You’re in the airport, facing a long day of travel… and you forgot to charge your phone last night. You’re looking at the dreaded red battery symbol. And you just realized your wall charger is in your checked baggage. There, just up ahead, you see a public charging station, with several open USB ports. Is this your lucky day? Or is your day about to get a lot worse?
Any Port in a Storm?
But wait… why should I worry about charging my phone at the airport? Actually, you should think twice about charging your phone on any public USB port – or using any cables or chargers that you don’t own. Why? First of all, cell phone cables have two purposes: transmitting power and transmitting data. You might think that charging your phone wouldn’t involve exchanging data. But to charge your phone optimally, your phone will use the data channel to negotiate with smart chargers – for example to determine how much power to supply, which may vary over time or for other situational reasons.
Second, it’s possible to hack a cell phone using these data lines. This type of hack was demonstrated many years ago and, despite efforts to block these attacks, it’s still possible today. You may not realize this, but many USB cables are themselves “smart” – that is, they contain computer chips and software. You can even legally buy special iPhone cables with cyber hacking features built in. Using compromised cables or USB ports, it’s possible to hack a connected smartphone. This hack is referred to as juice jacking (which I’ve mentioned in several of my Best & Worst Gift Guides). In fact, some of the most effective forensic tools used by law enforcement, border agents and spies rely on plugging something into your phone’s Lightning or USB port (see Cellebrite and GrayKey). And the US government just published a warning to the general public about it.
So let’s talk about what it is and how to protect against it.
Cat and Mouse Game
Like most cybersecurity situations, hacking popular devices is a cat and mouse game between the attackers and the defenders. Attackers come up with novel attacks; defenders adapt and improve their defenses. Unfortunately, device makers are bound and determined to create new devices for consumers to purchase, with updated hardware and software. This invariably means new vulnerabilities, too. And so the game never ends.
Despite this, I think that device makers are making progress. When possible, they get their hands on these forensic tools so they can figure out how they’re bypassing their defenses and then fix the vulnerabilities. (If you have the time, Signal’s Moxie Marlinspike has a great article analyzing a Cellebrite kit that apparently fell off the back of a truck. Unbelievably fortuitous, really.) Device makers are also trying to build their hardware and software to be much more secure by default.
For example, if you have a recent iPhone or Android phone, you have probably noticed pop-up messages when you connect it via cable to another device, asking you if you want to “trust this device” or “allow device to access (whatever)”. Do not disregard that warning. Clicking “yes” here will allow the other device to access the data on your device and perhaps even install malware. If you ever see this message pop up when connecting your phone to a public USB charging port (or any device you don’t own), you should absolutely say “no” and probably disconnect it. (If you are a journalist, activist, or other high profile target, you should absolutely consider using Apple’s new Lockdown mode. But it’s overkill for most people.)
What You Can Do
So, how likely is it that a public USB charging port or taxi charging cable is going to hack your device? I honestly have no idea. But I’m guessing it’s not terribly likely. However, it’s also very easy to avoid with a little preparation – there’s no reason to take the risk.
Your best bet is just to completely avoid plugging your phone or tablet into any USB port belonging to someone you don’t know or trust. This would include coffee shops, airports, airplanes, taxis, Uber/Lyft rides, hotels, etc. This applies to both USB and Lightning cables. Taking that one step further, I would also avoid buying used cables or charging devices, or ones that aren’t in their original, sealed packaging.
To avoid being in a situation where you need to use a public USB charging port, you should buy some extra wall chargers and charging cables. Put one in each of your various travel bags, purses, carry-ons, etc. They can be expensive – particularly Apple ones – but it’s your best option. Unlike USB ports, there’s no hacking risk when using an electrical outlet, as long as you own the AC adapter.
Portable battery chargers or “power banks” are also very handy to have. I like the ones with built-in AC adapters, so you can use them as wall chargers, too. Anker makes some great ones. If you have your laptop with you, plugging your phone into one of its USB ports will usually charge the phone while plugged in. But if you need to travel light and insist on using public USB charging ports, get yourself a USB data blocker cable/adapter (sometimes called a “USB condom”) like this or this. Just know that charging times will likely be slower.
Need practical security tips?
Sign up to receive Carey's favorite security tips + the first chapter of his book, Firewalls Don't Stop Dragons.
Don't get caught with your drawbridge down!