Never charge your Android or iOS smartphone in public places; new malware “juice-jacking”

A new threat has caught the attention of the cybersecurity community in Los Angeles, California. According to the district attorney office, some public USB charging points contain dangerous malware that could infect users’ devices.

The alert, published directly by the Prosecutor’s Office, refers to reports on a technique known as “juice-jacking”, in which a threat actor loads USB cables and public charging stations with malware. Afterwards, they just have to wait for some unsuspecting user to connect their smartphone or tablet to extract data and passwords.

Although researchers and cybersecurity experts have previously shown that this attack is in fact possible, the prosecutor’s office mentions that it has no record of actual juice-jacking cases, although they note that there have been attacks on the East Coast. When questioned about the reasons for launching this security alert even though there are no known cases, a Los Angeles County spokeswoman mentioned that this is an awareness campaign against electronic fraud.

However, not everyone shares the same position as the prosecutor’s office. Security specialist Kevin Beaumont, via Twitter, stated that he has not encountered “a single piece of evidence of this attack in the wild.” The expert adds that, although various proofs of concept have been developed, no similar case has come out of computer security laboratories.

On the other hand, several members of the cybersecurity community emphasize that while such an attack is possible, it is a ridiculously complex and inefficient approach, as there are much simpler ways to compromise information on a mobile device. In addition, most recent smartphones have security measures in place to prevent such attacks, so a juice-jacking attack in the wild would require finding a way too powerful exploit.

Although a technique for extracting data using only a USB cable or charger is not yet known, specialists from the International Institute of Cyber Security (IICS) mention that this is possible in theory, so efforts to develop this attack are not have stopped.

A few months ago, the FBI issued a security alert about this attack following the release of the investigation by Samy Kamkar, a specialist who developed an implant designed to impersonate a USB charger and track security keys.