
USB-C cables are computers: what a charging cable can actually do

The cable in your bag is not a passive wire. Modern USB-C cables contain a chip, negotiate power levels with the device, and - in the malicious version - can contain a full microcontroller with Wi-Fi that pretends to be a keyboard the moment you plug it in. Here is what a charging cable can actually do in 2026, why juice jacking is back in the headlines, how the O.MG cable works, how to spot a sketchy cable, and what USB Restricted Mode and the equivalents on Android actually protect against.

By the Privvert team · 17 min read

The cable in your bag is not a wire. It used to be - a USB 2.0 Micro-B cable from the era of the original Kindle was effectively four bits of metal with plastic on the ends, the kind of thing you could buy in a hardware store. A USB-C cable in 2026 is a small computer. It contains a chip that negotiates voltage and current with both ends, advertises which features it supports, identifies itself with a manufacturer ID, and on the higher-end versions contains additional logic for video tunnelling, Thunderbolt signaling, and active signal amplification. The chip is required by the spec. There is no such thing as a passive USB-C cable that runs at full speed.

The implication, which is starting to seep into mainstream awareness because the FBI tweeted about it and a security researcher named MG kept building progressively more alarming demonstration cables, is that the same connector and the same form factor can carry a hidden microcontroller, a Wi-Fi radio, and the ability to impersonate a keyboard the moment you plug it in. The cable looks the same. The weight is the same. The LED behavior is the same. The thing inside it is not.

This piece walks through what a USB-C cable actually does on the wire in 2026, what the malicious-cable category looks like (the O.MG cable in particular, because it is the one most often referenced in talks and news stories), what juice jacking is and is not, and the practical defenses that handle the realistic risk without turning travel into theater.

What is inside a normal USB-C cable

The USB-C connector has 24 pins. Not all of them are used in every cable, and which pins are wired up determines what the cable can do. The categories matter for the security story:

  • VBUS and GND: power and ground. Four pins each, to handle higher currents without melting. Every cable has these.
  • CC1 and CC2: the configuration channel. Two pins that the two ends use to figure out orientation (USB-C is reversible, so the cable has to tell the host which way round it is plugged in), to negotiate Power Delivery contracts (5V at 3A versus 20V at 5A versus 48V at 5A for the newer 240W Extended Power Range spec), and to identify the cable's E-marker chip if it has one.
  • D+ and D-: the legacy USB 2.0 data pair, kept for backward compatibility. Carries data at 480 Mbps.
  • TX1+/TX1-/TX2+/TX2- and RX1+/RX1-/RX2+/RX2-: the USB 3 SuperSpeed lanes. Two transmit pairs and two receive pairs. Cables that omit these pins can charge and run at USB 2 speeds but cannot do USB 3, Thunderbolt, or DisplayPort.
  • SBU1 and SBU2: sideband-use pins that carry DisplayPort, audio, or other alternate-mode signals.
  • E-marker chip: required on any cable rated above 3A or capable of USB 3 speeds. The chip lives in one of the plugs and is queried over the CC pins. It tells the host: "I am rated for 5A, I support 20 Gbps SuperSpeed, I am 1.5 meters long, here is my vendor ID."

Three cable categories matter for safety. A power-only cable physically does not connect the D+/D- and SuperSpeed pins, so no data can move regardless of what either end wants to do. A standard charge-and-sync cable connects D+/D-. A full-speed USB 3 or Thunderbolt cable connects everything. The E-marker chip is on all higher-capability cables and has its own firmware and identifier - which is the seam that the malicious-cable category exploits.

Where the threat actually lives

There are two distinct things people mean by "USB security threat", and they get blurred together in news coverage.

The first is juice jacking in its original form: a public USB port (in an airport, a hotel room, a conference center) that has been physically modified to do something more than supply 5V. The modified port can attempt to negotiate a data connection with the device, can present itself as a USB host, and can in principle exfiltrate data or push a payload. This is the threat the FBI's Denver office warned about in April 2023 and which the Federal Communications Commission re-warned about a few weeks later. The underlying capability has been demonstrated since 2011; the practical risk to a typical traveler at a typical airport remains low because the logistics of physically compromising thousands of ports across an airport are unfavourable. The targeted-attack version - one modified port in a specific business lounge that a specific traveler is known to use - is more realistic.

The second is the malicious cable: a cable that contains additional electronics inside the plug, engineered to look identical to a genuine cable but capable of acting as its own attacker. The cable does not need a compromised port. Plug it into any USB host, and the cable itself runs the attack. This is the more interesting development of the last few years, because the cable can be left in someone's bag, on a desk, or in a charging-cable bin at a conference, and the target plugs it in voluntarily, thinking they have just borrowed a cable.

The O.MG cable, in concrete terms

The O.MG cable is the best-known example of the malicious-cable category, partly because the researcher (MG) has been openly developing and selling it through Hak5 since 2019, and partly because each new generation has visibly narrowed the gap with a genuine Apple or Anker cable. It is worth understanding in some detail, because it shows what is physically possible inside a connector that looks like a cable.

The cable has three things hidden inside one of the USB plugs:

  • A small ARM Cortex microcontroller, on the order of a few square millimeters of silicon. It handles the attack logic and can be reprogrammed in the field via the cable's own Wi-Fi interface.
  • A Wi-Fi chip with an antenna integrated into the plug molding. The cable can host its own access point or join a configured network, giving the attacker a remote control channel from up to a few hundred feet away. The latest generations also support geofencing - the cable will only activate when it is in a specified geographic area.
  • Storage for several scripts that the microcontroller can execute on plug-in. These are typically HID payloads (the cable announces itself to the host as a USB keyboard and types a sequence of keystrokes), but newer firmware also supports keystroke logging on hosts that the cable acts as a pass-through for, and limited data exfiltration over the Wi-Fi side channel.

Mechanically, the cable is the same length, the same color, the same flexibility, and the same weight as a genuine cable of the same type. There are O.MG variants matching Apple's Lightning cable, Apple's USB-C cable, generic USB-A to USB-C, and Apple's USB-C to Lightning. The cable's LED, where it has one, behaves identically to the genuine cable. You cannot identify it by eye, by feel, or by weight; the only reliable identification is electrical, with a USB analyzer that probes the device descriptors.

The attack flow is straightforward. The user plugs the cable into a laptop to charge their phone, or to mirror their phone screen, or to transfer files. The cable presents itself to the laptop as a USB HID device - a keyboard. The operating system trusts USB HID devices implicitly, because that is how every keyboard and mouse on every computer has always worked. The cable's microcontroller, on a delay or on a Wi-Fi trigger, starts typing: opens a terminal, runs a one-line download-and-execute command, or pastes a script. Within a second or two it has done its work and gone quiet, and the cable also still charges the phone the way the user expected.
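A host-side check for the behaviour described above, as an added example that is not part of the original article: it scans a keystroke log for an untrusted keyboard that types a long burst faster than a person can, and reports how long the device sat idle after enumerating. The event format, the port names and both thresholds are assumptions made for the example; the trusted set is keyed on the physical port because vendor and product IDs can be copied.

```python
from collections import namedtuple

Burst = namedtuple("Burst", "device start keys delay_after_enum")

def find_injection(events, trusted, max_gap_s=0.02, min_keys=15):
    """events: (timestamp_s, device, kind) with kind 'enum' or 'key'.
    Flags untrusted keyboards that type min_keys or more keys with every gap
    at or below max_gap_s. Both thresholds are assumptions to tune."""
    enum_at, last, start, count, flagged = {}, {}, {}, {}, {}
    for ts, dev, kind in sorted(events):
        if kind == "enum":
            enum_at[dev] = ts            # remember when the device appeared
            last.pop(dev, None)          # a re-enumeration starts a new run
            continue
        if dev in last and ts - last[dev] <= max_gap_s:
            count[dev] += 1              # still inside the same fast run
        else:
            start[dev], count[dev] = ts, 1
        last[dev] = ts
        if dev not in trusted and count[dev] >= min_keys:
            delay = round(start[dev] - enum_at[dev], 3) if dev in enum_at else None
            flagged[(dev, start[dev])] = Burst(dev, start[dev], count[dev], delay)
    return list(flagged.values())

def sample_events():
    """Constructed log: port names and timings are made up for the example."""
    ev = [(100.0, "usb-3.1", "enum")]                                   # cable plugged in
    ev += [(10.0 + i * 0.18, "usb-1.2", "key") for i in range(30)]     # person typing
    ev += [(160.0 + i * 0.004, "usb-3.1", "key") for i in range(40)]   # 40 keys in 0.16 s
    return ev

if __name__ == "__main__":
    for burst in find_injection(sample_events(), trusted={"usb-1.2"}):
        print(burst)
```

The 60-second gap between enumeration and the burst in the sample is why the check looks at typing rate rather than at how soon after plug-in the keys arrive.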

The cable is sold openly to penetration testers and red teams for $180 at the time of writing. It is not a state-sponsored capability; it is a commodity tool that any motivated attacker can order online. The price has been roughly halving every two years.

What USB Restricted Mode actually does

Apple's USB Restricted Mode is the piece of operating-system plumbing most relevant to the cable threat on the phone side. It was introduced in iOS 11.4.1 in July 2018, originally as a response to law-enforcement device-unlocking boxes like the GrayKey and Cellebrite UFED that worked by repeatedly probing the Lightning port to brute-force the passcode. The countermeasure is simple in concept: after the phone has been locked for an hour (or sooner, configurable), the data lines of the port are disabled in software. The port can still carry power - the phone will charge - but it can no longer enumerate a USB device of any kind.

For the cable threat, the consequences are concrete. An O.MG cable plugged into an iPhone that has been locked for more than an hour cannot register as a keyboard, cannot transfer files, cannot probe the phone with a forensic tool, and cannot install or extract anything. It can still draw 5V from the phone's battery if the phone happens to be the host (some cables do), and it can charge the phone if the cable is plugged into a wall charger and the phone is the sink. That is the entire interaction. The cable's microcontroller is running, but it has no peripheral interface to interact with.

The toggle is in Settings, Face ID and Passcode, scroll down to "Accessories" (or "USB Accessories" on some iOS versions). The labeling is genuinely confusing: the toggle is "Allow accessories when locked", so the position you want - the one that activates USB Restricted Mode - is OFF. The default has been OFF (i.e. Restricted Mode is on) since iOS 12. iOS 17 added Lockdown Mode, which extends the protection further by disabling data connections any time the phone is locked, regardless of how recently. iOS 18 on the USB-C iPhones added an additional confirmation prompt before any USB accessory can connect - the closest equivalent to Android's long-standing "USB mode" picker.

The Android side is structurally similar with somewhat different defaults. Since Android 6, the initial USB mode when a cable is connected is "Charging only". To switch to File Transfer, MTP, PTP, or USB tethering, the user has to unlock the phone and explicitly change the mode. This means a malicious cable plugged into a locked Android phone cannot present itself as a USB device by default, and the keyboard injection attack does not work on a locked screen. The manufacturer's customisations (Samsung's One UI, Google's Pixel UI) tend to add an extra confirmation prompt before accepting an unfamiliar accessory. GrapheneOS, the security-focused Android distribution, adds a setting that completely disables the USB data lines when the screen is off, which is the strongest software-only defense in the category.

How to spot a sketchy cable, honestly

The honest answer is that you mostly cannot, by looking at it. The O.MG team designs the cables specifically to defeat visual inspection, and they have been getting better at it every year. There are a few low-confidence tells - a slightly longer USB-A plug, a marginally heavier connector, a thermal-camera image showing a warm spot inside the plug because the microcontroller is drawing power - but none of them are reliable enough to bet anything on.

The practical defenses are upstream of inspection.

  • Only use cables you bought yourself from a source you trust - Apple, Anker, Belkin, the device manufacturer's site. Do not plug in cables that arrived in conference swag bags, that you found in a hotel-room drawer, that a stranger handed you at the airport, or that you borrowed from a colleague you do not know well enough to vouch for their supply chain.
  • Label your own cables with colored tape, a small Sharpie mark, or a labeled cable tag, so you can tell yours apart from a substitute that might have been swapped into your bag. The cost is essentially zero and the benefit is that a swap becomes visible.
  • Carry a USB data blocker for the cases where you genuinely need to plug into an unknown port. A data blocker is a small USB-C-to-USB-C or USB-A-to-USB-A dongle that physically disconnects the data lines and only passes VBUS and GND. PortaPow, Hak5, and Plugable all sell them for under $20. They handle the public-USB-port version of the threat completely.
  • Keep a power-only cable in your bag for travel. Cables explicitly labeled "charge only" or "power only" omit the data pins entirely. Combined with a known-good wall charger or power bank, they reduce the attack surface to physics.
  • For high-stakes inspection, a USB power analyzer like the ChargerLAB Power-Z KM003C or the FNIRSI FNB58 will report which pins are conducting and what device descriptors the cable presents. A normal cable shows no device descriptors at all. A malicious cable shows a USB HID device, sometimes immediately on plug-in, sometimes after a delay (the O.MG cable's "stealth" mode delays the HID enumeration until the cable receives a Wi-Fi trigger, which is why a quick test can give a false-negative).
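What the descriptor check in the last item amounts to, as an added example that is not from the original article or from any analyzer vendor: it walks raw USB configuration descriptors, reports any HID interface, and shows how an observation window that ends too early turns a delayed enumeration into a false negative. The sample descriptors and the `(seconds, descriptor)` event format are constructed for the example.

```python
HID_CLASS = 0x03                          # bInterfaceClass for HID devices
BOOT_PROTOCOLS = {1: "keyboard", 2: "mouse"}

# Constructed 34-byte configuration descriptor of a boot-protocol HID keyboard.
HID_KEYBOARD_CFG = bytes.fromhex(
    "09022200010100a032"   # CONFIGURATION, wTotalLength = 0x0022
    "090400000103010100"   # INTERFACE: class 3 (HID), boot subclass, keyboard
    "092111010001223f00"   # HID class descriptor
    "0705810308000a"       # ENDPOINT 0x81, interrupt IN
)
# Constructed mass-storage configuration, to show a non-HID device.
STORAGE_CFG = bytes.fromhex(
    "090220000101008032"   # CONFIGURATION, wTotalLength = 0x0020
    "090400000208065000"   # INTERFACE: class 8 (mass storage)
    "07058102000200"       # ENDPOINT 0x81, bulk IN
    "07050202000200"       # ENDPOINT 0x02, bulk OUT
)

def interfaces(config: bytes):
    """Yield (class, subclass, protocol) for each interface descriptor."""
    i = 0
    while i < len(config):
        if i + 2 > len(config) or config[i] < 2 or i + config[i] > len(config):
            raise ValueError(f"malformed descriptor at offset {i}")
        length, dtype = config[i], config[i + 1]
        if dtype == 0x04 and length >= 9:     # INTERFACE descriptor
            yield config[i + 5], config[i + 6], config[i + 7]
        i += length

def hid_roles(config: bytes):
    """Names of the HID roles a configuration exposes, e.g. ['keyboard']."""
    return sorted({BOOT_PROTOCOLS.get(proto, "other-hid")
                   for cls, _sub, proto in interfaces(config) if cls == HID_CLASS})

def inspect_cable(events, window_s):
    """events: (seconds_since_plug_in, raw_config) pairs seen on the port.
    Enumerations after window_s are invisible to the tester."""
    seen = [(t, hid_roles(cfg)) for t, cfg in events if t <= window_s]
    if not seen:
        return "passive", []                  # nothing enumerated: plain cable
    verdict = "hid" if any(roles for _t, roles in seen) else "device"
    return verdict, seen

if __name__ == "__main__":
    delayed = [(95.0, HID_KEYBOARD_CFG)]      # constructed: enumerates at 95 s
    print(inspect_cable(delayed, window_s=10))    # quick test misses it
    print(inspect_cable(delayed, window_s=300))   # longer watch catches it
```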

The realistic threat model for a normal person

It is worth being clear about who this attack is for and who it is not, because the news coverage tends to flatten the distinction.

The realistic threat is targeted. The attacker has decided in advance that you are the target - because you are a journalist, an executive at a company they want to breach, a public-sector official with access to information they want, an activist whose communications they want to read, or someone whose access to a specific system makes you a stepping-stone. They have invested in either modifying a port you are known to use, leaving a cable somewhere you will plug it in, or swapping a cable in your bag during a moment of physical access (a hotel cleaning visit, a checked-bag search at a border, a conference). For that threat model, the defenses in the previous section are not optional - they are the cost of doing the work.

For everyone else, the realistic threat is much lower. Mass attacks on public USB ports have not been documented at scale, because the economics do not favour them - the attacker has to compromise individual ports, the yield per compromised port is modest, and the kind of data a phone will surrender without unlocking is limited even before USB Restricted Mode is taken into account. The mainstream traveler who carries their own cable and their own charger, keeps USB Restricted Mode on (which is the default), and does not plug in random found objects is doing essentially all that needs to be done.

The cable category is one of the cases where the right response is neither "ignore the news" nor "buy a Faraday bag". It is to recognize that the threat exists, that the per-incident risk is low for most people, that the defenses are cheap, and that the small habits are worth adopting because they cost nothing.

A short checklist

  1. Use your own cables and your own charger. Bring them on every trip. The wall socket is fine; the unknown USB port is the question.
  2. Verify USB Restricted Mode is on (iPhone: Settings, Face ID and Passcode, Allow accessories when locked = OFF). On Android, leave the default USB mode at "Charging only" and unlock before changing.
  3. Carry a $15 USB data blocker for the cases where you have no choice but to use an unknown port. It is smaller than a coin and handles the whole public-port category.
  4. Keep a labeled power-only cable in your travel bag for when you want charging with zero data attack surface. Combined with a wall charger, this is the most defensive possible setup.
  5. Do not plug in found cables. Conference swag, hotel-room drawers, airport seat pockets, lost-and-found bins. The cable in your hand should be one you remember buying or one that came in the original device packaging.
  6. For high-stakes work, treat cables and ports the way you would treat USB sticks - never plug in anything you did not bring yourself, label everything, and consider a USB analyzer for genuine inspections.

Where this fits

Cable safety is the physical-layer version of a privacy posture whose other layers cover what travels on the wire once a connection is up. The conversation that survives long after the cable is unplugged is covered in the end-to-end-encryption piece. The question of what is left on the device when you press delete is covered in the delete piece. The second factor that protects the account a stolen cable might try to log into is covered in the passwords, MFA and passkeys piece. The cable itself is the first surface an attacker with physical proximity gets to touch, and treating it as the small computer it actually is closes the easiest opening in the chain.

Privvert's tools all run locally in the browser - no upload, no server in the middle, no cable required. The reasoning is on the privacy page, and the rest of the practical guides are on the blog.

How this article was written

Written by the Privvert team. Technical claims were checked against primary specifications and tested where possible; product behaviour was verified against current versions on the publication date; historical and news claims are sourced from named outlets, agency advisories, or primary documents. No part of this article was generated by an AI and posted as-is. Read the full editorial guidelines.
