As evidenced by the frenzy of activity surrounding the documents leaked by ex-National Security Agency (NSA) contractor Edward Snowden, corporations and individuals around the globe are concerned with surveillance activity and are taking steps to secure data against secret monitoring. The continual advancement of surveillance technology to garner or steal information is a serious concern for corporations. Mobile devices, ubiquitous among today’s workforce, represent one of the biggest vulnerabilities for security breaches, whether they are company issued or personal devices used by employees for work.
As such, “juice jacking” — the theft of data from a mobile device via public charging stations — is becoming a serious corporate security risk. Specifically, juice jacking happens when a mobile device (i.e. smart phone or tablet) is plugged into a charging station via USB — it does not occur via laptops or devices plugged into wall sockets. Any employee with a smart phone or tablet that is connected to a corporate network can open up exposure simply by plugging his or her dying device into the USB charging kiosk at an airport, business center or conference. These charging stations can be hijacked by hackers and configured to read and copy data from the device and also upload malware to facilitate later exploitation, all without the user’s knowledge that anything is amiss. And hackers are becoming increasingly aggressive and sophisticated — they no longer focus on simply disabling devices, but are trying to get into the data within and see what can be done with it.
Business travelers are at a heightened risk. They are often key employees, traveling internationally — sleep deprived, weary, and often without a power cord. Losses can include personal data as well as sensitive business information. Corporate legal and security professionals need to understand these liabilities and begin to tackle the most effective ways to respond and prevent data theft. Below are the most effective practices to begin implementing to stay ahead of this issue and lay the foundation for solid mobile security within a large organization.
Develop awareness: Spend time working with IT and security to understand exactly what happens when a smart device is connected to external sources. As an example, even car chargers can be a potential threat. The iPhone will ask if a new power source can be trusted, but once the user approves a source, it will forever be considered safe by the device. Further, ensure that employees understand the public vulnerabilities to company data and require them to be extremely cautious about and generally avoid using public charging stations.
Mobile device management: Consider software packages that can be implemented on company devices to build security protocols to shield against external attacks and block unauthorized access. This type of device management provides assurance that no holes are open for someone to come in and steal corporate information, while still allowing corporate IT to have access into the device. Additionally, there are accessories that allow connection only to the elements of a charging station that provide the power, further safeguarding against juice jacking. These products include The USB Condom and a ‘dumb’ charging cable from PortaPow.
Understand international factors: The risks increase abroad, as many governments employ hackers to pull data off of devices for purposes of corporate espionage and surveillance. Business travelers are prime targets for both independent and state-sponsored hackers.
Cover the basics: Ensure employees keep up-to-date with software updates from device manufacturers. These companies are continually identifying holes in software security and provide regular updates in an effort to stay ahead of threats. Employees must be responsible for keeping their devices current, otherwise they may be putting the entire organization at risk. Further, urge basic good habits among employees so they remember to bring their own chargers/hardware and back up batteries, especially when traveling abroad.
BYOD factors: It is more difficult to regulate software updates and general security on personal devices employees use for work than company issued devices. A general best practice for companies allowing “bring your own device” environments is to create thorough, legally sound policies around the use of personal devices. Security concerns, including juice jacking, should also be addressed in BYOD policies and reviewed at length anytime an employee introduces a new personal device into the company network.
Fortunately, juice jacking hasn’t been the source of any headline-grabbing cases to date. The trend toward BYOD has increased overall mobile device management and security awareness among corporate IT and legal departments, helping to stay ahead of potential mobile data breaches. That being said, juice jacking is a reality, and corporations must remain vigilant and continue upholding and enforcing best practices to avoid opening back doors that allow hackers in to use or steal company data.