Travellers are advised to avoid using public USB power charging stations in airports, hotels, and other locations because they may contain dangerous malware, the Los Angeles District Attorney said in a security alert published last week.
USB connections were designed to work as both data and power transfer mediums, with no strict barrier between the two. As smartphones became more popular in the past decade, security researchers figured out they could abuse USB connections that a user might think was only transferring electrical power to hide and deliver secret data payloads.
This type of attack received its own name, as "juice jacking."
Across the years, several proofs-of-concept were created. The most notorious is Mactans, presented at the Black Hat 2013 security conference, which was a malicious USB wall charger that could deploy malware on iOS devices.
Three years later, in 2016, security researcher Samy Kamkar took the concept further with KeySweeper, a stealthy Arduino-based device, camouflaged as a functioning USB wall charger that wirelessly and passively sniffs, decrypts, logs, and reports back (over GSM) all keystrokes from any Microsoft wireless keyboard in the vicinity.
Following Kamkar's release of KeySweeper, the FBI sent out a nation-wide alert at the time, warning organizations against the use of USB chargers and asking companies to review if they had any such devices in use.
Also, in 2016, another team of researchers developed another proof-of-concept malicious USB wall charger. This one could record and mirror the screen of a device that was plugged in for a charge. The technique become known as "video jacking."
Taking all these into account, LA officials recommend that travelers:
But there are also other countermeasures that users can deploy. One of them is that device owners can buy USB "no-data transfer" cables, where the USB pins responsible for the data transfer channel have been removed, leaving only the power transfer circuit in place. Such cables can be found on Amazon and other online stores.
There are also so-called "USB condoms" that act as an intermediary between an untrusted USB charger and a user's device.
Two such devices are SyncStop (formerly known as USB Condom) and Juice-Jack Defender. Many others also exist, and at one point, even Kaspersky researchers tried to build one -- called Pure.Charger -- but their Kickstarter fundraiser failed to raise the needed funds.
Details from zdnet.com