We’ve reported on robust, zero-click malware like Pegasus and Reign that state actors and criminal syndicates can use to transform your smartphone into a 24/7 surveillance device. These infiltrations don’t require you to make a single click or take any action, but lower-tech threats to privacy are proliferating from users’ interactions with mundane sources as well.
The FBI is now warning Americans to avoid using free charging stations in airports, hotels, and shopping centers. The Bureau reports that bad actors can use charging stations to infiltrate devices, installing malware or monitoring software to remotely steal your data.
By connecting your devices to a public charging station, a user could be vulnerable to “juice jacking,” malware that hijacks your charging cable during a charge. With malware and other cybersecurity threats installed onto a charging station, you could import them directly into your phone without ever knowing.
Smartphones and devices with the latest security updates might be fine, but hackers can continually modify their malware programs to evade detection. Juice jacking is just one way that hackers can hit your devices. A device’s defenses against these vulnerabilities are only as good as their most recent software update, so a phone that hasn’t been updated in weeks or months is especially open to attack.
While low-level malware attacks pose a significant risk to cybersecurity, they could be overtaken by far more powerful zero-click attacks that require no action on the victim’s part. The vector of these attacks can be global.
NSO Group’s Pegasus and QuaDream’s Reign are zero-click attacks that overcome the need to trick a user into taking an action. Pegasus can infiltrate a smartphone, reading text messages, tracking calls, collecting passwords, tracking location, accessing the device's microphone and camera, and harvesting information from apps. This technology is frightening because Pegasus or Reign can be installed remotely on smartphones even with the most up-to-date security software, all without the user ever touching their devices.
If bad actors using malware to infiltrate public charging stations to infect older device models is the Covid of malware, then a fully commercialized Pegasus or Reign would be more like the Black Plague. While Americans on travel can prevent attacks by bringing their own battery charger, nothing at present could prevent the epidemic if zero-click attacks proliferate in the wild.
Tech companies are in a continuous arms race with hackers and malware developers. The best thing you can do now is to regularly update your software and avoid public charging stations as if they were dirty bathrooms.