Juice Jacking
A cyberattack using public USB charging ports to transfer malware to, or steal data from, devices while they charge.
Also known as: USB charging attack, public charger attack, USB data attack
Last reviewed: 1 June 2026
Juice jacking exploits the fact that USB cables carry both power and data. A tampered public charging station — in airports, hotels, shopping centres, or on public transport — can be modified to interact with devices plugged into it. When a user connects a phone or tablet expecting only power, the compromised port can install malware, silently extract files, or harvest contacts and credentials.
Attacks come in two forms: passive data exfiltration (copying files without the user noticing) and active malware injection (installing spyware, ransomware, or stalkerware). Some attacks involve 'BadUSB' firmware attacks that make a USB device impersonate a keyboard to run commands.
Defence is straightforward: use your own charger and wall socket, carry a portable power bank, or use a 'USB data blocker' (charge-only adapter) that physically breaks the data pins. Many modern smartphones now display a 'Trust this computer?' prompt when connected to unknown USB sources, but users often accept without thinking.
Examples
- A traveller plugs their phone into an airport fast-charge kiosk; unknown to them, the kiosk installs spyware that logs banking credentials.
- A conference charging station is compromised to silently copy contacts and emails from connected devices.