Despite TSA Warning, Airport Chargers Likely Aren’t Dangerous
Have you ever been told not to charge your phone at the airport ? Many of us have been told this , and by major government agencies like the FBI no less. The topic is back in the news, oddly enough, after a March post on the TSA’s official Facebook page . Like the FBI, the TSA warns us to avoid USB ports and Wi-Fi networks in public places like airports — and it seems little has changed in the four months since their position was posted.
The post itself is, in my humble opinion, odd. It reads less like a public service announcement from an official security agency and more like a social media post written by a summer intern. The biggest red flag for me is this sentence: “Hackers can install malware on USB ports (we’re told it’s called juice jacking/port jacking).” I’d like to think that an agency like the TSA doesn’t need to be told what the supposed security threat is called.
But aside from the incompetent style of the post, the warnings themselves are a bit odd. In my view, there’s little reason to panic about these two security issues. Let’s look at each one separately:
Are public USB ports safe?
The problem is that attackers can infect these public ports with malware, and when you connect to them, the malware will be installed on your device. This is called “juice jacking” or “port jacking.”
It’s not that juice jacking seems impossible: malware can be delivered in a variety of ways. Rather, it’s that there hasn’t been a single known case of it happening in real life , other than an educational example at Defcon 2011. Could the FBI and TSA know about attacks that the public doesn’t know about? Sure. But I’m not sure that airport USB ports are mass-produced, yet silent, distributors of malware. To do that, attackers would have to buy plane tickets, enter the secure area of each airport, and spend time infecting each port. Again, it’s possible, but unlikely in my opinion. Why do that when it’s much easier to trick users into installing malware from scam sites?
Attackers will also have to deal with USB cables that are designed for charging only, but do not support data transfer. Perhaps your cable allows data transfer, but someone else’s does not. Even if your cable does, many modern smartphones require permission to access the USB device before you can start transferring data. Without this permission, the connection will only charge your device. While researchers have found ways to bypass these protections , there are too many variables for this to be an effective method of installing malware, and if I were a hacker, I simply wouldn’t think it’s worth the effort.
However, there may be counterfeit USB ports at airports, and the FBI and TSA are aware of juice jacking incidents but do not disclose them to the public. If you need to safely charge your phone at the airport, you have a few options.
The first option is to use a USB “condom.” USB condoms essentially turn any cable into a charging-only cable, blocking all data transfer capabilities. If you have a USB cable that would otherwise easily install malware on your device, a USB condom will block that activity, allowing you to charge your devices safely and securely. But you don’t need any of these devices to charge your devices safely at the airport: just use wall outlets. They don’t pose a risk of juice jacking, since they don’t support data transfer. Just plug the power adapter into the outlet as normal and charge your device with peace of mind.
Is public Wi-Fi safe?
The second warning advises travelers not to use free public Wi-Fi, especially for online shopping or entering sensitive information. This is good advice for 2015. In the past, most websites weren’t encrypted, meaning your internet traffic was available to anyone who knew how to access it. It’s one thing if you’re checking headlines in The New York Times or watching YouTube videos: hackers can see that traffic, but it doesn’t really matter other than your privacy is compromised. But if you’re entering sensitive information like passwords on websites or accessing sites with personal data, like your bank’s, you’re in danger. That’s why the (good) old advice was to avoid using public Wi-Fi, especially for these types of activities.
However, as of 2018, the vast majority of websites you visit are encrypted. This means that even if you’re using public Wi-Fi without encryption, the actual web traffic is protected. Hackers won’t be able to see the information you enter on these sites if it’s actually encrypted.
So, if you’re using public Wi-Fi (especially public Wi-Fi without any password protection), just double-check that the website itself is encrypted before you sign in. You’ll know if the site uses HTTPS (rather than HTTP) or if there’s a little “lock” icon in the address bar, depending on your browser.
Now, you still need to make sure that the site you’re visiting is not only encrypted, but also legitimate. Phishing sites can also use HTTPS , so make sure you’re actually visiting your bank’s site before entering your details. This advice, of course, applies whether you’re using public or home Wi-Fi. You can also further protect your web browsing with a VPN , which reroutes your traffic, making it much harder to track. You may be connecting through Denver Airport, but your traffic could appear to be coming from Japan, Panama, or Iceland.