Los Angeles DA issues 'juice-jacking' malware warning without cause

Cal Jeffrey

Posts: 4,154   +1,416
Staff member
The big question: Officials in Southern California have issued an advisory declaring public smartphone charging stations unsafe. It believes the convenient plug-in kiosks could infect users with malware. However, it has no instances to point to where this has happened. So are they just crying wolf, or is there a real threat here?

On Friday, the Los Angeles District Attorney’s Office issued a warning to travelers not to use public USB charging stations as their devices could get infected with malware that steals their data or locks up their phone.

“In the USB Charger Scam, often called ‘juice jacking,’ criminals load malware onto charging stations or cables they leave plugged in at the stations so they may infect the phones and other electronic devices of unsuspecting users. The malware may lock the device or export data and passwords directly to the scammer.”

It’s a pretty scary warning, but was it really necessary? Maybe not.

The advisory seems to have been dreamt up for a fraud-education campaign the office has been conducting called #FraudFriday and does not have any basis in real-world events.

The LA Country DA’s office, when asked, admitted that it had not encountered any instances of someone’s device being infected through a charging station in Los Angeles. It told TechCrunch that there were cases on the east coast of the US, but could not provide any details such as locations or dates that could be corroborated.

Furthermore, security researcher Kevin Beaumont said in a tweet that he had never seen evidence that malware has been used on public charging stations. Digging into the subject a little deeper, TechSpot could not find any instances or reports where this has happened either.

That is not to say that the possibility does not exist. Several researchers have developed and demonstrated modified or cloned chargers and charging cables that can sniff data or execute commands on a device remotely, but these have all just been proof-of-concept projects.

It is also not the first time that authorities have issued a advisory on similar grounds. Back in 2016, the FBI issued a warning after security researcher Samy Kamkar demoed his KeySweeper proof-of-concept. It was an Arduino board small enough to fit inside the case of a USB charger and was capable of logging keystrokes from wireless Microsoft keyboards.

The bottom line is that more than likely, you are safe using a public charger — at least for now. Frankly, there are just easier ways to accomplish the same task that don't involve tampering with private property in a highly secured facility or leaving suspect devices behind with cameras watching your every move.

That said, it never hurts to be vigilant and carry a wall charger with you when you travel. Most people probably already do, but it often ends up staying in the luggage.

Permalink to story.

 
Sounds like the poor fellow is coming up for election and needs a little "juice" for his campaign!
 
Why would a station designed strictly for charging need use of data pinout? Without the use of data pinout there would be no risk of compromising security.

A malicious installation wouldn't need data pins for charging but to deliberately infect your device.
 
A malicious installation wouldn't need data pins for charging but to deliberately infect your device.
I'm not following completely.

Data transmission is needed to infect a device. I would hope it is impossible to transmitted infectious data through power system. Otherwise having independent power and data would be pointless.
 
I'm not following completely.

Data transmission is needed to infect a device. I would hope it is impossible to transmitted infectious data through power system. Otherwise having independent power and data would be pointless.
If you're using a standard USB cable that includes wires and pins for data, I see no reason that a maliciously designed charging station couldn't use those to infect your machine. Remember that anything attached to a USB cable could pretend to be a keyboard or a memory stick.

That doesn't mean that anyone has actually released any of these things into the wild. This article is calling it Juice-jacking, but I've previously heard it referred to as BadUSB. Try searching for that on the web.
 
I see no reason that a maliciously designed charging station couldn't use those to infect your machine.
My point is the station shouldn't be designed to use data pins. I mentioned as much in my first comment. Then the only way for infection would be for someone to physically modify the charging station. Modify by adding a malicious component to the data pins. That would be far less likely to happen.
 
There are so many devices which can operate through home wiring, (Alexa included), it isn't to hard to imagine that data could be transmitted through USB power terminals, however incorrect that assumption might be.

Let's coin a term for it. How about, "Millennial smartphone paranoia syndrome"?
 
They do make a small device that you can put on your phone and plug the cable into it. I always called them cable condoms.These don't have the data pins in them so no data can be transferred.
 
My point is the station shouldn't be designed to use data pins. I mentioned as much in my first comment. Then the only way for infection would be for someone to physically modify the charging station. Modify by adding a malicious component to the data pins. That would be far less likely to happen.

You missed my phrase "maliciously designed charging station". In other words intended from the start to infect devices that charge from it, or deliberately modified to perform that function.

If you don't think that's possible then look at all the instances of ATMs and digital gas pumps that have been illegally modified to collect credit card numbers and PINS.
 
If you don't think that's possible.
I didn't say it wasn't possible. I said it was way less likely to happen.

look at all the instances of ATMs and digital gas pumps that have been illegally modified to collect credit card numbers and PINS.
Are we comparing low success rates to high success rates? Card readers would have near 100% payout success rate. I do wonder what the chances of success would be by infecting phones. Especially when considering, people that are not low income usually have their own charging methods.
 
Or, do I want a smartphone with a charging-only USB port?
Perhaps,but then you would need an additional data enabled USB port.

Which Apple would almost certainly find an excuse to remove in short order. Citing "waterproofing" concerns springs immediately to mind.

And then of course, they would offer an expensive, "wireless data transfer adapter", which would, of course, only work with Apple computers.

Don't believe me? I offer justifying the removal of the headphone jack, (citing "waterproofing concerns)", as a precursor to the new data transfer tech,.

OK, so I'm more than a bit paranoid of Apple's business practices. But then again, who isn't? :eek:
 
They do make a small device that you can put on your phone and plug the cable into it. I always called them cable condoms.These don't have the data pins in them so no data can be transferred.
Oops, I left it in my other pants pocket, or was it my other suit jacket? :confused:

Or maybe, "oops I left it in the airport charger," now a thousand miles away
 
Last edited:
"Southern California"

That's all I need to hear. The cockroaches have simply reared their ugly heads again, complaning of non existent problems while real issues are allowed to run rampant. Just another day in California.
 
People should be more worried about the WiFi hotspots they connect to in public places and what can be done over an open network.
 
Alternative approach: Find a good old AC outlet and plug in your standard charger -- they're small enough to not be a burden to the traveler.

And YES, it's possible to find an AC outlet at airports
 
Back