Juice Jacking: Are public smartphone chargers safe?
The smartphone's ever-growing ubiquity has led to the rise of public kiosks for recharging smartphones. These have been appearing in airports, malls and food courts, and come in both free and paid-for variants. The question is, are they safe to use? After all, putting a strange jack in your socket isn't always the best idea.
The proliferation of these kiosks has led to a new type of hack called "juice jacking". Juice jacking is the process of leaching data from a mobile device – such as a smartphone or tablet – via a public charging kiosk. It's ATM skimming for the iPhone generation.
Adrian Wood, director of ethical hacking company Whitehack, told CyberShack that compromising an existing charging station or building his own would be a fairly simple process.
"Setting up a fake charging location in a popular public area or compromising an existing station would be relatively easy," said Wood. "I’d need about AUD$50 to AUD$60 worth of electronic components and a couple of hours at home to prepare."
Building his own would be a somewhat more costly affair.
"Depending on the quality of the charging kiosk I wanted to fake, you’d still be only looking at a AUD$200 minimum spend, but likely the figure would be closer to AUD$500 for a really nice looking one. You’d see a return on investment from that relatively quickly based on what you could pull off people’s phones, provided you could get the type of data people are willing to pay for."
Of course, the hard part is actually installing the modification or the fake kiosk. Wood says this is something one would have to do while an area is quiet, or by pretending to be maintenance personnel.
"The risk of getting caught means that juice jacking is an unlikely attack scenario."
While juice jacking isn't yet a common hack, Wood says that Australians should still take precautions when using public charging kiosks.
"The safest thing to do is to turn your phone completely off before you plug in [to a public charger], or use your own wall charger if you happen to be carrying it around with you," said Wood. "There's so many unknown variables with this [kind of hack], so for me to say install this piece of software, encrypt your phone, or use a PIN and you'll be safe, is not adequate protection."
Unfortunately, a user has very little way of telling whether a charging kiosk has been compromised. Newer Android devices and iPhones running iOS 7 or better do, however, provide a notification when a data connection is established between the phone and a computer.
"If you plug into a public station and get a pair indicator, I guess you’re going to have to let your phone go flat, cause you can’t leave it there."
Wood says Australians should be alert, but not alarmed; presently the path to monetising stolen data from charging kiosks isn't "simple or clear". Despite this, rewards for a successful hacker could be "pretty neat".
"People’s entire lives, bank accounts, and so on, are on these devices."