Juice Jacking Returns: New Threats and Preventive Measures
TL;DR
Juice jacking, a cybersecurity threat involving malicious USB charging stations, has resurfaced with a more sophisticated attack called ChoiceJacking. While the risk remains theoretical, taking preventive measures can enhance security. The TSA and other agencies warn against using public USB ports and Wi-Fi for sensitive activities.
Juice Jacking: A Resurgent Threat
Juice jacking, a cybersecurity concern that periodically resurfaces, has again become a topic of discussion this spring. A new, more advanced form of this attack, known as ChoiceJacking, has emerged, raising concerns among travelers. But how significant is this threat?
Understanding Juice Jacking
Juice jacking involves attackers using malicious public USB chargers to install malware or steal information from connected devices. Typically, victims plug their phones into USB charging ports in public places like airports or restaurants. The compromised charger then initiates a data connection, potentially allowing the attacker to access files or control apps on the device.
Both Apple and Google incorporated basic protections against juice jacking into their operating systems years ago. These updates require user approval for any USB-initiated control requests. However, recent research has revealed vulnerabilities in these defenses.
ChoiceJacking: A New Variant
Researchers have discovered a method to bypass existing protections, introducing a new variant called ChoiceJacking. As reported by Ars Technica, this exploit, developed by researchers at Graz University of Technology, mimics user interactions to gain control of the device [1].
Government Warnings
Government agencies continue to issue warnings about juice jacking. Recently, the TSA posted a warning on Facebook, advising travelers to avoid direct USB connections at airports and to use TSA-compliant power bricks or battery packs instead [2].
Other agencies, such as the FBI and the LA County District Attorney’s office, have also issued warnings in the past. Researchers have been highlighting this threat since 2011, with demonstrations at conferences like Defcon showcasing the potential risks [3].
Real-World Impact
Despite these warnings, there have been no documented real-world juice jacking attacks. The FCC and Malwarebytes have not found any instances of such attacks [4]. However, the theoretical feasibility of juice jacking means it remains a potential risk.
Preventive Measures
To protect against juice jacking, consider the following steps:
- Use USB Cables Without Data Pins: These cables prevent data transfer, though they may interfere with charging on some devices.
- Power Down Before Plugging In: Turn off your phone before connecting it to a public USB port.
- Carry a Portable Charger: Use your own portable charging battery to avoid public USB ports altogether.
Avoiding Public Wi-Fi
The TSA also advises against using public Wi-Fi, especially for sensitive activities like online purchases. While HTTPS has mitigated some risks, using a VPN or cellular data can provide additional security [5].
Conclusion
While juice jacking remains a theoretical threat, taking preventive measures can enhance your cybersecurity. Staying informed and cautious can help protect your devices and data from potential attacks.
Additional Resources
For further insights, check:
- Ars Technica: iOS and Android juice-jacking defenses have been trivial to bypass for years
- TSA Facebook Warning
- FBI Denver Tweet
References
[1] Ars Technica (2025). “iOS and Android juice-jacking defenses have been trivial to bypass for years”. Ars Technica. Retrieved 2025-06-03.
[2] TSA (2025). “TSA Facebook Warning”. Facebook. Retrieved 2025-06-03.
[3] Defcon (2011). “Juice Jacking Demonstration”. Defcon. Retrieved 2025-06-03.
[4] FCC (2023). “Juice Jacking Tips to Avoid It”. FCC. Retrieved 2025-06-03.
[5] Malwarebytes (2025). “Use a VPN”. Malwarebytes. Retrieved 2025-06-03.