London Daily

Focus on the big picture.
Thursday, Jul 10, 2025

FBI warn about the dangers of using public USB charging stations

FBI warn about the dangers of using public USB charging stations

Travelers are advised to avoid using public USB power charging stations in airports, hotels, and other locations because they may contain dangerous malware, the Los Angeles District Attorney said in a security alert published last week.

USB connections were designed to work as both data and power transfer mediums, with no strict barrier between the two. As smartphones became more popular in the past decade, security researchers figured out they could abuse USB connections that a user might think was only transferring electrical power to hide and deliver secret data payloads.

This type of attack received its own name, as "juice jacking."

Across the years, several proofs-of-concept were created. The most notorious is Mactans, presented at the Black Hat 2013 security conference, which was a malicious USB wall charger that could deploy malware on iOS devices.

Three years later, in 2016, security researcher Samy Kamkar took the concept further with KeySweeper, a stealthy Arduino-based device, camouflaged as a functioning USB wall charger that wirelessly and passively sniffs, decrypts, logs, and reports back (over GSM) all keystrokes from any Microsoft wireless keyboard in the vicinity.

Following Kamkar's release of KeySweeper, the FBI sent out a nation-wide alert at the time, warning organizations against the use of USB chargers and asking companies to review if they had any such devices in use.

Also, in 2016, another team of researchers developed another proof-of-concept malicious USB wall charger. This one could record and mirror the screen of a device that was plugged in for a charge. The technique become known as "video jacking."



The LA District Attorney's warning [PDF] covers many attack vectors, because there's different ways that criminals can abuse USB wall chargers.

The most common way is via "pluggable" USB wall chargers. These are portable USB charging devices that can be plugged into an AC socket, and criminals can easily leave some of these behind "by accident" in public places, at public charging stations.

There are also USB chargers encased directly inside power charging stations installed in public places, were the user only has access to a USB port. However, LA officials say criminals can load malware onto public charging stations, so users should avoid using the USB port, and stick to using the AC charging port instead.

But the LA DA's warning also applies to USB cables that have been left behind in public places. Microcontrollers and electronic parts have become so small these days that criminals can hide mini-computers and malware inside a USB cable itself. One such example is the O.MG Cable. Something as benign as a USB cable can hide malware nowadays.


Taking all these into account, LA officials recommend that travelers:

Use an AC power outlet, not a USB charging station.

Take AC and car chargers for your devices when traveling.

Consider buying a portable charger for emergencies.

But there are also other countermeasures that users can deploy. One of them is that device owners can buy USB "no-data transfer" cables, where the USB pins responsible for the data transfer channel have been removed, leaving only the power transfer circuit in place. Such cables can be found on Amazon and other online stores.

There are also so-called "USB condoms" that act as an intermediary between an untrusted USB charger and a user's device.

Two such devices are SyncStop (formerly known as USB Condom) and Juice-Jack Defender. Many others also exist, and at one point, even Kaspersky researchers tried to build one -- called Pure.Charger -- but their Kickstarter fundraiser failed to raise the needed funds.

Update, November 15: After the publication of this article, there has been a wave of criticism from security researchers and the cyber-security community, who did not believe the LA DA's security alert was adequate, as there have been no known cases of "juice jacking" incidents detected in the real world, and beyond experimental work presented at security conferences. Furthermore, many have pointed out that since the first juice jacking demos back in 2013, both Android and iOS have now incorporated popups in their user interface to alert a user when a USB port is attempting to transfer data, rather than just electrical power.

US authorities usually issue security alerts based on reports and threats they see in the real world. After failing to respond to a phone call yesterday, the LA DA told fellow tech news site TechCrunch today that the security alert was part of an educational campaign, and not based on juice jacking attacks they've detected in the wild. The original LA DA advisory is still labeled as a "fraud alert" and "PSA" on the LA DA's website, though, with no evidence this is part of an educational campaign. However, the advice given to travelers is in no way bad or incorrect, and users should follow it.

Newsletter

Related Articles

0:00
0:00
Close
Severe Heatwave Claims 2,300 Lives Across Europe
NVIDIA Achieves Historic Milestone as First Company Valued at $4 Trillion
Declining Beer Consumption Signals Cultural Shift in Germany
Linda Yaccarino Steps Down as CEO of X After Two Years
US Imposes New Tariffs on Brazilian Exports Amid Political Tensions
Azerbaijan and Armenia are on the brink of a historic peace deal.
Emails Leaked: How Passenger Luggage Became a Side Income for Airport Workers
Polish MEP: “Dear Leftists - China is laughing at you, Russia is laughing, India is laughing”
BRICS Expands Membership with Indonesia and Ten New Partner Countries
Weinstein Victim’s Lawyer Says MeToo Movement Still Strong
U.S. Enacts Sweeping Tax and Spending Legislation Amid Trade Policy Shifts
Football Mourns as Diogo Jota and Brother André Silva Laid to Rest in Portugal
Labour Expected to Withdraw Support for Special Needs Funding Model
Leaked Audio Reveals Tory Aide Defending DEI Record
Elon Musk Founds a Party Following a Poll on X: "You Wanted It – You Got It!"
London Stock Exchange Faces Historic Low in Initial Public Offerings
A new online platform has emerged in the United Kingdom, specifically targeting Muslim men seeking virgin brides
Trump Celebrates Independence Day with B-2 Flyover and Signs Controversial Legislation
Boris Johnson Urges Conservatives to Ignore Farage
SNP Ordered to Update Single-Sex Space Guidance Within Days
Starmer Set to Reject Calls for Wealth Taxes
Stolen Century-Old Rolls-Royce Recovered After Hotel Theft
Macron Presses Starmer to Recognise Palestinian State
Labour Delayed Palestine Action Ban Over Riot Concerns
Swinney’s Tax Comments ‘Offensive to Scots’, Say Tories
High Street Retailers to Enforce Bans on Serial Shoplifters
Music Banned by Henry VIII to Be Performed After 500 Years
Steve Coogan Says Working Class Is Being ‘Ethnically Cleansed’
Home Office Admits Uncertainty Over Visa Overstayer Numbers
JD Vance Questions Mandelson Over Reform Party’s Rising Popularity
Macron to Receive Windsor Carriage Ride in Royal Gesture
Labour Accused of ‘Hammering’ Scots During First Year in Power
BBC Head of Music Stood Down Amid Bob Vylan Controversy
Corbyn Eyes Hard-Left Challenge to Starmer’s Leadership
London Tube Trains Suspended After Major Fire Erupts Nearby
Richard Kemp: I Felt Safer in Israel Under Attack Than in the UK
Cyclist Says Police Cited Human Rights Act for Riding No-Handed
China’s Central Bank Consults European Peers on Low-Rate Strategies
AI Raises Alarms Over Long-Term Job Security
Saudi Arabia Maintains Ties with Iran Despite Israel Conflict
Musk Battles to Protect Tesla Amid Trump Policy Threats
Air France-KLM Acquires Majority Stake in Scandinavian Airlines
UK Educators Sound Alarm on Declining Child Literacy
Shein Fined €40 Million in France Over Misleading Discounts
Brazil’s Lula Visits Kirchner During Argentina House Arrest
Trump Scores Legislative Win as House Passes Tax Reform Bill
Keir Starmer Faces Criticism After Rocky First Year in Power
DJI Launches Heavy-Duty Coaxial Quadcopter with 80 kg Lift Capacity
U.S. Senate Approves Major Legislation Dubbed the 'Big Beautiful Bill'
Largest Healthcare Fraud Takedown in U.S. History Announced by DOJ
×