Juice-Jacking: Watch Where You Charge Your Smartphone

NEW YORK (MainStreet) — People who plug their phones into random charging stations may be in for an unpleasant surprise.

Every time they connect to charging kiosks that use USB cables, they run the risk of having the data on their phones lifted by the person or company who runs the kiosk, according to a post by Brian Krebs, a cybercrime expert, on his blog Krebs on Security.

As Krebs points out, three security researchers recently built a charging kiosk specially designed to download the photos and contacts stored on smartphones that connected to it, in order to educate consumers about the risk. This hack has been labeled juice-jacking for being the digital equivalent of getting carjacked.

To understand how this works, think about the way you normally charge your smartphone at home. You can either plug the phone into a wall outlet using a power cord or you can connect it to a computer with a USB cord, which not only charges the phone but lets you transfer data to and from the computer.

The problem, according to Krebs, is that smartphone owners don’t realize that charging their smartphone with a USB cable elsewhere leaves the phone open to the same kind of data connection they make at home, except with devices that do not belong to them. If the wrong person or company runs the kiosk, your data could be in jeopardy.

“Granted, a charging kiosk at an airport may be less suspect than, say, a slightly sketchy-looking tower of power stationed at DefCon,” Krebs wrote, noting the event where the researchers tried out their modified kiosk. “But some people will brave nearly any risk to power up their mobiles.”

As a general rule, Krebs recommends using only a power cord to charge your phone when outside your home or office, since these cords do not transmit data from the phone. If you only have a USB cable on you, Krebs suggests turning off the phone before you charge it, as the researchers found that data is not susceptible to being lifted when the phone is off. Other security experts also suggest tweaking your settings to require a password in order to transmit data.