I WISH I read this earlier. I was in an Uber the other day and the first thing the driver asked me was use the white wire if you have an iPhone and need a charge. Like a moron I listened but after 15 min the phone looked like it was charging but no increase in battery power and my phone was hot. Never again. Have to change all my passwords.
64
More important how and where can I get a USB condom (authors phrase). I tried The Wirecutter, you can imagine what came up in the search. Same on the LA County article. Poor fact gathering. Don't get everyone worked up if you don't supply a helpful solution.
77
Thanks, but I feel that whatever precautions I take, the hackers are already two steps ahead of me.
30
I bought a portable charger for travel but was disappointed to find that I could not carry it in the passenger compartment of an airplane because it uses a lithium-ion battery.
31
what about if your phone is OFF while charging?
38
I’m reading this from Dublin Airport.
Thank goodness I have my own charger and cord!!
This is good info to know. Thanks NYT.
Susan
Expat in Ireland
18
A narrow piece of tape that covers the 2 middle pins of the 'A' end of your USB charging cable will do. The 'A' end is the long narrow rectangular end that you plug into a power adapter, if you're wondering.
Like so: https://www.instructables.com/id/USB-Condom/
And remember that it's now possible to make a USB cable that can infect your device with malware no matter what it's plugged into. The proof of concept was announced a couple of months ago so maybe such cables aren't common yet, but don't bet the farm on it.
28
Interested that this has been a known threat since demonstrated in 2011 yet is receiving wide publicity in 2019.
14
My Galaxy has Battery that can be changed by removing the back. I carry a spare. The only caveat is to remember to put the dead battery in your phone and charge it when you get home or use a AC outlet charger at your next destination. I also put a small extension cord in my luggage.
7
To all the commenters saying this is merely theoretical....
I travel a lot. Recently I did see a free USB cable at Newark airport. I almost used it. Perhaps someone just forgot it and it wasn’t a risk but, I for one, am glad I know better now.
20
I solved this hacking problem a long time ago by entirely avoiding cell phones and remaining faithful to my old telephone -- the Alexander Graham Bell model -- which is securely attached to the wall of my bedroom by a dependable copper wire.
Another great advantage of my phone is that it is extremely difficult to misplace or lose.
54
@A. Stanton You obviously don't travel.
43
And here I am, not using the USB ports anywhere simply worrying that they may supply incorrect voltage and damage my device. So I use my own USB adapter (Apple) or a portable charger. And I never use “free” public WiFi either, or the WiFi access in hotels or at conferences. Instead, I use my phone as a hotspot. Harder to hack and safer.
27
Lord help us if we ever go to war with China, which at this point produces many of the electronic devices we use daily. The sad fact of the matter is that our leaders have been asleep at the wheel.
78
I simply don't have that much personal information on my phone, unlike the three people I saw at the park staring at their phones oblivious to their surroundings. I suggest if you fear hackers getting into your phone-- you have too much personal info on it.
20
Very hard to take seriously. An explanation of how a USB cable itself can contain malware is missing. That single omission makes this article sound like uninformed alarmism.
39
So now I have to worry every time I use valet parking or have my car serviced that someone can tamper with the USB port in it?
19
Most hotels now have USB ports on the nightstands next to the bed.
But AC outlets are often in inconvenient places so I find myself using the easy to reach USB charging outlet. I may want to rethink that.
43
Great article.
These attacks could be personalized (against a company, an executive or a wealthy person) or be conducted as a fishing expedition so people who say "why shall they target me?" are wrong. They are not being targeted but just choosing to be a target themselves.
13
Its not only USB chargers and cables.
I’ve think one of the best ways to penetrate most of a targeted industries computers would be to set up booths at trade shows under false companies then pass out free keychains with USB memory sticks filled with hidden spyware and hacking surprises. People would grab them up and eventually plug them into their work computers......
I’m also pretty certain once you’ve plugged into that free airport WiFi in a lot of countries.... your device has been penetrated by some state actor.
34
I always travel with one or two name-brand portable phone charging devices. They were relatively inexpensive (about $20 each), and small enough to put in a pocket. Totally eliminates the chance of acquiring malware.
29
It requires some cooperation from your cellphone OS, e.g., Android. Android should pop up a query box asking you if you want to connect as a data port. There might be a default setting in the settings menu, I haven't seen it, but I always see the query box where plugging into a data capable USB port.
Why no mention?
46
How very sad. Scammers, spammers, hackers, robocallers, identity thieves. The list goes on and on. This is what people choose to do with their lives here in 2019. Take away the technology, and it may as well be 1019. Evolution is indeed slower than molasses in January. So grateful to be 71 and childless.
