Subscribe & Save 20% off Premium or Families plans
By subscribing, you agree to receive marketing communications regarding industry news and research, educational resources, and LastPass products and services. The processing of your personal data in accordance with the LastPass Privacy Policy. You can unsubscribe from marketing communications at any time.
|
Key Takeaways: Juice jacking |
|
If “juice jacking” brings to mind visions of smoothie bandits swiping fruit cocktails, then buckle up. The digital jungle is about to throw you a curveball. Juice jacking, the act of exploiting public USB charging stations to plant malware or steal data, isn’t your typical scam. And it’s made an alarming comeback in 2025.
But is juice jacking just another over-hyped threat?
If you’re asking, it begs a bigger question: can you trust that public outlet at the mall, airport, or cafe?
Is it safe to use public charging?
The short answer is, probably not.
As it stands, the threat of juice jacking remains theoretical for most users in 2025.
Despite new warnings from the TSA, there aren’t any publicly documented cases of widespread juice jacking campaigns in the wild.
Here’s why: Modern iOS and Android operating systems (OS) have security features that require your explicit approval before your device can initiate USB data transfers.
This means that, while highly targeted attacks may be possible, typical users face a relatively low risk from juice jacking.
But is it safe to use public charging?
Thanks to built-in security features in today’s smartphones, the risk of unauthorized access is low but not zero.
TSA guidance makes it clear: Vigilance goes a long way, especially in high-risk environments like airports, restaurants, and hotels. It’s best to use your own wall charger, portable power bank, or USB data blocker (“USB “condoms”) to avoid data theft.
How does juice jacking work and is juice jacking a real threat?
Juice jacking is where public charging stations or USB cables are modified to install malware or steal data while your phone is being charged.
The threat first came to light at the 2011 DEF CON hacker conference, when security researchers Brian Markus, Joseph Mlodzianowski, and Robert Rowley from Aries Security placed a malicious charging kiosk in the infamous “Wall of Sheep” area.
This live demonstration zone (now part of the Packet Hacking Village) was where security researchers displayed anonymized data captured from attendees who engaged in poor security practices. Chief among the mortal sins was NOT using encryption to protect plaintext passwords.
So, the “wall” was a literal projection or display showing this captured data. In recent years, it has captured everything from romances gone wrong to a security leader’s bank statements and unpublished book exposed to all DEFCON volunteers - just by not using SSL/TLS.
During the three-and-a-half-day conference, over 360 attendees (including seasoned hackers and security professionals), plugged their phones into the “Free Cell Phone Charging Kiosk.”
And here’s the irony. The creators even included a message warning users not to trust public charging stations:
“You should not trust public kiosks with your smartphone. Information can be retrieved or downloaded without your consent. Luckily for you, this station has taken the ethical route and your data is safe. Enjoy the free charge!”
Many attendees, however, seemed unfazed, with one proclaiming, “I don’t care, take my data, I need my phone charged to make a phone call!”
This demonstration was the first public proof that, even in a hyper aware environment, urgency and convenience can override self-preservation.
It's a classic case of optimism bias. People often believe bad things won’t happen to them, even when they know the risks.
BUT no one had a name for this threat until security journalist Brian Krebs called it “juice jacking.” Since then, it has gained ongoing attention in our mobile-first society.
In 2016, Aries Security took juice jacking to a new level with “video jacking” at DEF CON. The “attack” used custom hardware within a USB charging station to split a phone’s video display and record everything someone does on screen, from sending texts and emails to typing in passwords, PINs, and account numbers.
For the researchers, building a video jacking rig was neither costly nor complex. It took only $220 worth of readily available parts that could be purchased anywhere.
According to Krebs on Security, most everyday users likely won’t encounter video jacking in routine life, especially if they don’t plug their phones into random USB outlets. However, those in sensitive occupations - handling trade secrets and intellectual property - could face a possible risk at locations like niche trade shows or conventions.
That said, is juice jacking a real threat in 2025? The research shows that:
- Most demonstrations of juice jacking have occurred only in controlled, academic settings (like DEF CON), exploiting vulnerabilities that have since been patched by smartphone manufacturers.
