Users get warnings about scams and cyberattacks through emails, texts, and websites. Watch what you click, what you open, and where you surf the Web. Standard security software keeps you and your devices safe from Internet-facing threats.
So, you’re good, right?
Maybe not. On March 5, 2025, the U.S. Transportation Security Administration (TSA) posted a public service announcement on its verified Facebook account: “Hackers can install malware at USB ports (we’ve been told that’s called “juice/port jacking”). So, when you’re at an airport do not plug your phone directly into a USB port. Bring your TSA-compliant power brick or battery pack and plug in there.”
The TSA announcement included a reminder about email and social media scams, as well as the dangers of using free public Wi-Fi. These are familiar threats to most users.
What is Juice Jacking?
According to Josh Pauli, professor of cyber, intel, and info operations at the University of Arizona, juice jacking requires attackers to tamper with a public USB charging station to load malicious software that, among other things, require victim devices to allow two-way data transfer. According to Pauli, if the user always clicks “accept” or “yes” to device prompts and requests, this could enable two-way transfer and data theft.
If you connect to a computer, your device may ask if you want to allow data to move back and forth between the two. When you plug your phone or tablet into a USB port on a wall charger or public charging station, your device charges. Public charging stations should not ask you to allow data access.
Juice Jacking Realities
According to Tom Kirkham, founder of Kirkham IronTech, a Fort Smith, AR-based managed security services provider, there have been no confirmed cases of juice jacking in the wild. “There have been lots of academic studies and demos, but no real-world victim reports that pass scrutiny,” said Kirkham.
News reports say the first demonstration of an automated attack using juice jacking took place at the 2013 Black Hat USA conference in Las Vegas. Georgia Institute of Technology researchers built a proof-of-concept malicious USB wall charger. When they plugged a current-generation Apple device running the latest iOS software into it, the charger installed a Trojan Horse application on the device within one minute, without user interaction or jailbreaking the device. The Trojan Horse was a repackaged Facebook app containing a malicious payload.
The fact that researchers demonstrated it in a controlled setting does not mean that an attacker would find it practical. “If you are a target of a nation-state, and they are unable to steal your phone or access your data from a cloud service, then you could potentially be at risk from juice jacking,” said Ashley Allen, senior security engineer at Posit PBC, an open-source software company.
“However,” Allen continued, “the adversary would need you to visit a location they had previously managed to infiltrate and install their equipment. The adversary would also need to use a zero-day vulnerability (that is, one previously unreported) to access your phone via the USB port. There are much easier ways of getting the required access, as tools like the Pegasus spyware from NSO Group demonstrate. These are realistic threats. Juice-jacking is not.”
According to multiple news sources, the NSO Group, an Israeli company, develops advanced surveillance technology, such as its Pegasus spyware, which infects smartphones remotely. Governments, spies, and military units have used Pegasus to track and monitor journalists, activists, and diplomats, uncovering secrets, shaping narratives, and intimidating those who speak out.
Attack Evolution
According to Pauli, a new novel attack could be executed with no user involvement. “That’s the line of thinking with ChoiceJacking in these attacks, where the malware interacts with the device to enable data transfer without the user accepting it,” said Pauli.
ChoiceJacking is a proof-of-concept attack described in a 2025 report by researchers from Austria’s Graz University of Technology and A-SIT (Secure Information Technology Center – Austria). ChoiceJacking allowed a malicious USB charger to autonomously spoof user input and enable data transfer or code execution on 11 Android and iOS devices without user consent. The attack independently took action on the devices as though it was the device user, and stole data or ran malicious software.
ChoiceJacking extracted files successfully from two locked devices. The researchers timed the attacks to occur when the user is least likely to notice unusual screen activity, such as screen flickering. The researchers reported their findings to the affected vendors, and most of them are patching the vulnerabilities.
According to Allen, this form of juice jacking is still impractical. “The [ChoiceJacking] attack (mostly) requires an unlocked device, which gives some mitigation. It’s also likely that users would see the dialogs created on screen. [The researchers] have tried to account for this through using power profiles to determine when a user might not be looking at the screen, but there is no real-world testing of this.”
Allen continued, “The problem with the attack is that it stands a pretty good chance of quick discovery if widely implemented in something like chargers or power banks. I think it may have potential for targeted attacks, but even then, I think there are probably easier ways to compromise the target.”
How to Avoid Juice Jacking
“Juice jacking makes for a great headline, but it’s low on the list of real-world threats. You’re far more likely to get phished than juice-jacked. But hey, if a little paranoia keeps people from plugging into random USB ports, I’m not complaining,” said Kirkham.
It’s still a good habit to avoid plugging anything you’re unsure of into your device.
Kirkham recommends using a private wall plug or charging cable. “Don’t plug into public USB ports, especially if the source looks sketchy. Keep your operating system (OS) updated, and never [agree to] Trust This Computer unless it’s yours,” said Kirkham.
“Trust This Computer” is a security prompt that appears on an iOS mobile device, such as an iPhone, when it’s connected to a computer via USB. On an Android device, a prompt will ask the user to choose between charging or file transfer. When the prompt asks if you want to trust this computer or allow data access, you want to respond in the negative unless you are connecting to your own computer and you want it to access your data. A public USB charging station should never ask you to approve data transfers.
David Geer is a journalist who focuses on issues related to cybersecurity. He writes from Cleveland, OH, USA.
Join the Discussion (0)
Become a Member or Sign In to Post a Comment