78
There are people who choose to do good with their lives and also some people who do malice regret later on. @Christopher Ross
7
How about just not transmitting sensitive data when connected to an “unsafe” outlet?
1
@Jon Doyle It's not about transmitting data. Malware is getting into the phones. If you re-read the article it talks about "juice-jacking" which I myself just learned about.
43
USB malware exploits fundamental flaws in the USB standard.
Literally no shared USB device / connection can be trusted.
15
airports, which are mostly run by local or regional authorities, have a hand in this. At too many airports, wifi and and charging stations are sold off to private companies. Here's a charming thought... hold these clowns, no scammers, to a higher calling beyond providing overpriced, unreliable, and corrupt service.
33
Why is it even POSSIBLE to load USB cables with malware???
This is unbelievably poor design, and the people who wrote the USB specification have no excuse. It's not like it was written in the 70s when people had no idea that criminals were going to be all over our hardware and software, exploiting any opening they could find. No, it was written in the 90s, when we definitely knew that malware was a thing. So why design USB to be intrinsically insecure? Because the companies pushing it wanted to get it to market as fast as possible, and weren't interested in priorities like security that didn't have an immediate payoff. As a result, everyone has to worry about booby-trapped cables and "cable condoms" from now into the foreseeable future. What an epic fail!
52
@JohnB
Because back in the olden days, you had to physically plug your phone into the car or computer- no bluetooth, no cloud storage.
If you couldn’t read and write through the cable, those things wouldn’t work at all.
11
Gee whiz, do we have to be terrified of absolutely everything in life? Really, what are the chances of such a convoluted scheme? And for what purpose?
28
@Kathy Re-read the article. To get data (like acct numbers and passwords) off your device.
11
This is one of those "as seen on TV" scare stories, as a few
comments have already pointed out. My wife saw one of these reports, so as she looked over my shoulder, in about 10 minutes I ran it down on Google to the status of "when pigs have wings." That is, when a hacker vandalizes an airport charging station to insert prepared USB charging port hardware. Anybody hear of this actually happening?
28
@Charles Packer only at defcon as far as I know.
1
What about Uber drivers who offer charging?
4
You should avoid Uber anyway, for the countless other reasons.
75
@Russell same thing, if its not your chord or power source don't use it.
17
I once had an Uber driver repeatedly insist I charge my phone in his car. He asked so many times, I grew suspicious. That’s when I learned not to use other people’s cables!
94
If paranoia makes you hesitant to plug into public USB ports, just use the transformer cube and plug into an AC outlet. They’re more ubiquitous than USB outlets and completely safe from “juice jacking” because no data can move through the transformer - it’s an induction device. It’s just as easy and perfectly safe.
73
AC plugs free for the taking are not ubiquitous where I live. My experience is that if you have access to an AC plug then you have paid for it one way or another.
6
@Coldnose
Are usb charging ports available where outlets are not? That’s a pretty unusual offering.
4
@Coldnose - I think Archibald was referring to the little cubes (or sometimes rectangles) that have prongs on one end to plug into an electrical outlet, and a receiver for the big end of a USB cable on the other. You plug it into the wall, plug your cable into it, and plug the other end into your phone.
Yes, it does mean you have to carry one around with you, and you normally have to buy your own. They are often $5 or so, plus another few bucks for the cable. I don't see any claim by Archibald that they are free, just that they are safer than the unprotected ports and cables you might find in public places.
26
Way back in 1992 I thought banking on line was crazy! Still do.
31
@nycpat The last time I was inside a bank, the teller was mystified that I would not want to use a banking app on my phone. This is just one more reason that it's not worth the so-called convenience.
36
Went to Amazon and searched on the term "USB condom" to find very few listed. Also searched on "USB data blocker" with a similar paucity of offerings. I did find one "Novelty and Unique Condom Shape 32GB USB 2.0 Flash Drive." What fun?
So now I wonder where the individual quoted in the article found one "for less than five bucks."
For once, I wouldn't have minded a product link in an article!
43
@Coco Pazzo And I'll bet you got numerous hits for actual condoms. Look for "USB Data Blocker." I found a five-pack for $28. I won't buy such a thing. I must be one of the few people left in the world who does not use a cell phone--articles like this one are why.
12
@koyaanisqatsi Extra upvotes for your screen name :)
10
Interesting article, didn’t happen to see any references to it actually happening though. Had it ever occurred?
15
It has happened to me twice at 4 star hotels
outside the US. I got smart after that & use an external battery case on my phone to prevent emergencies during the day.
21
There needs to be a law against juice jacking in public spaces.
8
@Chris who would actually enforce it?
4
First off, I've been seeing these warnings for a decade. Second, there are simple solutions such as only use chargers from a brand name into a plug, and brand name cables. Don't be cheap.
