'Juice Jacking': What phone-charging kiosk deployers need to know

by Suzanne Cluckey

Contributing Writer

The automated charging machine has been a boon to kiosk manufacturers and deployers, offering revenue streams that were unimaginable in the days before the mobile device became an essential travel tool and time filler during airport layovers.

But a possible threat to that business recently came to light at the 2011 computer hackers conference DefCon 19 held earlier this month in Las Vegas. Security risk assessment firm Aries Security installed a phone-charging kiosk at the conference hotel that warned users that it was capable of downloading data from — or uploading malware to — the individual's mobile device, a practice known by the sinister-yet-catchy descriptor, "juice jacking."

According to Aries, the increasing prevalence of smartphones, which use the same port to charge the phone and sync data, means that enterprising criminals could install systems on charging kiosks that would suck down data. This information could then be exploited for any number of uses, just like any other hacked computer files.

While Aries did not reveal — for obvious reasons — the methods used to alter a kiosk to enable juice jacking, conference-goers got the idea and started chattering about it. The story has now made its way from independent blogs to PC World, MSNBC.com's Technolog and business and financial news aggregator The Street.

At this point, word about the DefCon demo is still limited to the Web. But as most scary news items do, this one will surely make the jump eventually to mainstream media, where, as most scary news items do, it will surely become a big deal.

Not everyone is convinced that juice jacking constitutes a real and present danger, though.

David Drain, executive director of the Digital Screenmedia Association, which represents the interests of the interactive kiosk industry, says that kiosk deployers themselves would have nothing to gain by accessing their customers' data.

"I'm not saying it couldn't happen," Drain said. "I'm just saying that either [kiosk operators] are charging a fee to charge your phone or they are displaying advertising and letting you charge your phone for free because you're sitting there while your phone is getting charged, watching. So it's not in the interests of any of these companies that make the kiosks to do anything like what they're suggesting."

In some instances, kiosks are actually incapable of data download. The KEO charging kiosk designed by Frank Mayer & Associates and deployed by KEOConnect at airport-based Hudson News shops is one example.

"We made sure that in our design, there were no data lines in the cables that are connected from our system to the handset," said Ron Bowers, senior vice president of business development for Frank Mayer & Associates. "There are no data paths between the handset and the host computer, so it would be impossible to download data."

In such a case, said Bowers, data hackers would have to gain access to the interior of the kiosk and install their own skimming system. To retrieve data, thieves would either have to break into the kiosk again or link it to the kiosk's network, which they would then have to hack into. All of which Bowers says would be virtually impossible.

"The network is completely secure," he said. "The typical network security steps have been taken, but also making sure [network security] was one step above what was typically required or certified.

"The physical security of the kiosk design prevents hackers from accessing the unit itself. The doors, the media player do not have any accessibility or the ability for anybody to put a skim unit on it."

Neither all kiosks nor all kiosk locations are created equal, however. Theoretically it would be possible for criminals to gain physical access to an improperly secured unit in a low-traffic location. But this raises the question of whether the level of usage in such a location would make the gain worth the risk for thieves.

Also theoretically, a kiosk that used standard charging cables could be susceptible to a classic computer hack, assuming that those data lines were connected in some way to the kiosk network. But there, the question is what possible reason the kiosk designer could have to design such a connection into the machine except to steal data.

And that brings up what represents probably the greatest (but still dubious) likelihood for a juice-jacking scheme: charging kiosks that are designed and deployed by criminals with the express purpose of stealing data.

This is where the DefCon demo can actually show the industry the way to build greater security and trust with consumers, Drain said:

"No one's saying that [juice jacking] has happened. They're saying that this theoretically could happen. So we just have to educate people, and certainly that does place some onus on some of these cell phone-charging kiosk manufacturers to assure the public that their devices are safe and the consumer's data will be safe."

Providers of cell phone charging services also need to educate customers about choosing and using charging kiosks, Drain said. This would include avoiding a kiosk that looked in any way suspicious or that was placed in a suspicious location.

Bowers mentioned additional common-sense measures the industry could educate consumers about.

"It's really very simple things," Bowers said. "There is a switch on your phone that you can turn off so that you cannot download information unless a password is put in. And the other thing ... when I use a charging system, I turn my phone off completely. It is a very easy way to protect against anything like this happening."

Ultimately, it will be up to cell phone-charging kiosk designers and deployers to stay ahead of the hackers. Said Bowers, "It's kind of our responsibility when we create a kiosk to be an advocate for the consumer that's going to use it and come up with a solution that will protect them."


User Comments
  • ADAM GEMAL
    We have been doing so well with our Cell Phone Locker Charging stations-

    First one to keep your Phone safe- CHECK US OUT

    USASuperCharger.com

    THANKS,
  • isaac brody
    Juice Jacking is a RUMOR --> our cell phone charging kiosks www.gochargenow.com do NOT jack juice!
  • Jeffery mills
    CHARGE N GO NETWORKS CELL PHONE CHARGING STATIONS KIOSK are certified safe. ONE WAY CHARGING ONLY. We are listed with and have received a high ranking with The Dun & Bradstreet Credibility Corp.
    info@cellpower.us www.cellpower.us 404-936-8119
  • Jeffery mills
    Charge N Go Networks is a company that operates and distributes stand-alone cell phone charging stations that are certified safe. ONE WAY CHARGING ONLY. We are listed with The Dun & Bradstreet Credibility Corp. It is our goal here at Charge N Go Networks to put the security and privacy of our users as top priority. We are going to go a step further and post signs on all of our ACMs advising the customer to turn their phone off while charging. www.cellpower.us info@cellpower.us