Should you use public cell-phone charging kiosks?

Beware of Juice-Jacking, warns security researcher Brian Krebs. Those cell-phone charging kiosks in airports and other public places amount to an "unknown device that could be configured to read most of the data on your phone, and perhaps even upload malware."


    1. You posted this as I typed “I bet this could be avoided by a custom USB dongle where the Data pins aren’t connected to the host, but trick the phone into knowing everything’s ok (like the minty boost does)”

      And then had to reset my password.
      Great minds think alike!

      1. According to the USB charging spec, shorting the data pins is a signal to the device that it will get up to 1800mA from the port. The same charging spec also says that if there is no data traffic (but the data pins are still intact), the usb2 port should be allowed to deliver up to 1500mA. This is because usb2 cables and ports are actually rated to handle as much (normally a usb port only delivers 500mA, in increments of 100, on request).

  1. It’s funny, I was just at the airport a week ago and had the same thought… people assume it’s just a jack and don’t think “what’s behind it?”. If I was the TSA I’d be all over that one. Of course, people preparing to die probably aren’t that concerned about their battery level…

  2. I wouldn’t use the “charging station” at Defcon, but frankly, the risk of a charging station at an airport being malicious is similar to paying for food with a credit card at an airport (either the agent or the machine could be malicious). Buying a coke from a vending machine could also be malicious (it might be a fake poisoned coke). Of course there’s some risk whenever you interact with strangers or strange devices – but there’s usually some minimal vetting to install a device in the secured area of an airport.

    1. That’s what I would have thought, but a friend of a friend used one, and his phone was infected with the Good Times virus and it infected the control circuits of his fridge and made his ice cream go all melty. 

    2. I would compare it closer to using a public access USB terminal with your laptop rather than buying a coke or using a credit card. Most phones are configured to transfer data as well as power from the same plug on the phone.

    3. Yes I agree. I mean if I’m boarding a plane it’s usually for an international flight which will take a few hours and my phone will be switched off for the duration. Hence, I don’t really need to charge a phone. On the other hand I may need to make an urgent call and need just that extra bit of juice. Either way I would risk it. I don’t think I have any particularly sensitive data.

  3. I wouldn’t use a charging kiosk because they cost way too much money. Better to camp on the floor by an outlet.

  4. P.S. I know the article talks about free charging kiosks. I’ve never seen one of those in an airport.

  5. Public charging kiosks are like open wireless access points in airports.

    Of course, a random guy at an airport (on my way to Defcon, no less,) didn’t understand why randomly picking open wifi is a bad idea after asking how I was on the internet.

  6. I’ve seen way more free charging kiosks at airports that have AC outlets than have USB/data plugs. No fear with the AC!

  7. The techie types that read this blog understand that using an AC adapter between your phone and the kiosk/outlet will prevent any hacking, but I’m sure many non-geek folks won’t realize this, and will now start freaking out after reading this article or hearing the info 2nd hand.

  8. Most that I’ve seen have both regular outlets and USB charging ports. I always opt for the outlet. Some airports DO have free ones- either ad-supported (you have to stare at an ad while you are sitting there) or are installed by the airlines. (Southwest seems to do this a lot.)

  9. I was just in a couple airports with free USB charging kiosks located next to AC wall outlets. I assumed that they are just power supplies, since they’re built into the wallbox and don’t appear to have any room to hold an internal computer.

    Nonetheless, the USB data block is very simple to build, requiring only a jack, a plug and four resistors. Each data line needs 180K to 5V, 270K to gnd.

    1. For most devices, you do not need even that. Just the two power lines (gnd and +5), and leave the data lines floating. Of course, YMMV depending upon the device (iPhone, iPod, etc.).

  10. I don’t get around all that much, but I’ve never had trouble finding an unoccupied AC outlet to plug my own charger into. I don’t think I’d plug into any old USB connector that was lying around, even if it is at a more civilized waist-level than those barbaric AC outlets near the floor. I get irritated enough by my phone complaining about being plugged into an “unsupported cable” (which charges it just fine anyway). The last thing I wanna worry about is whether some scamp is moving data to or from my phone.

  11. Are there *any* public exploits that can get data off a cell phone without any user interaction? I.e. without someone clicking “mount usb drive” on the phone display. The *only* reason this story exists is because some hipster came up with the term “juicejacking” and thought it sounded cool…see also “bluesnarfing” (which affected about 3 Nokia phones that were years obsolete by the time)…

    1. When trying to use a 7-port USB hub (not connected to a computer) to charge a bunch of devices, the hub was being a bit recalcitrant (probably since it saw no host computer), so I put a strip of Post-It note over the center two contacts of my USB plug. That would work in this case too.

  12. My Android phone asks what I want to do with the USB connection. I DON’T want to unmount the SD card, so mine is set to default to charge only. My old Palm Pre did that also. Are just iPhones and Windows phones vulnerable?

    1. You can do near anything you want with a plugged-in Android phone via the command-line ADB program, whether the SD card is mounted or not, though AFAIK it won’t work with non-rooted, locked-bootloader phones.

      So, most people have nothing to worry about, though there are a lot of people that root their Android phones that don’t necessarily understand the security implications. But, why would anyone bother to target that audience in someplace like an airport terminal? You’d get a ridiculously small number of hits that actually allow access.

      1. No. You need to explicitly turn on debugging on your phone to make adb work, whether rooted or unlocked or what have you — and even if you are, it’s a simple matter to turn debugging back off if concerned.

  13. And those ‘do not remove’ tags on your mattress are so the CIA can spy on you.

    In this day and age with WiFi and Bluetooth why would anyone need you to plug in your fairly unsecured mobile device to steal your data? It’s already whizzing through the air like a Wonka bar and Mike TeeVee. Just reach out and grab it.

  14. I fully trust Bacardi, they just want to charge up my night, not grab relevant info from my phone to use in improving their marketing targeting efforts. 
