What you should know about Juice Jacking, an attack that compromises your file via USB

Recently, Juice Jacking, a ‘renewed’ wave of cyberattack, has been the centre of conversation across social media platforms.

While the way Juice Jacking operates creates chances to compromise files and sensitive digital materials, it reminds us of how fraudsters continue to deploy new tactics.

There have been debates about its modus operandi: how it steals data using a ‘disguised’ power bank, and the type of file it can access. Most importantly, there were concerns about whether it’s possible that the device can unlock a phone or system.

With the guidance of two resource individuals, Jude Ozinegbe, Founder of Cyberchain and Mukaila Temitope Olajumoke, a cybersecurity practitioner, this article will provide a comprehensive explainer on all you should know about Juice Jacking.

Juice Jacking: not new 

Juice jacking is a potential attack where a malicious charging station, usually a port cable or USB device, is used to compromise data. Fraudsters simply compromise data by installing malware via the charging. While a phone displays charging, Juice Jacking operates beyond mere charging. 

“It happens when a charger, power bank, or cable has been tampered with. Instead of just giving your phone power, it also opens a data connection. And if your phone allows it, information can move from your phone to someone else quietly—no noise, no warning,” Jude said.

He pointed out that Juice Jacking can easily occur in Nigeria as people charge phones anywhere (most especially in public places) due to the epileptic power supply. 

Notably, the suspicious power bank cannot be easily detected, they are like a normal power bank. Both experts said the power bank looks clean, and nothing outside will tell you it’s bad.

While the attacks seem to be gaining attention lately, Temitope noted that Juice Jacking is not a new attack. She explained that the attack became prominent recently due to the widespread use of Android smartphones and Type-C charging ports. 

“It’s not new now, it’s becoming rampant. People are getting to know about it recently, but it has been out for a while. And the adoption of type C cord makes it more vulnerable,” she added.

The user is in control 

Addressing concerns over who is in control of how Juice Jacking works and accessing data on the phone, Temitope noted that the phone owner is still in control. And that control comes into effect when a user decides whether to ‘charge only’ or ‘allow transfer of files.’

“When you connect your phone, a prompt displays to select charging or to transfer the file. So you’ll be the one to make the decision,” she added. 

A prominent concern is whether the charger (connected to the ‘disguised’ power bank or charger) can really unlock a phone itself. Both experts noted that this is impossible. 

Jude described the expression as a plain exaggeration. He said the attack does occur with given permission and is a normal human behaviour process. He emphasised that the risk is not that the charger or attacker is smart, it’s that we’re often in a hurry.

“The problem starts when you unlock the phone yourself. You’re charging, you unlock to reply to a WhatsApp message, check your account balance, and scroll through Instagram. Then one message pops up: “Allow data access?” You don’t read it. You just tap “OK.” Jude noted.

Temitope also mentioned that the attack works based on access. And without giving it access, it can not do the work on its own.

“The attack itself needs a host, which is you. You need to give it access to your data. So it cannot work on its own.” She added that “it cannot unlock the phone unless you unlock your phone.”

Also Read: Here are 7 habits that compromise your personal and data safety online.

What type of data can Juice Jacking compromise?

Once a phone is unlocked and access is gained, the attacker can access contacts, photos, documents, phone information, and other non-encrypted files. In some extra cases, the attacker can install spying software on the phone. 

Jude noted that fraudsters’ main gain is to access financial information, especially in a country like Nigeria. 

“Banking apps, fintech wallets, crypto, email, OTP alerts—everything is on one phone. Once that phone is compromised, your money and accounts can be at risk.”

“That’s when stories start like, ‘I just woke up, and money was gone.’ starts flooding everywhere, but you forgot when you plugged in an unsuspecting rogue charger, power bank, or cable to your phone,” he added.

In addition, Temitope explained that the risk of Juice Jacking is very low because it needs a user to unlock the phone and also allow access beyond mere charging. She said it is also very low for people using the latest Android OS version and iOS. 

Preventive measures

Instead of trying to inspect chargers, experts highlighted the following preventive tips to avoid falling victim to Juice Jacking.

• Avoid public USB charging ports when you can.
• Plug into wall sockets with your own charger head.
• Carry your own power bank.
• Use charge-only cables (they don’t pass data), carry a spare cable.
• Avoid public charging ports such as bus terminals or trains. 
• Disable auto-unlock features. If there are features that, once they are on, your device will unlock itself, turn them off.
• Keep your phone locked while charging
• Stop tapping “Allow” without reading 
• If you’re not sure about the charger, just say, “I’ll charge later,” and put your phone on the battery saver.

While Juice jacking is not yet a rampant attack, it’s gaining prominence. The preventive measures are essential. Think of it like ATM rules. You don’t collect an ATM card from a stranger just because you’re in a hurry.