Cybercriminals can use USB charging stations in airports, hotels, malls or other public spaces as conduits for malware
Over the past 10-plus years, modern smartphones and other portable devices have become our constant companions. These days, smartphones let us do much more than make phone calls or send text messages. Mobile technology puts the world at our fingertips and we use our phones in lieu of our computers for anything from sending e-mails to booking our vacations and checking our bank accounts. Laptops have also become more portable and travel-friendly, and their compact form factor makes their usage convenient ‘on the road’.
However, all these capabilities come at a cost. Phones and laptops cannot stay constantly plugged in like desktop PCs. With their often-power-hungry processors, they will only last for a short time on a charge. This is what the proliferation of public charging points wanted to solve by providing a convenient way for people to plug in their devices while not at home or work.
Security-wise, however, there are concerns with these charging spots. As the summer travel season looms, you may want to pay heed to a recent warning from the Federal Bureau of Investigation (FBI).
FBI warns: Avoid public charging stations
In a recent tweet, the Denver office of the FBI warned people against the usage of free charging stations in airports, hotels, or shopping centers, as bad actors have figured out ways to use public USB ports to introduce malware and monitoring software onto devices.
Avoid using free charging stations in airports, hotels or shopping centers. Bad actors have figured out ways to use public USB ports to introduce malware and monitoring software onto devices. Carry your own charger and USB cord and use an electrical outlet instead. pic.twitter.com/9T62SYen9T
— FBI Denver (@FBIDenver) April 6, 2023
Not unlike in earlier warnings of the same ilk, the FBI recommends that people bring their own chargers and USB cords with them, and use an electrical outlet instead (since adapters carry electricity, not data).
In juice jacking (a term coined by security journalist Brian Krebs in 2011), any device that connects to such a port through a USB cable could become a victim. Malware installed through a corrupted USB port can do a tremendous amount of damage to a device, including locking it, exfiltrating personal data and passwords, and giving crooks access to the device owner’s online accounts.
Hacked by a charger
We have all found ourselves needing a quick charge at some point, especially after a long day at school or outside – places where electrical outlets aren’t exactly easy to find. Many kids and students, for example, use public charging spots on buses/trains or in shopping malls. The issue is that since USB outlets are used for both charging and file transfers, their file transfer capability can be misused for transferring malware onto a device.
Moreover, even just a regular USB cable left somewhere could be malicious, mimicking the old tactic of “lost and found” malware-laden CDs or flash drives.
There are many types of malware that a crook could install onto your device. As mentioned previously, they could install ransomware, which locks your phone until you pay a “ransom,” but the promise of unlocking could be false. Likewise, they could install spyware, tracking your habits or your physical location. Then there are Trojans, which could serve multiple purposes, including data theft.
Awareness and vigilance go a long way
Regarding cybersecurity threats, awareness is the most important aspect. Otherwise, unsuspecting users would be more likely to fall prey to any kind of scam, data theft, breach, or another threat. This goes hand in hand with vigilance, which is especially important for people using their company-issued devices also for private purposes, as even a small mistake based on human error could end costing the company up dearly.
With that in mind, it’s better to be safe than sorry and take these precautions:
- As per the FBI, avoid using public USB charging spots. They can be used to compromise your devices, so opt to have your own outlet charger or an external power bank with you instead.
- Within your phone settings, try to disallow data transfers while charging. This setting is usually the default; however, it still is better to check and stay safe than sorry.
- Use “USB Condoms.” Yes, just like the name insinuates, these low-cost “condoms” connect to your USB port/cable and offer additional protection by severing any data transfer between a device and the charging point.
- Lastly, DO NOT use USB cables/power banks/flash drives or anything that connects to your device that is NOT yours or that you just found lying on the street or on a table.
With these points in mind, you can be sure that you are one step ahead of potential security issues related to charging, but if you still harbor some doubts, feel free to check out some of our other articles on WeLiveSecurity or the ESET Blog for additional tips and best practices.