Features Podcasts Family Video Comics Music Tech Science Books Film & TV Games ✚

Jill

Should you use public cell-phone charging kiosks?

Xeni Jardin at 11:35 am Wed, Aug 17, 2011

— FEATURED —

Book Review

The Man Who Laughs: grotesque Victor Hugo potboiler was the basis for The Joker

Feature

Eurovision 2013: An American in London

Book Review

The Twelve-Fingered Boy - mesmerizing YA horror novel

— FOLLOW US —

Boing Boing is on Twitter and Facebook. Subscribe to our RSS feed or daily email.

 

— POLICIES —

Except where indicated, Boing Boing is licensed under a Creative Commons License permitting non-commercial sharing with attribution

 

— FONTS —

Tweet
Kindle

Beware of Juice-Jacking, warns security researcher Brian Krebs. Those cell-phone charging kiosks in airports and other public places amount to an "unknown device that could be configured to read most of the data on your phone, and perhaps even upload malware."

Boing Boing editor/partner and tech culture journalist Xeni Jardin hosts and produces Boing Boing's in-flight TV channel on Virgin America airlines (#10 on the dial), and writes about living with breast cancer. Diagnosed in 2011. @xeni on Twitter. email: xeni@boingboing.net.

More at Boing Boing

Eurovision 2013: An American in London

The technology that links taxonomy and Star Trek

  • Alvis

    Luckily it’s trivial to construct an adapter that passes power but no data.

    • eagleapex

      You posted this as I typed “I bet this could be avoided by a custom USB dongle where the Data pins aren’t connected to the host, but trick the phone into knowing everything’s ok (like the minty boost does)”

      And then had to reset my password.
      Great minds think alike!

      • digi_owl

        According to the USB charging spec, shorting the data pins is a signal to the device that it will get up to 1800mA from the port. The same charging spec also say that if there is no data traffic (but the data pins are still intact), the usb2 port should be allowed to deliver up to 1500mA. This because usb2 cables and ports are actually rated to handle as much (normally a usb port only deliver 500mA, in increments of 100, on request).

    • http://www.facebook.com/zerhackermann Michael Hazen

      Cel phone condom FTW!

    • http://www.facebook.com/people/Brian-Huntington/1389561896 Brian Huntington

      That’s sarcasm, right?

  • kP

    It’s funny, I was just at the airport a week ago and had the same thought….   people assume it’s just a jack and don’t think “what’s behind it?”.   If I was the TSA I’d be all over that one.   Of course, people preparing to die probably aren’t that concerned about their battery level…

  • jnobbe

    That’s like giving the thief the keys to your house.

  • rossjordan

    I wouldn’t use the “charging station” at Defcon, but frankly, the risk of a charging station at an airport being malicious is similar to paying for food with a credit card at an airport (either the agent or the machine could be malicious). Buying a coke from a vending machine could also be malicious (it might be a fake poisoned coke). Of course there’s some risk whenever you interact with strangers or strange devices – but there’s usually some minimal vetting to install a device in the secured area of an airport.

    • Snig

      That’s what I would have thought, but a friend of a friend used one, and his phone was infected with the Good Times virus and it infected the control circuits of his fridge and made his ice cream go all melty. 

    • cymk

      I would compare it closer to using a public access USB terminal with your laptop rather buying a coke or using a credit card. Most phones are configured to transfer data as well as power from the same plug on the phone.

    • http://www.androidpolice.com/author/abhiroop-basu/ Abhiroop Basu

      Yes I agree. I mean if I’m boarding a plane it’s usually for an international flight which will take a few hours and my phone will be switched of for the duration. Hence, I don’t really need to charge a phone. On the other hand I may need to make an urgent call and need just that extra bit of juice. Either way I would risk it. I don’t think I have any particularly senstive data.

    • digi_owl

      Credit cards have a third party involved tho, the company that issued the card.

  • snowmentality

    I wouldn’t use a charging kiosk because they cost way too much money. Better to camp on the floor by an outlet.

  • snowmentality

    P.S. I know the article talks about free charging kiosks. I’ve never seen one of those in an airport.

  • NegativeK

    Public charging kiosks are like open wireless access points in airports.

    Of course, a random guy at an airport (on my way to Defcon, no less,) didn’t understand why randomly picking open wifi is a bad idea after asking how I was on the internet.

