What is “Juice Jacking” and should it bother you?

Juice jacking is a term coined by the US computer security journalist Brian Krebs.

It refers to the theoretical possibility of having data stolen from, or malware inserted into, a phone or tablet via its USB charging cable.

A USB cable normally has four individual wires. Two of these are for data transfer and two are for charging. If you connect your phone or tablet to a public USB charging socket (in a coffee bar or hotel room, for instance), you have no way of knowing whether the socket is connected to electronics that can use the data connections either to inject malware into your device or steal data out of it. And there’s no point in iPhone owners being smug: your devices are just as vulnerable as Android devices.

If you carefully inspect your USB charging cable it will tell you… absolutely nothing. There is no mark or label or icon in the USB standards that do anything to differentiate between a data transfer cable and one that only enables charging (ie a cable that does not have the data transfer wires). There’s nothing stopping you from pulling the cable to pieces to see if it’s got two wires or four inside, but I wouldn’t recommend it.

Luckily, this is where the bad news stops. From now on, things get a little brighter.

You could buy a charging cable that is specifically described as a “charging cable”, or you could buy a USB extension lead that only has the charging wires, such as these from Amazon. You can then just connect your existing cable to the extension, knowing that no data transfer can get past the extension cable. You will see on the Amazon page that these cables are sometimes known as “power connector condoms”. I’m sure there’s a good puerile joke there, somewhere, but I can’t think of it at the moment.

An alternative is a “data blocker” that comes in the form of a small USB device that does the same job as a charging cable or charging extension cable.

The next bit of good news is that this problem only applies to charging via a USB cable. If you are using a laptop with its own AC adaptor (the big black lumpy thing), there is no danger when connecting to a power outlet.

Also, if you connect your USB cable to a three pin plug that has a USB socket then that, too, is safe.

And the final bit of good news is that there are no actual, documented, cases of juice jacking ever happening “in the wild”. This Malwarebytes page does say that there have been some unsubstantiated reports of it occurring in the USA, but I don’t count anything that happens outside the M25 as being real (only joking).

And what do I do? I always carry a three pin plug with a USB charging socket. Failing that, except for dire emergencies, I would rather do without my phone for a few hours (gasps of horror and disbelief) than take an un-necessary risk with a public USB charging point.

So, should it bother you? I think I would recommend getting into the habit of using a charging extension cable or data blocker if you find yourself often using USB charging sockets in public places. Failing that, I would recommend using a socket on a three pin plug. However, if your idea of computer security still involves using the word “password” as your password for every account you have (maybe with the addition of a digit or two at the end), then I think you have more urgent security matters to address than juice jacking.

---