Charging your phone in hotels or malls? Beware of juice jacking

The Cyber Security Agency of Singapore and the Singapore Police Force encourage users to switch off their mobile devices before charging them in public spaces.

SINGAPORE – People are at risk of having their mobile devices and data compromised by a variety of means, including tampered charging ports and USB cables.

In a joint advisory posted online on Monday, the Cyber Security Agency of Singapore (CSA) and the Singapore Police Force highlighted four ways such compromises could happen – when devices are inadvertently connected to rogue Wi-Fi access points, when the devices’ file-sharing functions are not secured, through Bluetooth connections, and through juice jacking.

Juice jacking refers to cyber criminals tampering with a charging port or USB cable to infect a device with malware or steal data, usually at charging stations that are available for free in public locations with high traffic.

The United States Federal Bureau of Investigation on April 6 warned consumers not to use public charging stations in airports, malls and hotels due to the prominence of juice jacking.

“Bad actors have figured out ways to use public USB ports to introduce malware and monitoring software on to devices,” it said. 

Mr Sean Duca, Palo Alto Networks’ vice-president and regional chief security officer for Asia-Pacific and Japan, told The Straits Times that there is always a danger of introducing malware into a device, whether it is through a public charging station or public Wi-Fi.

Users should always be mindful when connecting their devices, and read the permissions they grant in pop-up notifications, Mr Duca said.

Pop-ups such as “Do you trust this device?” should not be ignored, he said, adding that the same caution should be applied when giving apps permission to access folders and functions such as your photos and microphone. 

Mr Kevin Reed, chief information security officer of cyber-protection company Acronis, said that while it is theoretically possible for cyber criminals to introduce malware into the phone by exploiting mistakes in the software of devices, the probability of this happening in real life is negligible.

“In a public charging station, attackers have no control over what device they can attack, so it is very hard to target a specific person.

“On the other hand, attackers are more vulnerable to being discovered with this kind of attack because it requires physical presence to alter the charging station and add a malicious component to it,” he said.

He added that it is more costly and risky for cyber criminals to attack the public with this approach compared with other kinds of attacks, such as those carried out through phishing e-mails or SMS.

“The public is largely safe from it due to this cost-benefits ratio, and phones’ software vendors update the software to fix issues discovered,” Mr Reed said, adding that for this solution to be effective, users should always keep their phone updated to the latest operating system and be careful about giving public access to their device.

To curb the threat of juice jacking, the CSA and police advised all users to use a USB data blocker – a device that physically blocks data transfer due to the absence of the data wires – when connecting devices to publicly accessible charging ports. 

Users are also encouraged to disable automatic file transfer, and to switch off their devices before charging them in public spaces. 

Other measures include installing anti-virus applications, downloading apps from official stores, using strong passwords and clicking only on links from trusted sources.

The CSA and police also highlighted in the advisory the following ways people can protect their mobile devices and data.

1. Rogue Wi-Fi access points 

These are unauthorised wireless access points set up without the knowledge or permission of the network administrator or owner, and will usually be disguised as a legitimate access point with the same name and security settings. 

Users are advised to avoid using public Wi-Fi networks for sensitive activities such as online banking, or to use a virtual private network. Users should also disable automatic Wi-Fi connections so that their devices do not join unknown access points on their own.

2. Unsecured file-sharing functions

AirDrop on iPhones and Nearby Share on Android are functions that, when not properly secured, can grant cyber criminals in the vicinity access to the device’s data and allow for data to be extracted. 

Users are advised to disable file-sharing functions when they are not in use and configure their file-sharing settings to allow discovery only by their contacts to reduce the risk of unauthorised access.

3. Bluebugging 

Bluebugging is the illegal exploitation of detectable Bluetooth connections to gain access to user devices, potentially to steal information from the device and possibly to install malware.

Users are advised to disable the Bluetooth function when it is not in use, or set their devices to the “non-discoverable” mode.
