
FBI Warns Against Public Charging Stations for Consumer Devices

The FBI has issued a warning advising people against using public charging stations. This comes after criminals were able to plant malware on the stations, which allowed them to gain access to users' phones, tablets, or computers. According to a tweet from the FBI's Denver field office, these "bad actors" have found ways to use public USB ports to introduce malware and monitoring software into devices. The FBI is advising people to carry their own chargers and USB cords and use an electrical outlet instead. The Federal Communications Commission has also been warning consumers since 2021 about "juice jacking", as the malware-loading scheme is known.


But how do these charging stations work? According to Josh Pauli, Ph.D., Department Head of Cyber, Intel, and Info Operations, College of Applied Sci & Tech at The University of Arizona, "users have little way of knowing what they are plugging a phone into. Most of these kiosks are designed to be just cords or ports available for public use with no visibility into the system those cords and ports ultimately connect to." Therefore, the risk of using these kiosks lies in the fact that people don't know what their phones are ultimately connecting to.


Malware infection can occur when malware has been loaded either onto the computer system that a phone ultimately connects to at a kiosk or onto a USB cord that is available at a kiosk. This attack has been around for almost a decade, after gaining traction in the hacker community at DEF CON.


Enterprises that utilize work-from-home or bring-your-own-device policies are not specifically at risk, but any device user is susceptible to this attack. Pauli advises people to pack their own charging cables, or use a battery pack and charging cord, and not to rely on external resources. People should also be aware of any odd behavior on their device while plugged into these kiosks and read any prompts from their device before clicking "accept" or "continue".
