Have you been told not to charge your phone at the airport? Many of us have, by major government agencies like the FBI, no less. The conversation is back in the news, confusingly, from a March post on the official TSA Facebook page. Like the FBI, the TSA is warning us to avoid both USB ports and wifi networks in public places, like airports—and it doesn't seem much has changed from their perspective in the four months since they posted.
The post itself, in my humble opinion, is bizarre. It reads less like a PSA from an official security agency, and more like a social media post typed up by a summer intern. The largest red flag for me is this sentence, which reads: “Hackers can install malware at USB ports (we've been told that's called “juice/port jacking”).” I would like to think an agency like the TSA wouldn't need to be told what a supposed security threat is called.
But ignoring the lack of authority in the style of the post, the warnings themselves are a bit odd. From where I'm sitting, there are few legitimate reasons to stir up panic over these two security issues. Let's look at each one individually:
Are public USB ports safe?
The worry here is that bad actors can infect these publicly accessible ports with malware, so when you plug in, the malware installs itself on your device. This is what's known as juice jacking or port jacking.
It's not that juice jacking seems impossible: Malware can be delivered in a number of ways. It's more the fact there has been no known case of this happening in the wild—save for an educational example at Defcon 2011. Could the FBI and TSA be aware of attacks that the public is not? Sure. But I'm not sure that airport USB ports are massive yet silent malware spreaders. That would require bad actors to buy plane tickets, enter the secure zone of each airport, and take the time to infect each port. Again, possible, but, in my view, unlikely. Why do that when it's much easier to trick users into installing malware from fraudulent websites?
Bad actors would also need to contend with USB cables that are charging only, with no support for data transfer. Maybe your cable allows for data transfer, but maybe someone else's doesn't. Even if yours does, many modern smartphones require you to grant permission to access the USB device before you can initiate a data transfer. Without that permission, the connection will only charge your device. While it is true that researchers have found ways around these defenses, there are too many variables out there for this to be an effective malware installation method, and if I were a hacker, I just wouldn't think the juice was worth the squeeze.
That being said, perhaps there are manipulated USB ports in airports, and cases of juice jacking the FBI and TSA are aware of, but aren't disclosing to the public. You have a couple of options if you have to charge in the airport safely.
The first is to use a USB “condom”: USB condoms essentially turn any cable into a charging-only cable, by blocking all data transfer capabilities. If you have a USB cable that would otherwise happily install malware on your device, a USB condom will block this activity, so you can charge safely and securely. But you don't need one of these devices to safely charge your devices at the airport: Just use the wall outlets. These pose no risk of juice jacking, since there are no data transfer capabilities here. Just plug your power adapter into the outlet as you normally would, and charge away with peace of mind.
Is public wifi safe?
The second warning advises travelers to not use free public wifi, especially for online purchases or to enter sensitive information. This is good advice, for 2015. Back in the day, most websites were not encrypted, which meant your internet traffic was exposed to anyone who knew how to access it. It's one thing if you checked headlines on The New York Times, or watched a YouTube video: Hackers could see that traffic, but there wasn't much to do with that other than violate your privacy. But if you entered sensitive info on sites, like passwords, or accessed sites with private data, like your bank's website, then you had a security situation. That's why the (good) advice of old was to avoid using public wifi, especially for these types of activities.
Since 2018, however, the vast majority of websites you visit are encrypted. That means even if you use public wifi without encryption, the actual web traffic is protected. Hackers won't be able to see the information you enter on those sites, as long as it is indeed encrypted.
So, if you're using public wifi—especially public wifi without some type of password protection—just double-check the website itself is encrypted before logging in. You'll know that if the site uses HTTPS (as opposed to HTTP), or by the small “lock” icon in the address bar, depending on the browser.
Now, you'll still want to ensure the website you're visiting is not only encrypted, but legitimate. Phishing sites can use HTTPS too, so make sure you're actually visiting your bank's website before plugging in your information. That advice, of course, applies whether you're using public wifi or your home wifi, anyway. You can also protect your web browsing even more with a VPN, which reroutes your traffic to make it much more difficult to track you. You might be connecting through the Denver airport, but your traffic could look like it's coming from Japan, Panama, or Iceland.
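The two checks described above (is the page HTTPS, and is it really the site you meant to visit) can be written down as a small classifier. This is an added example, not part of the original article; the function name check_login_url, the hostname bank.example and every sample URL are constructed for illustration.

```python
from urllib.parse import urlsplit


def check_login_url(url: str, expected_host: str) -> str:
    """Classify a URL before credentials are typed into it.

    expected_host is the hostname the user already knows to be the real
    site, e.g. from a bookmark (an assumption of this example).
    """
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        return "not-encrypted"      # traffic readable by others on open wifi

    # .hostname drops any "user@" prefix and ":port" suffix and lowercases.
    host = (parts.hostname or "").rstrip(".")
    expected = expected_host.lower().rstrip(".")

    # Exact match, or a true subdomain of the expected host.
    if host == expected or host.endswith("." + expected):
        return "ok"

    # HTTPS, but not the expected site: look for signs of imitation.
    punycode = any(label.startswith("xn--") for label in host.split("."))
    non_ascii = not host.isascii()                    # homoglyph characters
    embeds_name = expected in parts.netloc.lower()    # real name used as bait
    if punycode or non_ascii or embeds_name:
        return "lookalike"
    return "wrong-host"


# Constructed sample URLs; none of these are real sites.
SAMPLES = [
    "https://www.bank.example/login",          # real site over HTTPS
    "http://www.bank.example/login",           # real site, no encryption
    "https://bank.example.secure-login.test/", # real name as a subdomain
    "https://bank.example@portal.test/",       # real name in the userinfo part
    "https://notbank.example/",                # real name as a suffix
    "https://b\u0430nk.example/",              # Cyrillic "a" homoglyph
    "https://news.test/",                      # unrelated HTTPS site
]


def classify_samples() -> dict:
    return {u: check_login_url(u, "bank.example") for u in SAMPLES}


if __name__ == "__main__":
    for url, verdict in classify_samples().items():
        print(f"{verdict:14} {url!r}")
```

Four of the seven samples are served over HTTPS and would show the lock icon, yet are not the expected site, which is the point of the paragraph above.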