ChoiceJacking: The New Threat Bypassing Mobile Security via Malicious Chargers

In the ever-evolving landscape of cybersecurity, a new and sophisticated attack method known as ChoiceJacking has emerged, posing significant risks to mobile device users. This technique enables malicious charging stations to compromise smartphones and tablets, effectively circumventing security measures that have been in place for over a decade.

Understanding Juice Jacking

To appreciate the severity of ChoiceJacking, it’s essential to understand its predecessor: juice jacking. First identified in 2011, juice jacking involves tampering with public USB charging stations or cables to access or steal data from connected devices. Attackers exploit the dual functionality of USB ports, which can transfer both power and data, to install malware or extract sensitive information without the user’s consent.

In response to this threat, Apple and Google implemented security measures starting in 2012. These included prompts requiring user consent before establishing a data connection, aiming to prevent unauthorized access. However, recent research indicates that these defenses contain critical design flaws, rendering them ineffective against advanced attacks like ChoiceJacking.

Introducing ChoiceJacking

Researchers at Graz University of Technology in Austria have unveiled ChoiceJacking, a novel attack that autonomously spoofs user consent to establish unauthorized data connections. By leveraging the USB protocol and exploiting operating system vulnerabilities, malicious chargers can inject input events that approve security prompts automatically, without the user’s knowledge.

Mechanics of the Attack

The ChoiceJacking attack unfolds in three primary stages:

1. Initial Connection: The victim connects their unlocked device to a compromised charger.

2. Input Event Injection: The charger masquerades as a USB keyboard, manipulating device settings and establishing a hidden secondary connection.

3. Data Access: The charger initiates a data connection and confirms access permissions through spoofed input events.

This method affects devices from eight major vendors, including all of the top six smartphone manufacturers by market share.

Detailed Attack Techniques

The researchers identified three specific techniques employed in ChoiceJacking:

1. Android Open Accessory Protocol (AOAP) Abuse: By exploiting improper handling of USB accessory mode, attackers can gain unauthorized data access.

2. Input Dispatcher Race Condition: Overloading Android’s input queue allows attackers to execute unauthorized commands while bypassing user prompts.

3. Bluetooth Pairing Exploitation: The charger enables Bluetooth on the victim’s device, pairs with it, and uses this hidden connection to accept file-sharing prompts without the user’s knowledge.

These methods have proven effective against multiple Android devices, with unauthorized access established in less than 30 seconds.

Patch Status and Affected Devices

Apple and Google have released updates to mitigate ChoiceJacking, and Samsung and Huawei track the related vulnerabilities under their own CVEs:

– Apple: The fix is included in iOS/iPadOS 18.4 and is associated with CVE-2025-24193.

– Google: The flaw is patched in Android 15, tracked under CVE-2024-43085.

– Samsung: The related vulnerability is registered as CVE-2024-20900.

– Huawei: Affected devices are listed under CVE-2024-54096.

While flagship devices from Apple and Google have been secured, many Android devices, especially those from third-party manufacturers and Samsung models using One UI 7, remain vulnerable due to delayed or incomplete adoption of new security requirements.

Practical Implications and User Recommendations

Although ChoiceJacking is a sophisticated and concerning threat, there are no known active attacks exploiting it in the wild. However, users of Android devices not updated to Android 15, or those with USB Debugging enabled, are at elevated risk. Enabling USB Debugging can allow an attacker shell-level access via Android Debug Bridge (ADB), leading to far greater compromise than standard file transfer exploits.

To minimize risk:

– Avoid Public USB Charging Stations: Use personal charging cables with wall adapters instead of public USB ports.

– Disable USB Debugging: Unless absolutely necessary, keep USB Debugging turned off.

– Keep Devices Updated: Ensure your device is running the latest operating system version with enhanced USB authentication.
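
For teams that manage many devices, the criteria above can be checked against a device inventory. The following Python sketch is an added example, not code from the researchers or any vendor: it flags devices below the patched releases named in this article (Android 15, iOS/iPadOS 18.4), Android devices with USB Debugging enabled, and non-Google Android 15 builds whose adoption of the new USB authentication should be verified. The inventory columns, the sample rows and the function names are assumptions made for illustration.

```python
import csv
import io

# Constructed sample inventory (e.g. an MDM export); not real devices.
SAMPLE_INVENTORY = """device_id,platform,vendor,os_version,usb_debugging
d-001,android,Google,15,false
d-002,android,Samsung,15,false
d-003,android,Xiaomi,14,true
d-004,ios,Apple,18.3.2,false
d-005,ios,Apple,18.10,false
d-006,android,Google,15,true
"""

# Patched releases named in the article.
PATCHED = {"android": (15,), "ios": (18, 4), "ipados": (18, 4)}


def parse_version(text):
    """Turn '18.3.2' into (18, 3, 2) so 18.10 compares above 18.4.
    Assumes purely numeric, dot-separated version strings."""
    return tuple(int(part) for part in text.strip().split("."))


def assess(row):
    """Return a list of ChoiceJacking risk findings for one inventory row."""
    findings = []
    platform = row["platform"].strip().lower()
    minimum = PATCHED.get(platform)
    if minimum is None:
        findings.append("unknown platform")
    elif parse_version(row["os_version"]) < minimum:
        findings.append("OS below patched release")
    elif platform == "android" and row["vendor"].strip().lower() != "google":
        # The article notes delayed or incomplete adoption on other vendors' builds.
        findings.append("verify vendor adopted USB authentication")
    if platform == "android" and row["usb_debugging"].strip().lower() == "true":
        findings.append("USB debugging enabled")
    return findings


def audit(inventory_csv):
    """Map device_id -> findings for every device with at least one finding."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return {r["device_id"]: f for r in reader if (f := assess(r))}


if __name__ == "__main__":
    for device, findings in audit(SAMPLE_INVENTORY).items():
        print(device, "; ".join(findings))
```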

The industry’s slow response to this vulnerability is partially due to concerns about user experience, as new protections require users to authenticate with a PIN, password, fingerprint, or face ID to authorize USB data connections, adding friction to previously simple tasks.

Conclusion

The discovery of ChoiceJacking underscores the evolving nature of cybersecurity threats and the importance of maintaining robust defenses. As attack techniques become increasingly sophisticated, users must remain vigilant and adopt best practices to protect their devices and personal information.