A team of cybersecurity researchers from the Institute of Information Security and A-SIT Secure Information Technology Centre Austria has unveiled a new class of USB-based attacks on mobile devices, dubbed “ChoiceJacking.”
This attack revives and surpasses the notorious “juice jacking” threat from a decade ago, which prompted Apple and Google to introduce user confirmation prompts before allowing data transfers over USB.
ChoiceJacking, however, exposes fundamental flaws in these very mitigations, enabling malicious hackers to autonomously bypass user consent and compromise both Android and iOS devices.
How ChoiceJacking Works:
ChoiceJacking exploits the dual-use nature of USB ports on mobile devices, which serve both charging and data transfer functions.
The attack leverages the assumption built into current mobile operating systems that an attacker cannot inject input events (such as fake button presses) during the establishment of a data connection.
The researchers demonstrated that this assumption is false in practice, revealing three distinct attack techniques that manipulate USB protocols and input channels to trick devices into allowing unauthorized data access.
Key Attack Techniques:
- Technique 1 (Platform-agnostic): The malicious charger initially presents itself as a USB keyboard, sending commands to the device to enable Bluetooth and pair with a hidden Bluetooth keyboard embedded in the charger. This secondary channel is then used to confirm the data transfer prompt, all without user interaction. This method works on both Android and iOS.
- Technique 2 (Android-specific): The charger floods the device with keystrokes as a fake USB keyboard, overwhelming the input buffer. When the charger switches roles to a USB host and triggers the data transfer prompt, the leftover keystrokes automatically confirm the prompt, granting data access.
- Technique 3 (Android-specific, exploiting AOAP): The charger abuses flaws in the Android Open Accessory Protocol (AOAP) to simultaneously act as a USB host and input device, injecting the necessary confirmation keystrokes at the right moment to enable file transfer modes such as MTP (Media Transfer Protocol), PTP (Picture Transfer Protocol), or even ADB (Android Debug Bridge) for code execution.
These attacks can be executed in as little as 133 milliseconds—faster than a human blink—making them virtually undetectable to users.
For stealthier operations, the researchers also demonstrated a power line side-channel: the charger monitors power usage patterns to identify moments when the user is not looking at the device, such as during phone calls, and launches the attack then.
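The following Python model is an added illustration, not the researchers' code or any vendor's implementation. It captures the design flaw behind Techniques 1 and 2 from the defender's side: a consent prompt that answers itself from whatever input is already queued, versus one that discards events queued before the prompt was drawn and accepts only a touch-class source that a charger cannot emulate over USB or Bluetooth HID. The event sources, timestamps and queue contents are constructed for the demo.

```python
"""Model of a USB data-transfer consent prompt under two input policies.

Added illustration (not from the paper or any vendor). Event sources,
timestamps and queue contents are constructed sample data.
"""
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

@dataclass(frozen=True)
class InputEvent:
    ts_ms: int      # time the OS received the event
    source: str     # "usb_hid", "bluetooth_hid" or "touchscreen" (constructed labels)
    key: str        # key or gesture name

# Inputs that would dismiss the prompt in the affirmative.
CONFIRM_KEYS = {"enter", "space", "tap_allow"}

def naive_prompt(queue: Iterable[InputEvent],
                 shown_at_ms: int) -> Tuple[str, Optional[InputEvent]]:
    """Flawed policy: the first confirm key anywhere in the queue answers the
    prompt, regardless of when it arrived or which device produced it."""
    for ev in queue:
        if ev.key in CONFIRM_KEYS:
            return "allowed", ev
    return "no_answer", None

def hardened_prompt(queue: Iterable[InputEvent], shown_at_ms: int,
                    trusted_sources: Tuple[str, ...] = ("touchscreen",)
                    ) -> Tuple[str, Optional[InputEvent]]:
    """Hardened policy: drop everything queued before the prompt was drawn
    (the user could not have seen it yet) and accept only sources that a
    USB or Bluetooth keyboard emulator cannot impersonate."""
    for ev in queue:
        if ev.ts_ms < shown_at_ms:
            continue  # stale: pre-prompt keystroke flood
        if ev.source not in trusted_sources:
            continue  # keyboard-class input must not grant data access
        if ev.key in CONFIRM_KEYS:
            return "allowed", ev
    return "no_answer", None

def constructed_flood(n: int, start_ms: int = 0,
                      source: str = "usb_hid") -> list:
    """Constructed sample: n 'enter' presses queued before the prompt appears."""
    return [InputEvent(start_ms + i, source, "enter") for i in range(n)]

def scenario(prompt_fn, flood_source: str = "usb_hid"):
    """Run one policy against a pre-prompt flood followed by a real user tap.
    Returns (verdict_on_flood_only, verdict_after_user_tap)."""
    prompt_shown = 100
    queue = constructed_flood(50, source=flood_source)
    flood_only = prompt_fn(queue, prompt_shown)[0]
    # A genuine user tap on the Allow button, after the prompt was drawn.
    queue.append(InputEvent(prompt_shown + 50, "touchscreen", "tap_allow"))
    with_tap = prompt_fn(queue, prompt_shown)[0]
    return flood_only, with_tap

if __name__ == "__main__":
    for name, fn in (("naive", naive_prompt), ("hardened", hardened_prompt)):
        for src in ("usb_hid", "bluetooth_hid"):
            print(name, src, scenario(fn, src))
```

The hardened variant applies two independent checks: the timestamp cut-off defeats a pre-queued keystroke flood on its own, and the source restriction also covers a confirmation injected later over a paired Bluetooth keyboard, which a timestamp check alone would not stop.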
Impact and Industry Response
The research team tested ChoiceJacking on 11 current-generation devices from eight major vendors, including Samsung, Apple, Google, Xiaomi, Oppo, Vivo, Huawei, and Honor.
They successfully extracted sensitive files—photos, documents, app data—from all tested devices. Notably, for two vendors (Honor and Oppo), the attack worked even when the device was locked.
On Xiaomi devices, the attack could enable ADB access, granting shell-level control even if developer mode was not previously enabled.
Public charging stations in airports, hotels, cafes, and other high-traffic venues are the primary risk vector, as attackers can easily swap or tamper with chargers in these environments.
The researchers responsibly disclosed their findings to all affected vendors.
Google, Samsung, Xiaomi, and Apple have acknowledged the vulnerabilities and are in the process of rolling out mitigations, including new CVEs (CVE-2024-43085 for Google and CVE-2024-20900 for Samsung).
ChoiceJacking demonstrates that the security of mobile devices at public charging stations remains a pressing concern.
Users are advised to avoid public USB charging ports and use their own chargers or USB data blockers until comprehensive fixes are deployed across all platforms.
