News →

Troll Watch: 'Juice Jacking'

NPR's Don Gonyea talks with Luke Sisak, a cybercrimes prosecutor, about a new form of data theft called "juice jacking."

Copyright 2019 NPR. To see more, visit https://www.npr.org.

Transcript:

DON GONYEA, HOST:

The holiday season comes with lots of airport travel and lots of time waiting at airports. So, naturally, worn-out travelers look for distractions while they wait out that massive layover. You might want to plug in your favorite show on the iPad. But, unfortunately, the battery's dead, and you need to charge. If you're lucky, there are some USB ports around. But hold on, you might not be as lucky as you think. Some hackers could be using those free public USB ports to steal your data in a process experts are calling juice jacking. Perfect topic for our recurring Troll Watch segment.

(SOUNDBITE OF MUSIC)

GONYEA: Joining us now to talk about this trend is Luke Sisak. He's a deputy district attorney for Los Angeles County and a cybercrimes prosecutor. Luke, thanks for joining us.

LUKE SISAK: Thanks for having me, Don.

GONYEA: What exactly is juice jacking? How does it work?

SISAK: Juice jacking is a way for a criminal to get your personal information out of your phone through your power port. It can work a variety of different ways. But the end result is that by plugging into a USB socket somewhere, a criminal has either downloaded your information or actually uploaded malware into your phone that will then send it to him or her wherever they are. And it isn't always the same way. But it's the same result, which is they have your information, and you've been compromised.

GONYEA: So give us some examples of how they might actually get access to the information on my phone or my iPad or whatever. I'm sitting there, and there's the USB port just asking me to use it.

SISAK: Well, the simplest way to think about it is when you plug your, let's say, iPhone into your computer, you'll get the little warning or little question box. It says, do you want to trust this computer? And if you press yes, you can see your photos and other things on your computer screen that are actually on your phone. They can build in a version of that that allows them to do the same thing.

They don't really care about the photos. What they want are credit card numbers that are saved, Apple Pay accounts, even things like your address or your Social Security number. If they've been entered into a webpage or some other app, they potentially have the chance to get those.

GONYEA: Is it that the actual USB port has been compromised in some way? Or is it a question of them, say, plugging in a handy USB cable there that you just think is there for you to use?

SISAK: No, it's not the cable. It's the port itself. And, really, what it is is what's behind the port. For all intents and purposes, it's a little computer. It's got a little data socket - a USB socket. And it's got software installed in it, and there's a variety of ways to install that software, a variety of things it can do to your phone.

GONYEA: Is there a visual thing we should notice as we look at a port to see if it has, perhaps, been compromised? Or should we just stay away from them, completely?

SISAK: It's like anything else. The less reputable it looks, that's usually a good sign that it's a problem. What we tell everybody, though, is that, again, it's not common. But because it is possible, if you can avoid using just a USB socket for power and find an actual wall outlet, you're far better off.

GONYEA: So the wall outlet is OK, probably OK.

SISAK: So the wall outlet is going to be OK for sure because the wall outlet only transmits power.

GONYEA: Do airports regularly check these ports to see if they've been compromised?

SISAK: I don't know. And, obviously, within airports, each airport is different. But I don't know that airport staff would necessarily even know what to look for. And the toughest part about this issue is that people don't know they've been victimized. So it's part of the reason why it's hard for us to catch scammers or hackers in the act. And it's part of the reason why it's hard for airports or anywhere else to know because no one's complaining. Oh, a guy out there just took my purse. That's easy. But people may be in Omaha, Neb., or Alaska or wherever by the time they realize they got their information taken. And they'll have no idea where it happened.

GONYEA: So let's close by having you offer just your quick advice to people.

SISAK: What I do is I bring a wall charger with me. That covers you most of the time. In the event that there is no wall charger, I usually - especially when I travel - will have a battery pack with me. That way, I know where the power's coming from. I know what I'm plugged into. But the biggest thing is to just be aware of what you're plugging into and that there is a potential risk there. And, especially, if your phone or tablet says do you want to trust this computer, the answer's pretty much always no unless you're at your home.

GONYEA: I will never look at a USB port the same way again.

SISAK: And that's really the only point because it is not the most common thing. But it's just, like, well, you know, just so you know that it's out there. And just be aware.

GONYEA: That was Luke Sisak, deputy DA for LA County and a cybercrimes prosecutor. Luke, thanks much.

SISAK: Thanks, Don. Happy Thanksgiving. Transcript provided by NPR, Copyright NPR.