The FBI warned that public charging stations with USB ports could download malware onto the devices of unsuspecting users.
Malicious actors can use USB ports, which are often available at locations such as airports and public transit for travelers running low on charge, as mechanisms to add malware to unsuspecting users’ phones or computers, thereby permitting criminals access to passwords or transactions.
“Avoid using free charging stations in airports, hotels or shopping centers,” the FBI’s field office in Denver warned on social media last week. “Bad actors have figured out ways to use public USB ports to introduce malware and monitoring software onto devices. Carry your own charger and USB cord and use an electrical outlet instead.”
Government officials have been cautioning against public chargers for several years. The Federal Communications Commission previously announced that “juice jacking” can occur through USB ports; software used by the criminals can then “lock a device or export personal data and passwords directly to the perpetrator,” using the information to “access online accounts or sell it to other bad actors.”
Fraudsters have been known to pass out infected cables as promotional gifts or leave their cables plugged into USB outlets. The Federal Communications Commission recommends that travelers use AC power outlets, avoid USB outlets, and bring their own charging cables or external batteries with them. Charging-only cables, which do not permit data to be transferred, can also be obtained through trusted suppliers.
Analysts from the Institute of Technical Education and Research in India likewise concluded in a paper that the use of an external power bank is “the best approach to avoid juice jacking attacks.” Security Research Labs said on one website that benign devices can possibly “turn malicious” from a juice jacking and infect other USB devices.
“No effective defenses from USB attacks are known. Malware scanners cannot access the firmware running on USB devices,” the cybersecurity consulting firm remarked. “Behavioral detection is difficult since behavior of an infected device may look as though a user has simply plugged in a new device. Blocking or allowing specific USB device classes and device IDs is possible, however generic lists can easily be bypassed.”
The practice of juice jacking, on the other hand, does not appear to be particularly prevalent despite the warnings from multiple agencies. When the Los Angeles County District Attorney’s Office published an advisory about the threat in 2019, a report from TechCrunch confirmed that the officials had seen “no cases” of juice jacking. It said the alert was part of “an ongoing fraud education campaign.” Experts told the outlet that the threat was largely theoretical at the time.
CLICK HERE TO GET THE DAILY WIRE APP
Malware meant to assist criminals with accessing users’ personal accounts has been used by terrorist groups such as Hamas, which was able to infect computers through Microsoft Office documents last year. The software permitted the anti-Israel fundamentalist Islamic group to collect GPS coordinates, monitor keystrokes, activate hidden cameras, and steal data from files.
Governments across the world have been increasing cyberspace capabilities in recent years to protect domestic businesses and conventional military operations. The United States Cyber Command, also known as CYBERCOM, was upgraded to a full and independent unified combatant command in 2017.