- To succeed, a real-world juice jacking attack would require the attacker to set up hardware in a public space, use rare Zero Day exploits, and hope a target plugs in. There are far easier ways to get access today, such as using Pegasus spyware to monitor high-value targets.
- Ordinary travelers using smart charging habits are more likely to encounter phishing scams than a juice jacking attack.
What is the TSA warning about juice jacking?
In June 2025, the TSA publicly warned about juice jacking, advising users to avoid plugging their phones into public USB ports, especially in airports.
Instead, the TSA recommends using a personal power bank or battery pack to avoid exposure to potentially compromised charging stations.
What is choicejacking?
Choicejacking is a newer variant of juice jacking that bypasses the protections in mobile operating systems requiring user permission for USB data transfers.
In 2025, researchers at Austria’s Graz University of Technology demonstrated how choicejacking works, where attackers manipulate a device’s interface to trick the phone into granting data transfers.
This “invisible keystroke” method essentially simulates the user pressing on the “Allow” or “Trust this device” button to approve unauthorized access. It represents an advanced evolution of the original juice jacking concept.
The researchers uncovered three clever ways malicious chargers can bypass your phone’s defenses:
The input special accessory technique (T1)
- This attack is Android-specific, exploiting implementation flaws in the Android Open Accessory Protocol (AOAP).
- If you connect your unlocked device to a malicious charger, you may be susceptible to this attack.
- Here’s how it works: The charger sends USB control requests to put the Android device into a special accessory mode and then registers as a HID (Human Interface Device).
- This allows the charger to autonomously complete all user consent prompts without your input.
- The attack takes 167 milliseconds on Galaxy A14, 133 milliseconds on Galaxy S20 FE, 267 milliseconds on Galaxy A33, and 300 milliseconds on Galaxy S23.
The input queue race condition technique (T2)
- In this attack, an unlocked device is first connected to a malicious charger.
- Next, the charger switches roles via USB Power Delivery. The Android device now acts as a USB host, while the charger becomes a USB HID (Human Interface Device).
- The charger then floods the Android phone with fake input commands.
- These fake inputs fill up the phone’s input event queue, which stores input events waiting to be processed.
- When the Android system displays a prompt asking you to allow data transfers, a subtle timing issue (race condition) lets the attacker’s inputs select “yes” before you can even see the prompt or respond.
- This method is Android-specific and happens so quickly (in milliseconds) that it is effectively undetectable to the user.
The Bluetooth HID spoofing technique (T3)
- In this attack, an unlocked device is first connected to a malicious charger.
- At a suitable moment, the charger performs a USB Power Delivery Data Role swap to switch roles. The mobile device now acts as a USB host, while the charger becomes a USB HID (Human Interface Device).
- Next, the charger navigates to the Bluetooth pairing screen to make the mobile device discoverable. Then it advertises itself as a trusted Bluetooth input device and initiates pairing.
- Through the USB input device, the charger accepts the pairing request.
- Next, the charger does another USB Power Delivery swap and becomes the USB host.
- As the USB host, the charger initiates a data connection. Through the Bluetooth input device, the charger silently confirms the data connection on the mobile device.
- The charger can now read, copy, or manipulate data without you being any the wiser. This technique works on both Android and iOS devices.
As can be seen, choice jacking is a huge risk if you use public charging stations. In 2025, both Apple and Google have made updates that now require biometric authentication or PIN entry (not just a simple “yes” tap) for USB data transfers. This update is for iOS 18.4 and Android 15.
That said, certain Samsung models running One UI 7 don’t require secure confirmation, leaving them vulnerable to choice jacking.
Your best bet? Avoid public charging stations altogether.
How to detect juice jacking
Detecting juice jacking can be difficult because compromise often happens silently. However, some signs may indicate an attack such as:
- Sudden crashes or lag in device performance
- Unfamiliar apps or screen activity during charging
- Unusually fast battery drains after charging
- Data usage spikes unrelated to normal activity
- Unexpected pop-ups or permission requests
You may be wondering, “If I experience any of the above, does that mean I’ve been juice jacked?”
