
Fact Check: Can rogue chargers be used to hack your phone? Unlikely, but not impossible

Nov 27, 2023

No such incident has taken place in Hyderabad. However, the possibility of such an attack, called ‘Juice Jacking’, cannot be completely ruled out.

By Fact Check Bureau: Among the most stressful moments in our lives are the times when our phone's battery is about to die and a charger is not handy. We become desperate to plug in to any charging point we can find. But that may not be the best thing to do.

A cautionary tale that's been regurgitated by several people on social media recounts how a Hyderabad CEO was robbed of Rs. 16 lakh using a never-before-seen technique — through bugged charging cables. Allegedly, cops were baffled by how anyone could have robbed money from his bank account without triggering OTPs or phishing. They also found no signs of tampering on his phone.

According to the sensational story being shared on social media, law enforcement authorities eventually discovered that someone had replaced his phone's charger and that the new charger hid inside it a microchip that was used to hack into his phone. This was how the perpetrators took control of his phone and transferred money from his account, the post claims.

Posts like these have been archived here, here, and here.

AFWA found that no such incident has been reported in Hyderabad. However, the possibility of such a crime, worryingly enough, cannot entirely be ruled out.

We looked for news reports about such an incident in Hyderabad and found nothing. AFWA then contacted KVM Prasad, the Assistant Commissioner of Police for Hyderabad Cyber Crimes.

He said that such a crime had not been reported in the city, even in the past. He added, "This hoax appears to be written with the intention of causing panic." The ACPs of both Cyberabad and Rachakonda also said the same thing.

As for whether chargers can be used to hack phones, the answer is yes: this is technically possible according to the experts, and is called a "juice jacking" attack. Per a 2019 TechCrunch report, criminals can load malware on charging stations or on cables plugged in at the stations. This can infect the connected devices of unsuspecting users. The malware may lock the device or export data and passwords directly to the scammer.

Also in 2019, cases of juice jacking were reported in Delhi-NCR and the State Bank of India also cautioned people against this menace. Most recently, in September, the Odisha Police warned people on Twitter against charging phones at public places like USB power stations, etc., because of the possibility of malware being put into the devices.

"Don't charge your mobiles at public places like mobile charging station, USB power station etc. Cyber fraudsters are trying to steal your personal information from mobile and installing the malware inside your phone. #StayCyberSafe pic.twitter.com/CubCnYlJn7" — Odisha Police (@odisha_police), September 15, 2022

Satyajit Sinha, a Principal Analyst at IoT Analytics, told AFWA, "Once introduced, the malware remains in the device unless detected and removed by users. Whatever the phone owner does on the screen, a hacker can even see it live on another device using malicious software."

He added, "In this case, if you access your bank account or make a purchase, a hacker can see the details you enter and siphon off your money."

Karan Saini, a network and application security researcher based in Bengaluru, corroborated what Sinha said. He, however, remained sceptical of the feasibility of these methods. He said, "There are a few manufacturers that sell cables like the ones produced by O.MG, that are typically used only for research. But they can also be used by a criminal to infect a user's device. However, buying these cables is not necessarily cheap, and therefore, a run-of-the-mill cybercriminal would most likely not use one. A regular USB cable, on the other hand, can also be modified to perform the same functions as the O.MG cable, but this requires much more effort and skills, again making it unlikely for cybercriminals to indulge in it. Thus, the way the story describes the fraud would be very hard to do."

Another cybersecurity expert, Sunny Nehra, seconded that hacking into phones using regular USB charging cables can get very expensive, aside from being a complicated process whose results may vary from device to device. This offers a lower success rate, he said. Nehra added, "On top of the expense, an infected USB will still not work unless the connected device has been rooted before, or has enabled debugging."

O.MG cables look like regular charging cables and already have implants with more computational power, making them the ideal candidate for such attacks. However, they also have their limitations, explained Nehra.

"By default, the data transfer mode is disabled in smartphones, protecting them from such attacks automatically. Even if enabled, it gives the hacker a maximum of ten minutes to get the passwords. This is made more difficult by the fact that only a limited number of attempts are allowed and brute-forcing passwords can lock the phone," he added.

People should avoid using public charging stations. However, if you are forced to use one, it is advisable to switch off your phone or use a data blocker while doing so. A data blocker is a device that plugs into the charging port on your phone, acting as a shield between the public charging station's cord and your phone.

You should also watch for signs of intrusion flagged by your phone's built-in measures (such as pop-ups seeking permission for data transfer while using a public cord) and install anti-malware software.

(Written by: Sanjana Saxena)

Edit: The story erroneously mentioned earlier that "Not all phones support O.MG cables." This has since been removed.