14
I use my phone in a case that contains an auxiliary battery.
When I use USB chargers away from home, I remove my phone and plug the battery case into the charger. This precludes physical access to my phone. The battery case is (so far) too dumb to provide a malware attack point.
55
BYOB now means, bring your own battery.
75
Hacking, installing malware, ransom, revenge porn, etc. ...I have no problem with making it a capital offense.
47
Enjoy the outdoors, or hope for a window seat:
One of many examples:
Solar Charger, Dizaul 5000mAh Portable Solar
9
But the "USB condom" you buy online could also have malware installed.
46
I frequently us a cell/wifi unit, which I purchased from my phone carrier. It enables me to get secure wifi access through my secure cellular phone connection. It also has a built-in phone-charging jack. I will be certain to use this instead of public charging sites when traveling.
Thanks for this helpful article.
22
If I recall the LA warning, they said this was a "warning" about USB charging but they did not have any complaint of any individual actually having a problem.
14
This is fear mongering on the level of bad local news, not going to help Boomers who are already terrified that "hackers" are lurking outside their homes.
32
@w
Maybe because they have something worth protecting? Just kidding
8
@w This is the sort of thing a hacker would say.
17
Just finished the book Scam Me if you Can. The author talks about this issue in the book. That was the first time I had ever heard of the problem. Glad to confirmation of the issue with this NYT article.
53
One more reason to use iPhone .
14
@Khurshid , not really. On Android USB connections default to charging only.
13
Article.. I don't know how often this happens..... Meaning it is likely an urban legend. How about the charging pads? those could be next....
6
Isn't this a rather old scheme?
1
"...they were unsure of how often hacking attacks like these happened..."
What is striking about this article, the LA DA's warning and the wikipedia page for Juice Jacking is lack of assertion that this is anything more than a theoretical problem. Indeed, Wikipedia lists the entities who have proven it COULD be a problem, and there is a lack of evidence that this has happened to any degree that the public should be wary of public charging stations.
If you follow the links through to the earlier NYT article on this topic, it asserts that this phenomena has been "proved at hacker conventions and Seen in the wild". Clicking through to the "seen in the wild" link shows it's actually another article about this concept being proven at a hacker convention, i.e., NOT in the wild.
Is this another Jenkem moral panic? (Google it :) )
This is a "risk", but how much of a Risk is it? There is a "risk" of almost anything happening, and if we tried to avoid every "risk" we would never leave our homes. A cost benefit analysis concerning preventative measures is impossible without some clue about the extent of the problem.
34
In this business if you can imagine it somebody is already working on it.
10
@Stevenz
Working on what? This was discovered in 2011, it is apparently still hypothetical.
1
At the airport, in my room at the Hilton/Hyatt/Marriott, on board my Delta/JetBlue flight, I’ll take my chances. But thank you for caring.
8
Bring a small charger battery. Pass the airport charger through that, charging it up as it charges your phone.
The malware has nothing but a battery to talk to, and they are very dull conversationalists.
133
Are Apple OS devices, e.g., iPhone, iPad, vulnerable to this type of attack also? G
3
I found that carrying two Dixie cups and several miles of string is a great option.
254
@Paul King
Ah! What an innovative idea... But 2 tin cans an a large roll of wire provides a clearer connection.
88
@LT Thank you for the laugh!
7
I don't know about this.
"Though Mr. Arsene and Professor Sekar said they were unsure of how often hacking attacks like these happened, the growing ubiquity of USB charging ports in places like hotels, airports and public transportation has translated into an increased risk of falling victim to such scams."
I think that because there are so many charging and that they would have to be physically tampered with the odds of running afoul must be very long.
OMG I think I have to check the charger in my luggage, which is just another thing keep charged, for bugs and where I charge that from. I don't really have luggage as absurd as that.
If juice jacking involves USB ports and/or wired connections, does that mean wireless charging is safe?
8
@Josh
Yes, wireless charging doesn't use the USB port to charge the battery, wireless charges use something called inductive charging, there is no data connection when doing that. The problem is that with USB, people are using cables that also can transmit data, if people had usb charging only cables this wouldn't happen (or if you basically insulate the charging pin in the cable when charging the phone).
14
Grateful for my Away carry-on that comes with its own battery pack so I don't have to use janky airport ones.
7
@ladyfootballfan
You won't of course be allowed to carry on this suitcase unless you can remove the battery. Which then would make it exactly equivalent to any other portable battery you might carry.
7
@ladyfootballfan Those bags are prohibited from being carried on any plane.