  • warmlogic

    I’ve seen way more free charging kiosks at airports that have AC outlets than have USB/data plugs. No fear with the AC!

    • Chrs

      Not yet.

  • Alexander Benenson

    The techie types that read this blog understand that using an AC adapter between your phone and the kiosk/outlet will prevent any hacking, but I’m sure many non-geek folks won’t realize this, and will now start freaking out after reading this article or hearing the info 2nd hand.

    • penguinchris

      I see this as a good thing, as it will free up the outlets :)

  • http://www.facebook.com/neowolfwitch Wolf Ilandl Butler

    Most that I’ve seen have both regular outlets and USB charging ports. I always opt for the outlet. Some airports DO have free ones- either ad-supported (you have to stare at an ad while you are sitting there) or are installed by the airlines. (Southwest seems to do this a lot.)

  • David Forbes

    I was just in a couple airports with free USB charging kiosks located next to AC wall outlets. I assumed that they are just power supplies, since they’re built into the wallbox and don’t appear to have any room to hold an internal computer.

    Nonetheless, the USB data block is very simple to build, requiring only a jack, a plug and four resistors. Each data line needs 180K to 5V, 270K to gnd.

    • http://www.facebook.com/harrkev Kevin Harrelson

       For most devices, you do not need even that.  Just the two power lines (gnd and +5), and leave the data lines floating.  Of course, YMMV depending upon the device (iPhone, iPod, etc.).

  • Donald Petersen

    I don’t get around all that much, but I’ve never had trouble finding an unoccupied AC outlet to plug my own charger into.  I don’t think I’d plug into any old USB connector that was lying around, even if it is at a more civilized waist-level than those barbaric AC outlets near the floor.  I get irritated enough by my phone complaining about being plugged into an “unsupported cable” (which charges it just fine anyway).  The last thing I wanna worry about is whether some scamp is moving data to or from my phone.

  • http://twitter.com/landwomble Ric

    Are there *any* public exploits that can get data off a cell phone without any user interaction?  I.e. without someone clicking “mount usb drive” on the phone display.  The *only* reason this story is exists is because some hipster came up with the term “juicejacking” and thought it sounded cool…see also “bluesnarfing” (which affected about 3 nokia phones that were years obsolete by the time)…

  • http://www.facebook.com/the.real.adam.young Adam Young

    Someone beat me to the punch, but I was going to suggest some sort of condom-like device for the data connectors of one’s device.

    • gadgetphile

      When trying to use a 7-port USB hub (not connected to a computer) to charge a bunch of devices, the hub was being a bit recalcitrant (probably since it saw no host computer), so I put a strip of Post-It note over the center two contacts of my USB plug. That would work in this case too.

  • lvdata

    My android phone asks what I want to do with the USB connection. I DON’T want to unmount the SD card, so mine is set to default to charge only. My old palm pre did that also. Are just Iphones and Windows phones vulnerable? 

    • penguinchris

      You can do near anything you want with a plugged-in Android phone via the command-line ADB program, whether the SD card is mounted or not, though AFAIK it won’t work with non-rooted, locked-bootloader phones.

      So, most people have nothing to worry about, though there are a lot of people that root their Android phones that don’t necessarily understand the security implications. But, why would anyone bother to target that audience in someplace like an airport terminal? You’d get a ridiculously small number of hits that actually allow access.

      • thaum

         No. You need to explicitly turn on debugging on your phone to make adb worked, whether rooted or unlocked or what have you — and even if you are, it’s a simple matter to turn debugging back off if concerned.

  • Spriggan_Prime

    And those ‘do not remove’ tags on your mattress are so the CIA can spy on you.

    In this day and age with WiFi and Bluetooth why would anyone need you to plug in your fairly unsecured mobile device to steal your data? It’s already whizzing through the air like a Wonka bar and Mike TeeVee. Just reach out and grab it.

  • travtastic

    Or you could just get one of these.

    Or one of these.

  • http://profiles.google.com/robjmack Robert Mack

    I fully trust Bacardi, they just want to charge up my night, not grab relevant info from my phone to use in improving their marketing targeting efforts. 

  • http://twitter.com/Listener43 Listener43

    I covered this almost a month ago:
    http://iheardacouplethings.blogspot.com/2011/07/h2o-and-usb.html

    Please, don’t use usb without protection, folks.

  • schadenfreudisch

    be very afraid… all the time