The Madrid Metro had an adorable idea: install USB ports in the carriages so you can charge your phone during the journey. The blue sign proudly announces “Este tren es tu cargador” – this train is your charger. Nice, right?
Your CISO just spilled their coffee.
Because plugging your phone into an unknown USB port is a bit like accepting a USB stick found in a parking lot. We all know it’s a bad idea, and yet… a 4% battery has a remarkably persuasive power.
What exactly is juice jacking?
Juice jacking exploits a technical detail many people ignore: a USB cable carries both power AND data. When you plug your phone into a compromised public charging point, you potentially open a two-way highway into your device.
An attacker who has modified the port can, depending on sophistication, extract your contacts, photos, files, authentication tokens, or outright install malware in the background while you watch the stations go by. All silently. In under 3 minutes.
The threat is serious enough that both the FCC (Federal Communications Commission) and the FBI have published official warnings. The OWASP Mobile Top 10 also lists this attack vector among the most common mobile risks. This is not theory.
But the Madrid Metro is official, right?
Yes. And that’s exactly what makes it interesting.
A compromised official infrastructure is far more dangerous than a dodgy fake terminal stuck in a shady corridor. Why? Because you let your guard down. You trust the Metro logo. You don’t look twice at the USB port.
Maintaining and auditing every USB port in every carriage is… let’s say it’s not a public transport network’s top priority. Between keeping trains running and auditing USB ports, the choice is quickly made. A patient attacker knows this very well.
CISA (Cybersecurity and Infrastructure Security Agency) has specifically warned about this type of risk in public infrastructure. The OWASP Mobile Top 10 documents it as a recurring attack vector. Worth taking seriously.
Good habits, without going paranoid
Charge-only cable: USB cables exist that only carry power, not data. They cost next to nothing. Your IT department will thank you.
USB condom: yes, that’s really what it’s called. It’s a small adapter that physically blocks the data pins. Effective, discreet, easy to slip into a bag.
Power bank: the simplest and cleanest solution. You charge from your own source, full stop. Zero interaction with public infrastructure.
Trust mode: on iOS and Android, when you plug a cable into a new port, your phone asks if you trust the device. The right answer on a metro is no.
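A cheap "charge-only" cable or data blocker is only useful if it really leaves the data pins unconnected, and you can check that at home before trusting it on the metro. The script below is an added example, not part of the original article: it assumes a Linux machine you own, takes a snapshot of the USB devices the kernel has enumerated, and reports anything new that appears once the phone is plugged in through the accessory under test. The helper names and the fake sysfs tree are constructed for illustration.

```python
import os
import tempfile

SYSFS_USB = "/sys/bus/usb/devices"  # Linux sysfs view of enumerated USB devices

def usb_devices(root=SYSFS_USB):
    """Map each enumerated device (e.g. '1-2') to (idVendor, idProduct, product)."""
    def read(entry, attr):
        try:
            with open(os.path.join(root, entry, attr)) as fh:
                return fh.read().strip()
        except OSError:
            return None
    found = {}
    for entry in sorted(os.listdir(root)):
        vid, pid = read(entry, "idVendor"), read(entry, "idProduct")
        if vid and pid:  # interface entries such as '1-2:1.0' have no idVendor
            found[entry] = (vid, pid, read(entry, "product") or "unknown")
    return found

def newly_enumerated(before, after):
    """Devices that appeared after plugging in: proof the data pins are wired."""
    return {port: info for port, info in after.items() if port not in before}

def build_fake_sysfs(devices):
    """Constructed sample input: a throwaway directory laid out like sysfs."""
    root = tempfile.mkdtemp(prefix="fake-sysfs-")
    for entry, attrs in devices.items():
        os.makedirs(os.path.join(root, entry))
        for name, value in attrs.items():
            with open(os.path.join(root, entry, name), "w") as fh:
                fh.write(value + "\n")
    return root

if __name__ == "__main__":
    if not os.path.isdir(SYSFS_USB):
        raise SystemExit("needs Linux sysfs at " + SYSFS_USB)
    before = usb_devices()
    input("Plug the phone in through the cable or blocker under test, then press Enter ")
    new = newly_enumerated(before, usb_devices())
    for port, (vid, pid, name) in new.items():
        print(f"DATA PATH: {port} {vid}:{pid} {name}")
    print("cable passes data" if new else "nothing enumerated: power only")
```

If the phone charges but nothing new is listed, the accessory is doing its job; if a device shows up, that cable carries data and offers no protection on a public port.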
It’s not paranoia, it’s digital hygiene
The Madrid Metro was right to install these ports. It’s a genuine service. But between good intentions and regularly security-audited infrastructure, there’s a gap nobody really measures.
So enjoy the ride. Admire the station architecture. But keep your charge-only cable in your pocket.