A few days ago, State Bank of India (SBI), the country's largest lender, warned its customers against using public stations to charge gadgets such as mobile handsets, tablets or any other computer device.
In a tweet, SBI said, "Think twice before you plug in your phone at charging stations. Malware could find a way in and infect your phone, giving hackers a way to steal your passwords and export your data."
What SBI is warning about is possible hacking through hardware such as the universal serial bus (USB). This technique is known as 'juice jacking' among security experts, who have been warning users about it for many years. However, with the holiday season, SBI may have just revived the warning, especially for travellers.
Public mobile charging stations are common in crowded places. Telecom operators in India also provide charging stations for mobile handsets. Users who find their handsets running out of battery find these stations useful and happily plug in their mobiles for charging. However, it may not be as safe and secure as it appears.
There may be hackers behind these public charging stations, who may be waiting to steal information from your mobile, a process known as juice jacking.
Juice jacking involves a charging port that doubles as a data connection, typically over USB. Through this, hackers either install malware or surreptitiously copy sensitive data from a smartphone, tablet or other computer device.
The US National Security Agency, in late 2012, had warned government employees to use only their personal power charging cables and not to use public kiosks or charge devices through other people's computers, especially while travelling overseas.
In 2013, some security researchers and students from Georgia Institute of Technology demonstrated how juice jacking works. By using inexpensive hardware components, they constructed a small-sized wall-charger that could infect an iPhone through malicious software.
Some of those who watched ‘CSI: Cyber’ a few years ago would remember that juice jacking was at the centre of the 9th episode (L0M1S) of its first season released in April 2015.
This device, when plugged into any unprotected computer device (or mobile through on-the-go or OTG), can instantly and permanently disable the target hardware, the company claims.
“When plugged into a device, the USB Killer rapidly charges its capacitors from the USB power lines. When the device is charged, -200VDC is discharged over the data-lines of the host device. This charge/discharge cycle is repeated many times per second, until the USB Killer is removed,” USB Kill says. However, more about these devices in another article.
I mentioned USB Kill especially because, nowadays, many mobile users are lured by ‘fast charging’ and try to buy chargers that claim to provide more power for charging. Some of the ‘fast charging’ chargers, manufactured by companies other than the device-makers, claim to provide 18 watts or more. However, beware of such false claims. If there is no built-in protection in the charger, it may get burned or even fry your mobile device as well.
Coming back to juice jacking, there are certain precautions that users must take.
1. Never use a public charging station or anyone else’s laptop or PC for charging your electronic device like mobile, tablet or notebook.
2. Always use the charger and cable provided by the manufacturer of the device.
3. Buy a good-quality power bank with sufficient capacity (above 10,000 milliampere hour - mAh). (Read: More Power to Your Device!) This will take care of your device in case it runs out of power.
4. Try to use a cable (especially while travelling) that can be used only as charging cable and not data cable. It may, however, be difficult, since almost all cables sold in the market are capable of charging as well as data transfer.
Frequent travellers can think about buying SyncStop, earlier known as USB condom. This small device prevents a data connection from being passed through a USB cable by blocking the data pins. SyncStop costs $12.99 and can be bought from the company’s website (available in the US only).