How to avoid smartphone juice jacking

Have you every heard of smartphone juice jacking? No? Well, don’t worry, because you aren’t alone.

Clearly, the practice isn’t all that well known, probably because it has yet to become a major security threat. However, a group of researchers recently warned that juice jacking could become one.

It certainly seems innocent enough at first glance: a free charging kiosk at an airport, hotel or shopping mall.

Most people wouldn’t hesitate to charge their dying smartphones – even though the kiosk could theoretically be configured to read most of the data on a device and upload malware. 

To demonstrate the potential threat, Brian Markus, president of Aires Security, along with fellow researchers Joseph Mlodzianowski and Robert Rowley, built a juice jacking kiosk at Defcon 2011 to educate the masses about the risks associated with blindly plugging in mobile devices.

“We’d been talking about how dangerous these charging stations could be. Most smartphones are configured to just connect and dump off data,” Markus told Brian Krebs of Krebs on Security. 

“Anyone who had an inclination to could put a system inside of one of these kiosks that when someone connects their phone can suck down all of the photos and data, or write malware to the device.”

According to Markus, one DefCon attendee claimed his phone had USB transfer off and insisted he would be fine.  

“[But] when he plugged in, it instantly went into USB transfer mode… He then sheepishly said, ‘Guess that setting doesn’t work.'”

So what can you do to avoid juice jacking?

Well, Markus recommends using a supplied power cord that plugs into a regular electric outlet to charge your device. Battery-powered mobile charging devices – which are available at many airports – are also a good option.

However, if there is no other choice but to select a random charging kiosk, you may want to completely power down the device before plugging it in. 

“One thing we discovered: On certain devices, if you power them completely off, then charge them, they don’t expose the data,” Markus added.