access, are at risk. For example, such as in hospital rooms; conference centers and rooms; hotel lobbies, meeting rooms and visitor rooms; airports; school rooms, auditoriums and gymnasiums; etc., are at risk. Those in areas with no CCTV/etc. monitoring, no frequent inspection of the USB ports, cables and charging station equipment, and that are connected to networks are at higher risk. The less oversight of such equipment that occurs, the more likely that the equipment will be used for juice jacking.
CI: How can management ensure data is safe when employees are traveling for work, or are in unsecured Wi-Fi areas? Does it come down to providing USB juice jack blockers to employees; does it
fall on employees to avoid accessing company data in unsecured areas; or is it a mix of both?
RH: It is a mix of both. And helping employees understand that by using such juice jack blocking tools, and following remote access and computing policies and procedures, they are not only protecting their organizations, clients, customers, and patients, but they are also protecting their own personal data, networks, and devices. Organization management need to invest in juice jacking prevention tools and establish procedures/practices for using them. Then they need to update their organization’s security and privacy policies and require remote and hybrid workers to implement juice jacking protections wherever they work, when the workers do not have total control over the charging devices in their work areas. Organizations then need to provide training covering these policies, procedures, and associated tips for a variety of contexts within which remote workers may be charging the devices, to all their workers who work, at any point in time in areas remote from their building facilities, where they also need to ensure charging stations are kept secure.
CI: What else is important for senior management to takeaway on this subject?
RH: I want to reemphasize to management an earlier point: Juice jacking typically leaves no digital evidence of the data stolen, access into the network, etc. It may result in malware being planted on the device or other component of a connected network, but it will typically not leave any evidence that the source was through a juice jack device. If management has read an article claiming juice jacking risks have never been seen and have not occurred in real-life juice jacking incidents, they are not getting full, accurate information. The fact is that just because evidence has not been left behind does not mean that these incidents have not been occurring in real-life. If management makes a decision that it is not work taking actions to prevent juice-jacking because of the lack of evidence to validate the incidents, the management’s organizations will become a favorite target of those who will plant juice jacker tools within their environments, and management will be left scratching their heads wondering how a privacy breach occurred, or malware was planted, when they followed the advice of all those juice-jack-nay-sayer security “experts.”
As a metaphor, consider this: You are seated at an airport boarding gate waiting area. Someone sits right behind you and he starts talking on his phone to his manager in his outdoor voice, telling the manager that he just met with Company ABC about helping them strengthen their information security practices, and that he believes he’s sold the CISO, Ms. X, on hiring him because he learned Company ABC had XX privacy breaches and YY security incidents in the past year, through exploitations of network, application, and systems vulnerabilities A, B, C, D and E. If you are a cybercrook, you now have information to hack into Company ABC. And, the salesman on the phone and Company ABC will have no evidence that this information used to hack them was provided from your overhearing that phone conversation; the salesman’s loud talking behind you will not leave any trail to provide evidence of you having obtained that information.
This situation actually happened to me a few years ago, hearing such sensitive information being collected (I called the CISO, who I knew, and let her know about this information leak by the salesman). If I had been a malicious cybercrook, and I could have exploited all the vulnerabilities I heard described, and that organization would have been left wondering how information was obtained that allowed for the security incidents and privacy breaches to occur. Similar to how juice jacking tools, like USB skimmers, can go undetected, and why they are risks that wise business leaders must invest a little bit of time and resources into mitigating and preventing.
CI: What can executives and senior management do to safeguard their facilities against the threat of juice jacking?
RH: There are several actions management can take, to not only offer capabilities for charging, but
also to prevent juice-jacking. My business created and keeps updated a tips list, “Protecting Privacy and Security While Traveling,” that provides a wide range of such advice for companies to use. And, by popular request, we will be releasing by the end of the year a new course covering this topic for organizations to provide to their employees, contractors, and even friends and family. CI
Herold has over 30 years of IT, security and privacy experience and is founder of The Privacy Professor Consultancy (2004) and of Privacy & Security Brainiacs SaaS services (2021). She has authored 22 published books so far, co-authored NIST catalogs, served as an expert witness for a wide variety of cases, and since early 2018 has hosted the Voice America podcast/radio show, Data Security & Privacy with the Privacy Professor.
