Juice jacking is in the news a lot nowadays, as almost all of us carry smartphones or tablets when we travel, and these are charged through USB charging cables. Cybercriminals use the public USB ports provided in places like airports, railway stations and hospitals for charging smartphones and tablets to introduce malware and monitoring software onto users’ devices, posing a serious security threat. This new kind of cybercrime is called “juice jacking”.
We generally tend to associate charging via USB cable with electricity rather than data, but when you plug your phone into a USB port, it can technically transfer both electricity and data. If it can transfer data, it can be used to do things like steal your personal information or upload malware to your device.
The juice jacking technique exploits exactly this to steal data from your computing device or infect it with malware. Brian Krebs coined the term juice jacking in 2011 after he conducted a proof of concept attack at a defense conference. Since then there have been many reports of such attacks, and in April 2023 a US FBI office warned against using public phone charging stations at airports or malls, citing malware risk.
How does this Juice Jacking cybercrime work :-
When you connect your phone to your computer via USB, it typically gets mounted as an external drive, and you can access and copy files to and from your phone. That’s because, as mentioned above, your typical USB port isn’t simply a power socket but a data channel as well. A typical USB port comprises five pins, only one of which is used for charging. Two other pins are used for data transfer, and the remaining two are used as an attached device presence indicator and the ground, respectively.
You may have seen a prompt on your phone asking you to “trust” the computer you’re connected to. Trusting the host computer enables data transfers. If you choose not to trust the host machine or ignore the prompt, data transfers will not be possible – unless you connect your phone to an infected public charging station.
Infected USB ports can silently enable data transfer modes on your phone once connected. You won’t be prompted and won’t have any indication that this is happening. By the time you unplug your phone, your personal information may have been stolen, and your phone may well be infected with a virus or malware. Cybercriminals can then use the malware to open a channel to steal data from the device, listen to all the data transmitted from it, or use the device’s computing power for cybercrimes such as DDoS attacks or bitcoin mining (cryptojacking, explained in a previous article).
How to protect oneself from such cybercrimes :-
- Do not use public USB charging ports to charge your smartphone, tablet, watch, etc.
- Always carry your own power bank or charger and charging cable.
- Disable your device’s option to automatically transfer data when a charging cable is connected. This is the default on iOS devices. Android users should disable this option in the Settings app.
- If your device displays a prompt asking you to “trust this computer,” it means you’ve connected to another device, not simply a power outlet. Deny the permission, though newer programs bypass this option.
- If you have to use a public charging port, turn off your device before connecting it to the charger and make sure it stays off until it is charged.
- USB passthrough devices, sometimes called USB condoms, are a great way to protect yourself from juice jacking attacks. They are cheap and available on many shopping sites.
- Consider carrying a charging-only cable from a trusted supplier, which prevents data from being sent or received while charging.
- If you plug your device into a USB port and a prompt appears asking you to select “share data” or “trust this computer” or “charge only,” always select “charge only.”
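A USB passthrough device or charging-only cable can be checked before you rely on it: plug your phone through it into your own Linux computer and see whether the computer enumerates a new USB device. The script below is an added example, not part of the original article; it assumes the Linux sysfs layout under `/sys/bus/usb/devices`, and the sample tree it builds for the offline demo is constructed.

```python
import tempfile
from pathlib import Path

def _read(path, attr):
    try:
        return Path(path, attr).read_text().strip()
    except OSError:          # attribute missing or unreadable
        return None

def snapshot(sysfs_root="/sys/bus/usb/devices"):
    """Map bus id -> details for every USB device the host has enumerated."""
    root = Path(sysfs_root)
    entries = sorted(p.name for p in root.iterdir())
    devices = {}
    for name in entries:
        vid = _read(root / name, "idVendor")
        if ":" in name or vid is None:      # skip interface entries such as 1-2:1.0
            continue
        ifaces = [e for e in entries if e.startswith(name + ":")]
        classes = [_read(root / e, "bInterfaceClass") for e in ifaces]
        devices[name] = {
            "id": f"{vid}:{_read(root / name, 'idProduct')}",
            "product": _read(root / name, "product") or "unknown",
            "interface_classes": sorted(c for c in classes if c),
        }
    return devices

def check_blocker(before, after):
    """Any device that appears after plugging in proves the data pins are wired."""
    new = {k: v for k, v in after.items() if k not in before}
    return ("FAIL: data lines connected" if new else "PASS: nothing enumerated"), new

def build_sample_tree(root, phone_visible):
    """Constructed sysfs-like tree for an offline demo (sample values only)."""
    layout = {"usb1": {"idVendor": "1d6b", "idProduct": "0002", "product": "Host Controller"}}
    if phone_visible:
        layout["1-2"] = {"idVendor": "abcd", "idProduct": "0001", "product": "Sample Phone"}
        layout["1-2:1.0"] = {"bInterfaceClass": "06"}   # 06 = still-image class, used by PTP
    for name, attrs in layout.items():
        Path(root, name).mkdir(parents=True, exist_ok=True)
        for attr, value in attrs.items():
            Path(root, name, attr).write_text(value + "\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp, phone_visible=False)
        before = snapshot(tmp)                       # nothing plugged in yet
        build_sample_tree(tmp, phone_visible=True)   # phone reached the host's data lines
        print(check_blocker(before, snapshot(tmp)))
```

On real hardware, call `snapshot()` with no argument before and after plugging in. A PASS is only meaningful if the same phone does show up on the same port when connected with an ordinary data cable.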
If you are a victim of such cyber fraud :-
Immediately call the 1930 cyber helpline or file a complaint at cybercrime.gov.in. Complain to the relevant authority about the issue. If you feel that your Aadhaar and financial details were leaked, lock your Aadhaar card at uidai.gov.in, block your debit/credit cards and change the passwords of your bank accounts. Uninstall any new free apps you installed; if you are still in doubt, format or factory reset your device.
Legal remedies available to the victim (India) :-
Lodge a complaint at a nearby cyber or regular police station under:
- Section 378 (Theft), Section 424 (extract data illegally), Section 425 (destruction of property), Section 441 (criminal trespass) of the Indian Penal Code (IPC)
- Section 43 (Penalty and compensation for damage to computer, computer system, etc.), Section 66 (punishment for computer related offences – a person committing data theft, transmitting virus into a system, destroying data, hacking, or denying access to the computer or network to an authorized person), Section 66C (which prescribes penalties for identity theft and states that anyone who fraudulently or dishonestly uses a person’s identity information), Section 66D (punishment for fraud by impersonation using computer resources) and Section 66E (Violation of privacy) of the IT Act 2000/08.