3
Ever since hearing about this a few years ago I travel with a large power bank. It weighs a couple pounds but it’s piece of mind. Added bonus is no worries about finding a place to charge. The power bank was around $35 and will recharge my iPhone X 5+ times, I’ve never needed to charge it more than that. I just recharge the power bank at the hotel if need be but often I don’t need to for trips shorter than a week. The only downside is planning, the power bank takes nearly 24 hours to fully charge so it’s not something I can plug in at midnight when I’m finishing up packing for an 8am flight.
29
@Elizabeth Wow - First world problems - Not having 24 hrs to charhe your power bank - because you forget.
8
It seems kind of ironic that we need all this heavy equipment with our state-of-the-art ever-so-convenient phones. Where’s our “market power”? Why can’t we get useful, efficient, light phones?
5
Are you really so far away from electrical outlets for long periods of time? As the article says a simple charger (weighs 2 oz.) does the trick with no risk.
8
So is this actually a problem? It is unclear from the article is this is an actual problem or a theoretical one. Not a single reported incident is mentioned, nor are any statistics on how many times it has been reported to authorities or security companies.
181
What about using the USB connection in a rental car for Google Maps?
7
probably covered under "if the attacker has physical access." In other words, if a hacker had access to the car before you did, it's possible.
16
@Jeff A. Sure, if you trust all the rental employees.
8
I bought a PortaPow 3rd Gen USB Data Blocker. Seven bucks. Works like a charm. You can get them on Amazon, at Walmart, from Newegg, and probably a few other places. Easy to use and does the trick.
56
@GreenGene This is basically just a device that removes the middle pins (data pins) from usb. I've made my own, and re-wrapped the cut wires with Sugru to provide a sturdy connection. Either way, excellent idea.
15
This is why I insisted that my most recent phone purchase was one with a removable battery. I always carry a spare battery, fully charged, and a charger that recharges the battery out of the phone. If I run out of power, I can swap batteries and, upon finding an outlet, recharge the dead battery without ever attaching my phone to any suspicious cables.
Simple precautions can save a great deal of hassle.
83
@michaelscody This must have severely limited your phone options? You could instead get a USB power bank and use that with any phone you'd like.
11
@Steve P Not really, I got one from LG that did everything I wanted. The removable battery also comes in handy if the phone freezes, as disconnecting and reconnecting it resets everything.
8
Would turning a phone off before charging help at all?
34
@Steve :O Phones often automatically turn on when charging. Unless, does anyone know if there's a setting to disable that?
9
No.
Take it from me, I protect IT for a living.
2
Hackers are motivated by illegally profiting from users made vulnerable by technology that is designed to exploit the people that own them.
I have a Samsung Galaxy S9, 14 months in use, bought new.
I use every battery optimization setting available to me.
One email sent through gmail....a plain text sentence of perhaps twenty words drains 3 percent of my battery charge.
The bulk of the current draw is Google and 3rd parties trying to glean my data.
I agree...do not by any means, charge from a supply not owned by you.
Be aware, Google, Samsung, and the rest of big tech isn't going to help. They only make it easy for the hackers.
50
@Bill
other best practices include:
keeping up with updates, and discarding phones that cannot be updated; restarting one's phone daily; resetting to factory settings once a year; don't buy grey market cords.
symptoms are usually minor that one has been hacked, sometimes it's a battery that drains a bit longer, sometimes its a bit higher data usage than previous.
access points and connections are gateways to hacking;
remember: if it can be powered on, it can be hacked.
5
@Bill That's abnormally high battery drain, its not a result of apps pulling your data. Let a tech savvy teenager take a look at it.
13
@Bill Check your locations settings and turn off only the ones that are absolutely essential. They are the biggest battery drain.
3
One thing that is helpful in Android is to set the default behavior for USB connections to "Charging Only".
This is an option in the Developer Menu, which requires some legwork if you don't already have it activated.
1. Open the Settings app.
2. Select System.
3. Scroll to the bottom and select About phone.
4. Scroll to the bottom and tap Build number 7 times.
5. Go back to Settings and scroll to the bottom to select Developer Options.
6. Tap Default USB Configuration and select "Charging phone only"
156
@Virgil Soames
Yeah and on iPhone, a prompt comes up saying "Do you trust this computer?" Just say no.
This was not a very good article, these tips should have been included.
112
@Virgil Soames It sure would be nice to know what version and phone you were on.
I followed your instructions precisely, and they failed at #2.
There is no "System" item. If it is something else, why not spell it out exactly as it appears in the menu?
So typical for these series of explanations, over half the time they aren't for the current version, or the item has been moved to a different menu.
7
@Virgil Soames On my Android if I connect my phone to another device via USB I can then set USB options. Settings -> Connected devices -> USB. It gives options for "USB controlled by" and "Use USB for". The defaults are already "This device" and "No data transfer". Of course if I actually wanted to transfer files from my phone I would have to change these settings.
9