Airline travel is already fraught enough — canceled flights, passengers trapped in their seats for hours, weather delays, turbulence, and, frighteningly, deadly accidents — without travelers having to worry about hackers nicking their data at the airport via “juice-jacking.”
Yet, the Transportation Security Administration warned over the weekend that the danger begins long before flyers board the planes. Noting that “in this technology age, cybersecurity has never been more important,” the TSA told travelers to avoid using public USB ports at airports to charge their phones.
“Hackers can install malware at USB ports,” the TSA posted on Facebook. “So, when you’re at an airport, do not plug your phone directly into a USB port.”
Instead, travelers should bring their own charging bricks or battery packs — or plug their chargers directly into electrical outlets.
Juice-jacking is a threat befitting an increasingly mobile society. After all, says Black Duck Senior Staff Consultant Nivedita Murthy, as reliant as we are on our mobile devices, they will inevitably run out of juice, particularly as we travel. “The natural instinct is to charge your phone at the nearest USB port or charger outlet that’s available,” she says.
Indeed, “cybercriminals are capitalizing on a mobile-first attack strategy, exploiting every opportunity to compromise devices — including something as routine as charging a phone at the airport,” says Kern Smith, vice president of global solutions at Zimperium. The seemingly harmless act of “plugging into a public USB port or connecting to free Wi-Fi, can open the door to malware and data theft.”
USB cables are particularly vulnerable to abuse by bad actors. Modern USB-C cables in particular, notes Murthy, are “designed for two-way data transfer,” and airports may “have hundreds of USB ports set up for traveler convenience.” No one regularly monitors those ports, though, she explains, and they “can be misconfigured by malicious users to target unsuspecting travelers.”
But Bugcrowd Founder Casey Ellis says the TSA warning “to simply avoid these things because of common attacks feels a lot like security theater.” He says that because in reality modern operating systems “have largely mitigated the risk of juice-jacking, and the age of HTTPS everywhere and HSTS means that the ability to MITM sensitive information is largely a thing of the past,” though there will always be “exceptions to this for those with a heightened threat model or who ran strange or dated configurations on their gear.”
A better course, he says, is to take a more holistic approach to mobile security. “Make sure that you’re applying patches when they become available, ensure that MFA is enabled on important accounts, and think twice before installing software (the kind that could downgrade HTTPS, use an insecure browser, or provide a connection point for malicious USB connections) on to your devices,” he says.
As mobile threats grow more sophisticated, Kern says, “it’s critical for both individuals and organizations to put stronger mobile security precautions in place.” In addition to MFA, that includes measures like VPNs.
And Aditi Gupta, senior manager, professional services consulting, at Black Duck, encouraged travelers to add to their overall cybersecurity hygiene in public spaces. “One important tip is to turn off your AirDrop feature on iPhones,” she advises. “This helps prevent unauthorized access and potential security risks.”
That’s a risk I was reminded of recently as I boarded a flight. While my security wasn’t breached and I managed to keep a poker face, someone started sending me explicit and, weirdly, politically charged pics via AirDrop. In the months since, I’ve not forgotten to turn off AirDrop in public.