What is juice jacking?
Juice jacking is a security exploit in which an infected USB charging station is used to compromise devices that connect to it. The exploit takes advantage of the fact that a mobile device's power supply passes over the same USB cable the connected device uses to sync data.
Juice jacking exploits are a security threat at airports, shopping malls and other public places that provide free charging stations for mobile devices. While the risk of becoming the victim of a juice jacking exploit is low, the attack vector is real and is often compared to ATM card skimming exploits from years past. Both juice jacking and card skimming rely on the end user feeling confident that the compromised hardware is safe to use.
How juice jacking works
Juice jacking is a hardware-focused man-in-the-middle attack. The attacker uses a USB connection to load malware directly onto the charging station or to infect a connection cable and leave it plugged in, hoping an unsuspecting person comes along and uses the "forgotten" cable.
Juice jacking exploits are successful because the same port used to charge a device also transfers data. A USB connector has five pins. But only one is needed to charge a connected device, and only two of the five pins are needed to transfer data. This architecture is what enables an end user to move files between a mobile device and a computer while the mobile device is connected to the charging station.
USB ports and phone charging cables are the most common devices used in juice jacking attacks. Other less common devices may include USB ports in video arcade consoles and portable battery power banks.
How to prevent juice jacking
Juice jacking enables an intruder to copy sensitive data from a mobile device, such as passwords, files, contacts, texts and voicemails. Users may not know they have been a victim of an attack until they realize their device is infected.
Users can guard against juice jacking attacks by purchasing a protective attachment called a USB condom. A USB condom is a device that connects to a charging cable and sits between the device's charging cable and the public USB charging station.
A USB condom works by blocking connections to all the pins in the USB male connection except one -- the pin that transfers power. The USB condom prevents the pins that transfer data from establishing a connection, while still allowing the device to charge.
Another way to prevent juice jacking is to avoid using chargers left plugged into outlets. Also, keep mobile devices and software programs updated, and never accept free promotional charging devices or devices from unverified sources.
Types of juice jacking attacks
- Data theft. In data theft juice jacking attacks, users are not aware their sensitive information has been stolen. Depending on how long a device is left plugged into a compromised cable or port, large amounts of data may be compromised. Given enough time and storage space, attackers may even be able to make a full backup of the data on a device.
- Malware installation. When malware installation juice jacking attacks occur, malware placed on the device may do a great deal of damage, including manipulation of a phone or computer, spying on a user, locking the user out of the device or stealing information.
- Multidevice attack. On top of harming the device plugged into a compromised charger, a device charged by infected cables may, in turn, infect other cables and ports with the same malware, becoming an unknowing carrier of the virus.
- Disabling attack. Some malware uploaded through a charging device can lock owners out of their devices, giving full access to the attackers.
Juice jacking history
Juice jacking emerged at the DEF CON hacking conference in August 2011. Conference attendees were offered free charging stations for their mobile devices. When they plugged them in, a message appeared warning them not to trust convenient but suspicious offers of free charging because the devices could be loaded with malicious code.
In response to juice jacking, Apple and Android updated their devices to warn users whenever they charge and to allow users to choose whether to trust the charging port, power bank or other charging process. If users choose the untrusted device option, their devices only charge and do not allow data transfer.
Editor's note: The definition was written by Laura Fitzgibbons in 2020. TechTarget editors revised it in 2023 to improve the reader experience.