Not necessarily; but it could be a possibility if you’ve recently used a public charging outlet.
So, what are your options if your device has been compromised? In such a case, a full factory reset is your best bet. It’s best, however, to avoid backing up any files or apps from an infected phone as you could re-introduce malware even after the reset.
And if you’re thinking that running a mobile antivirus should suffice, know that they have limited capability in detecting advanced rootkits or backdoors.
Ultimately, one decision (like plugging into a public outlet in a moment of desperation) can affect every file, document, or memory you care about.
So, think twice before plugging into an unknown outlet. After the reset, consider streamlining and securing your most sensitive files.
LastPass is an award-winning Secure Access provider that lets you store what truly matters (like private or sensitive images, passports, SSN cards, PINs, medical insurance info, and more) in a private vault protected with Zero Knowledge, military-grade encryption.
Whether you’re a personal or business user, you can get premium data protection today with a LastPass free trial (no credit card required).
How to protect against juice jacking
The best defense against juice jacking is to avoid using public USB charging stations. Other practical strategies include:
- Using a personal AC adapter or portable battery pack
- Using a “charge only” cable that blocks data connections to your device
- Keeping your mobile OS and security software up to date to benefit from the latest protections
- Declining data transfer requests on connected devices
- Carrying and using a USB data blocker (sometimes called a “USB condom”) that only allows power transfers and blocks data lines
- Using strong authentication methods like LastPass FIDO2 MFA to lock access to your most sensitive accounts
FAQs about juice jacking
Is it safe to plug your phone into an outlet at the airport?
Plugging a phone into an airport outlet – especially those sleek USB charging ports - isn't safe in 2025. Federal agencies, including the TSA, continue to warn that public USB ports pose a real risk.
This is because infected outlets can expose your device to malware or spyware.
Your best bet is to use a personal power bank or carry a charging brick that plugs directly into an AC wall outlet. AC power outlets deliver pure electrical current only - with no data lines, they’re immune to juice jacking.
Are hotel USB chargers safe?
USB ports built into hotel lamps and alarm clocks aren’t 100% safe. All it takes is a single tampered port to potentially put your device at risk for credential-stealing malware or data theft.
Are iPhones protected from juice jacking?
With iOS 26, Apple is making phones safer against juice jacking. When an iPhone is plugged into any USB-C accessory, the device now asks (through an inescapable permission prompt) if the accessory should access data or just charge.
Deny data access and charging proceeds as normal. If your phone screen is locked, data transfer is blocked by default. These built-in defenses are a strong protection against juice jacking.
Note, however, that if you allow data access to a malicious public charger, the protections are bypassed. So, vigilance still matters.
Do portable chargers prevent juice jacking?
A portable charger (also known as a power bank or portable battery) doesn’t transmit data, just electricity. Plugging a phone into a personal, standalone charger prevents juice jacking entirely, since there’s no data path open for attackers to exploit.
Can choicejacking happen on both Android and iPhone?
In 2025, security researchers are sounding the alarm about “choice jacking.” This attack can potentially bypass both iPhone and Android safety prompts under certain conditions. And while the attacks aren’t particularly practical for mass exploitation, the risks are real.
The bottom line: Even with iOS 26’s juice jacking defenses, attackers continue to find new ways to bypass protections. So, it’s best to avoid plugging into public ports for both iPhone and Android devices alike.
Sources:
https://www.cu.edu/security/stay-cybersecure-while-traveling-avoid-public-usb-charging-risks
https://krebsonsecurity.com/2011/08/beware-of-juice-jacking/
https://tugraz.elsevierpure.com/ws/portalfiles/portal/89650227/Final_Paper_Usenix.pdf
https://cacm.acm.org/news/juice-jacking/
Subscribe & Save 20% off Premium or Families plans
By subscribing, you agree to receive marketing communications regarding industry news and research, educational resources, and LastPass products and services. The processing of your personal data in accordance with the LastPass Privacy Policy. You can unsubscribe from marketing communications at any time.
