Juice Jacking

CISO Update #21

This is the time of year when many of us are out shopping or travelling, and our phones and portable devices get used a lot. We’re comparison shopping in malls, GPS-ing to find alternate routes on crowded roads, and killing time in airports and on planes. Keeping our devices charged is critical, and more businesses are providing USB charging stations. Unfortunately, cyber-scammers know that and have found a way to turn that into an attack method.

The USB or Apple Lightning port is more than a power connection: it also supports synchronization and data transfer, which means that it’s a way in for hackers. Researchers have been demonstrating this attack since at least 2011. The basic idea is that once you connect your phone to a USB charger, it’s possible for a bad guy who has pre-hacked the charger to implant malware onto your phone, or to potentially use another phone on the same network to look inside your phone. While it’s not a widespread threat, it’s certainly a real threat.

What can you do?

  • Context matters. The chargers at a major airport lounge are much more likely to be safe than the ones in a small internet cafe.
  • Don’t jailbreak your phone, and keep your permissions closed as tightly as possible. For example, some phones will allow themselves to appear as hard drives to computers when connected over USB. Shut this off on your phones.
  • Use the charger (with the little cube that plugs into the wall) when you charge in public.
  • Use a USB blocker device designed to transfer power but not data. There are many on the market: they cost $25-$35.

This is by no means the only holiday-themed cyber scam out there. There are lots of good articles on our website and in other places about how to protect yourself from shopping and travel cyber attacks. Here’s a good example on travel security. Take a few minutes and read up.

Stay aware, have a wonderful and cybersafe holiday!

About Cybersafe
The Division of Information Technology is dedicated to informing the community of the latest cybersecurity threats. Visit fitnyc.edu/cybersafe and stay tuned for emails from [email protected] for the latest from the Cybersafe campaign at FIT.

Walter Kerner
Chief Information Security Officer
Division of Information Technology
