FBI office warns against using public phone charging stations at airports or malls, citing malware risk

The FBI's Denver office is warning the public against using public charging stations, such as ones you might see at an airport or the mall. 

"Bad actors have figured out ways to use public USB ports to introduce malware and monitoring software onto devices," the FBI Denver office tweeted in a general alert. "Carry your own charger and USB cord and use an electrical outlet instead."

There was no specific incident that caused the public service announcement, FBI Denver told CBS News. Rather, it was meant as a field office warning.

"Juice jacking" — a term coined in 2011 — remains a concern, according to the U.S. government. FCC officials warn malware installed through a corrupted USB port can lock a device or export personal data and passwords directly to a criminal. The sensitive information can then be used to access online accounts or be sold to other bad actors. In some cases, criminals may have intentionally left infected cables plugged in at charging stations. 

"The scary part of juice jacking is that you probably won't even be able to tell that your phone is infected with malware after plugging it into a compromised USB port," Matt Swinder, editor-in-chief and founder of TheShortcut.com, told CBS News. 

According to the 2022 USB Threat report by Honeywell Forge, threats designed to propagate over USB or specifically exploit USB for infection rose to 52% over four years. 

"You're much more likely to have your credit card skimmed than be juice jacked, based on the lack of hard evidence of widespread cases," Swinder explained. "As rare as juice jacking is right now, the threats of identity theft have migrated from being purely physical to being primarily digital over the last decade."

While "juice jacking" may be still relatively uncommon, says technology journalist Dan Patterson, it's also "a fairly easy and low-cost hack — especially in airports and other public locations." 

He offers simple advice to follow. "Never use a charger that isn't yours or someone you know," he said. 

Experts who spoke to CBS News say there's always the chance of unreported cases since some may not even be aware of the risks. 

"The FBI is going to have access to intelligence and information that the public — even the broader cybersecurity public — will not have access to," NetRise CEO Thomas Pace told CBS News. 

Their ability to "monitor underground forums, get intelligence from informants and even intelligence from other agencies" provides the FBI with a better understanding into possible threats.

It generally boils down to the age-old tradeoff between usability and security. 

"People want [and] need USB ports in airports and restaurants and just general public spaces, Pace said. "So they are going to continue to exist."

He compared the charging stations and juice jacking to ATMs and ATM skimmers. 

"Are ATM skimmers a problem? Do they exist?" Pace asked. "The answer to both of those questions is yes. Did we remove all ATMs because of it? No, we did not."

So what can be done? 

Like the FBI, the FCC recommends that travelers avoid using a public USB charging station and they use a power outlet instead. Travelers should carry a portable charger or external battery. 

Pace recommends visually inspecting the charger prior to plugging in. If it appears to have been tampered with in some way, don't use it.

He added that people can be careful by using a USB data blocker, a small dongle that adds a layer of protection between a device and the charging point — or as they're unofficially known, "USB condoms." He carries one around with him all the time. 

"Pretty much guarantees you are good to go," he added. 

In:
• Cybercrime
• Cybersecurity and Infrastructure Security Agency
• FBI