Juice Jacking is a system where plugging into a public USB charging port or a rental car can download your data and install malware
I ran into this issue when renting a car both in the USA and in Europe. Once I plugged my phone into the auto USB port, I found my music automatically playing. And, my collection of phone numbers were displayed on the car console. That immediately got my attention.
I spent about half an hour reading how to stop the downloads and how to erase the data that the car collected via the auto USB port. Worse, I found about four other collections of data from prior auto renters. None were password protected. In the European rental cars, I found phone numbers from Spain, Portugal, and Germany.
I can understand the automobile version of Juice Jacking. It was in this case harmless; however, it was disconcerting to see my phone records and playlists displayed. Every automobile is designed to make using your mobile device easier to use and less distracting. However, there are privacy concerns if your data is being sucked into the auto’s hard drive. The only way that your data can be stolen is if the next renter downloads it or if a criminal moved auto-to-auto downloading the data. Both are relatively unlikely.
To make sure that your data is not being sucked into the automobile system through the auto USB port, use a cigarette lighter power port. The same goes for public USB charging ports — don’t use them.
Types of Juice Jacking
According to Malwarebytes Labs, there are two ways juice jacking could work:
- Data theft: During the charge, data is stolen from the connected device.
- Malware installation: As soon as the connection is established, malware is dropped on the connected device. The malware remains on the device until it is detected and removed by the user.
Data theft allows cybercriminals to steal any and all data from mobile devices connected to charging stations through their USB ports. And, malware installation embeds the bad software onto a user’s device through the same USB connection.
Many of today’s malware families are designed to hide from sight, so it is possible users could be infected for a long time and not know it. Symptoms of a mobile phone infection include a quickly-draining battery life, random icons appearing on your screen of apps you didn’t download, advertisements popping up in browsers or notification centers, or an unusually large cell phone bill. But, sometimes infections leave no trace at all, which means prevention is all the more important.
Basically, anytime anyone is tempted to plug into a USB port with your mobile phone or iPad, don’t
To charge a phone at airports, only use AC adapters to be absolutely sure.
The LA Police Department has warned passengers against using the USB AC adapters at airports, hotels, and other locations. I always use the actual plug for my own adapter and the charge my phone, iPad, or laptop. Using your own adaptor can eliminate the possibility of juice jacking to take place.
Use an AC power outlet, not a USB charging station.
Take AC and car chargers for your devices when traveling.
Consider buying a portable charger for emergencies.
Why you should never use airport USB charging stations
Many security experts advise against using any public USB charger. However, if someone is desperate, they should not plug into a cord that is hanging from the charging station. These “forgotten” charging cords often have an extra chip inside that can deploy malware. Don’t take them and don’t use them.
…may seem excessive to the average traveler, Barlow [Vice President of X-Force Threat Intelligence at IBM Security] says it’s smart to worry about public USB power stations. A growing number of nation-state hackers are now training their sights on travelers, according to new research from IBM Security. The 2019 IBM X-Force Threat Intelligence Index reveals that the transportation industry has become a priority target for cybercriminals as the second-most attacked industry — up from tenth in 2017. Since January 2018, 566 million records from the travel and transportation industry have been leaked or compromised in publicly reported breaches.
Use extra caution when renting a car
If syncing your own vehicle to your phone poses a security risk, that risk increases tenfold when using a rental car. Never synch your phone with anyone else’s car or any rental car.
According to a report from Privacy International, most major rental-car companies have no policies to delete sensitive information that is collected during a rental once a user returns the car. You may have experienced this yourself if you’ve ever picked up a rental and find that the device information of the last 10 renters was still stored in the vehicle. That means, if you were to sync your own phone, the next renter would have your information at their fingertips.
It’s fun to have your own music blasting through your ride, and it’s convenient to sync your stored addresses to the car’s GPS system. But no fun or convenience is worth the risk this move can pose to your privacy and safety.
You can delete your device’s information from the car you rent, but that can also be scraped by a low-level hacker. To be completely safe, it’s best not to sync your phone when renting a car at all.
If you frequently use rideshare programs like Uber and Lyft, your driver might generously allow you to sync your phone to the car’s infotainment system so you can listen to your favorite song while waiting for the traffic to clear. This, too, can put your information at risk. If a driver ever makes this offer, pull out a pair of earbuds and tell the driver no thanks.
How to protect yourself when renting a car
Follow these precautions and your information should be safe.
• Never sync your phone with a rental vehicle or a ride-share car.
• Don’t plug into USB ports in rental cars.
• Delete any personal information already stored in your vehicle.
• Adjust your phone’s settings to the strongest security levels.
• Restrict the amount of information your vehicle can access and don’t allow it to store or access information without re-syncing to your phone.
Don’t let convenience put you at risk! Exercise caution and protect your privacy when syncing your phone to your car.
Charlie Leocha is the President of Travelers United. He has been working in Washington, DC, for the past ten years with Congress, the Department of Transportation and industry stakeholders on travel issues. He was the consumer representative to the Advisory Committee for Aviation Consumer Protections appointed by the Secretary of Transportation from 2012 through 2018.