Kevin Boone

Juice-jacking -- it's a problem, but not because it's a problem


The modern Internet is a hostile place, and smartphones are a rich source of data that can potentially be stolen and abused. So it's no surprise that people are concerned about ways in which villains can exploit their cellphones remotely. The "juice-jacking" scare seems to have started about ten years ago, and enjoyed a brief notoriety before disappearing. Recently, however, it's surfaced again -- warnings are being promulgated in all sorts of places, by people who ought to know better. For example, the DuckDuckGo search engine's blog has a warning about it. I have a lot of time for DuckDuckGo, and I use their search engine all the time. However, a privacy-focused organization like DuckDuckGo really ought to understand technology better than this.

For those who don't know, "juice-jacking" is the alleged practice of using public USB charging stations to get unauthorized access to the contents of users' smartphones. There was a time -- ten years ago -- when there was at least a notional risk that this could happen. If the charging station was, in fact, secretly connected to a computer, then the USB connection could be used for data access, not just charging. It's likely that most smartphone users don't use USB connections this way any more, and don't realize that a data connection over USB is even possible. It is, though -- some or all of the internal data storage, along with data stored on any SD card, is somewhat accessible. In the Android world there's also the Android Debug Bridge (ADB), which provides even lower-level access to the cellphone's data and configuration.

Over time, however, smartphone manufacturers have not only reduced the amount of data that can be extracted from a USB connection, but also made it harder to establish a data connection without the user's knowledge. All modern iOS and Android phones will warn the user when a data connection is initiated over USB, and require positive action before enabling it. The ADB needs to be enabled generally in the device -- a process that is not well advertised -- and also enabled for each new data connection. So far as we know, "juice-jacking" hasn't been a practical proposition for ten years, and probably wasn't a significant risk even before then.

So why has it become an issue again? Well, frankly, I don't know. The recent scare appears to have started when the Los Angeles County District Attorney's office issued a fraud alert about the practice. According to the DA's office:

"...criminals load malware onto charging stations or cables they leave plugged in at the stations so they may infect the phones and other electronic devices of unsuspecting users."

There's no explanation of how this might happen and, in fact, it's highly unlikely to be possible. A number of technology journalists contacted the LA County DA's office for an explanation but, so far as I know, none has been forthcoming. Certainly, the DA's office was unable to cite even one specific instance of the practice.

It seems to me that a technologically-inexperienced member of the DA staff got wind of the "juice-jacking" scare from some unknown source, and propagated it, thinking to be doing everybody a favour. Other security-minded organizations picked up on the warning and, lacking any deep technical knowledge, simply propagated it -- again, thinking to be doing us all a favour.

If I were in a cynical mood, I would also wonder whether commercial providers of security products would actually be quite keen to republish a story like this. After all, their business model depends on maintaining a climate of fear and paranoia.

Should we be worried?

Well, yes; but not because "juice-jacking" is a real threat -- it almost certainly isn't. We should be worried because, in a world where we are subject to all manner of genuine on-line threats, we can't afford to be distracted by bogus ones. The fact is that the typical cellphone user won't have the technical knowledge to assess the validity of a threat -- in fact, very few people will. There's a very real risk of "threat fatigue" in the world of information technology -- if people are bombarded by purported threats from all sides, how can they possibly be expected to take them all seriously?

I notice a large amount of shoulder-shrugging, where on-line security is concerned. It seems that people increasingly think either (a) there's not really a problem or (b) there is a problem, but there's nothing they can do. If we want to prevent this situation getting worse, we really need to avoid propagating camp-fire stories.