A Defensive Computing Checklist    by Michael Horowitz

HOME | About | Domain Names | VPNs | Rules of the Road | DC Presentation | ChangeLog | Stats |

JUICE JACKING

NOTE: On June 13, 2025 this topic was moved from the Extra Credit page to its own page. Also added the May 27, 2025 article from Kaspersky.

USB cables normally carry both data and electricity. Data can be a problem, as it is an avenue through which a device can be attacked. The attack is called Juice Jacking (maybe Juice-Jacking) and the potential danger was first raised back in 2011. There are multiple defenses (see below) but the most commonly suggested defense is a USB cable that only does power, no data. These cables go by multiple names: Power-Only cables, Charge-Only cables, USB Data Blockers or a USB condom.

May 27, 2025: For years, Juice Jacking attacks were not considered a real world threat. But, this article discusses new research: Data theft during smartphone charging by Stan Kaminsky of Kaspersky. The research is from Graz University of Technology in Austria, and the attacks were given a new name: ChoiceJacking. The White Paper describes three new attacks, two of which only work on Android, the third works on both iOS and Android. White papers have no date, so I don't know when it was published. The article says that Apple blocked these new attacks in iOS version 18.4 and Google blocked them in Android 15. That said, Samsung devices running the One UI 7 shell remain vulnerable, even after updating to Android 15.

1. This excellent article USB Data Blocker Teardown (Aug 2020) explains three different types of USB data blockers.
2. For an intro see How to Protect Yourself From Public USB Charging Ports by Chris Hoffman for How To Geek. August 2018.
3. Protect your data with a USB condom by Adrian Kingsley-Hughes for ZDNet. April 11, 2023. With two different popular types of USB ports, you may need multiple USB condoms: There are: USB-A-to-USB-A, USB-A-to-USB-C, and USB-C-to-USB-C.
4. Adafruit makes the PortaPow USB condom
5. SyncStop also sells USB cables/adapters that only do power.

There are a number of other defenses too:

1. Obvious: Rather using a public USB cable, plug into an electric outlet with your own cable and adapter
2. Obvious: Use your own portable charger/battery
3. Get a charge in your car, if possible
4. If you are desperate, Brian Krebs suggests that a phone is much safer if its powered off. This from his April 14, 2023 article: Why is 'Juice Jacking' Suddenly Back in the News?

The Krebs article was one a number of articles in April 2023 that asked just how likely such an attack is. It was probably the best. Another was: Actually, Charging Your Phone in a Public USB Port Is Fine by Heather Tal Murphy for Slate. April 13, 2023. Despite the click bait headline, the article does recommend using a USB condom. It is mostly a takedown of how the tech press works. It says there are no known instances of a phone being hacked due to plugging into a public USB port. Still, this assumes that installing malware on a phone is the only danger and ignores the issue of files that might be visible over the data connection - files that can be copied and thus leave no trace on the phone. The article also says that new Android and iPhones ask whether you want to share data or charge only when they plug into a USB port that is set up to capture data. Of course, a victim can answer the question wrong. And, the articles does not not define "new" so its not clear when this feature was added.

 

Copyright 2019 - 2025