News Excerpt:

The Reserve Bank of India (RBI) has issued a cautionary message to mobile phone users advising them against charging their devices using public ports.

Key highlight of RBI cautionary message:

• The RBI’s warning serves as a reminder for mobile phone users to be cautious about their cybersecurity practices and take necessary precautions to protect their personal and financial information from potential threats.
• The warning comes amidst growing concerns over the security risks posed by a cyberattack known as “juice jacking.
• According to the RBI, in today’s digital age, it is crucial for individuals to be vigilant about their cybersecurity. 
• Charging your phone using public ports or conducting financial transactions over public Wi-Fi networks can expose your data to potential threats. 
• It is advisable to use your personal charger and a trusted power source to charge your devices.
• To protect themselves from juice jacking and other cyber threats, mobile phone users are advised to use their personal chargers, trusted power source and avoid connecting their devices to public USB ports. 
• Additionally, using a virtual private network (VPN) and ensuring that devices have the latest security updates installed can help mitigate the risk of cyberattacks.

About Juice Jacking

• The term “juice jacking” was first coined in 2011 by investigative journalist Brian Krebs. 
• It is a form of cyberattack where a public USB charging port is tampered with and infected using hardware and software changes to steal data or install malware on devices connected to it. 
• The attack is used by hackers to steal users’ passwords, credit card information, addresses, and other sensitive data stored on the targeted device.
• Juice jacking attacks can take place in any public place with portable wall chargers, or public USB charging stations found in shopping malls, cafes, and hotels.

How does juice jacking work

• To perform the attack, hackers infect USB ports or charging cables in public areas before the users connect to them. 
• Most attacks target both Android and iOS mobile devices, with older devices being particularly vulnerable due to their outdated software. 
• USB ports have multiple pins, but only one pin is used for charging while the other pins are used for data transfers. 
• When users connect their devices to compromised USB ports, hackers use the connection to hack into mobile devices and steal personal data or deliver malware.
• Juice jacking attacks also target laptop USB ports, which are similarly capable of transferring data.

Types of juice jacking attacks

• Juice-jacking attacks can vary in their impact, even though the method remains the same. The different attack forms include data theft, malware installation, disabling attack, and multi-device attack.
• In a data theft attack, hackers use juice-jacking to steal data from a device. The process is typically fully automated, and hackers often use crawlers to search the mobile device for personally identifiable information. Hackers may also use malicious apps to clone a device’s data to another phone. However, cloning requires additional steps, such as a laptop as an intermediary to charge the targeted device.
• In a malware attack, hackers use charging ports to install malware or viruses on connected devices, which are then used to perform ransomware, spyware, or trojan attacks.
• Meanwhile, in a multi-device attack, threat actors use the connected device to spread malware to other devices it may connect to in the future.
• In a disabling attack, hackers use juice jacking to lock owners out of their devices so that the user can’t access them anymore.

Way forward

• Modern Android and iOS devices disable transfer capabilities when plugged into a USB charging port. 
• Users may see a prompt asking them to “trust” the connected device. 
• Trusting the host device enables data transfers; therefore, users should only grant access to known devices. 
• However, this may not be foolproof as public charging stations can silently enable data transfer once a device is connected.
• Users should disable the option to automatically transfer data when a charging cable is connected to the device. The option is disabled by default in iOS; however, Android users may have to disable this in the settings.
• Users can also turn off their devices before connecting to an untrusted charging port. Additionally, users can use AC power outlets, carry external power banks, and consider using a charging-only cable while travelling to ensure security.