
Beware of Juice Jacking: New Research Reveals Major Security Flaw in Phone Charging

4/28/2025
A new study reveals that the juice jacking protections on iOS and Android devices can be easily bypassed, exposing users to significant data theft risks. Learn how malicious chargers can exploit these vulnerabilities.

Understanding the Risks of Juice Jacking: A Comprehensive Overview

Approximately a decade ago, Apple and Google began enhancing their respective operating systems, iOS and Android, to mitigate risks associated with a security threat known as “juice jacking.” This form of cyber attack can stealthily steal data or execute malicious software when users connect their devices to compromised charging stations. Recent research has revealed that the protective measures implemented by these tech giants contain significant weaknesses that make them easy to bypass.

The Evolution of Juice Jacking

The term “juice jacking” was first popularized in a 2011 article by KrebsOnSecurity, which described an attack showcased at the Defcon security conference. This attack involves tampering with charging hardware to covertly access a mobile device's files and internal resources, mimicking how a computer interacts with a phone. Cybercriminals can deploy these modified chargers in public spaces such as airports and shopping malls, offering users a seemingly safe way to recharge their devices while secretly downloading sensitive information or executing harmful code.

Initial Mitigations by Apple and Google

Starting in 2012, Apple and Google introduced countermeasures aimed at combating juice jacking. These measures required users to confirm any attempt by a computer or a charger posing as a computer to access their files or execute code on their devices. This approach was based on a critical aspect of the USB protocol, which stipulates that a USB port can function as either a “host” or a “peripheral” device, but not both simultaneously.

In practical terms, this means that a mobile device can either act as the host for connected peripherals, such as thumb drives or keyboards, or as a peripheral hosted by a computer or malicious charger. This architecture was believed to provide a robust defense against unauthorized access.

New Discoveries: The ChoiceJacking Attack

Researchers from the Graz University of Technology in Austria have recently discovered a flaw in this defense strategy. Their findings reveal that the original assumption—that USB hosts cannot autonomously inject input to approve confirmation prompts—is fundamentally flawed. The researchers introduced a new attack vector known as ChoiceJacking, the first known method to bypass existing juice jacking mitigations.

In their upcoming paper for the Usenix Security Symposium in Seattle, the researchers assert that the trust models in both iOS and Android present exploitable loopholes that attackers can leverage. They outline a platform-agnostic attack principle along with three specific techniques applicable to both operating systems, allowing malicious chargers to spoof user input and establish unauthorized data connections.

Vulnerabilities in USB Security

The alarming reality is that the attackers can gain access to sensitive user files—such as photos, documents, and app data—on devices from all tested manufacturers, including the six leading brands by market share. In response to these findings, Apple released an update for iOS/iPadOS 18.4 that now requires user authentication via a PIN or password before granting access to files. Meanwhile, Google also updated its confirmation process with the release of Android 15 in November. However, due to the fragmentation of the Android ecosystem, many devices remain vulnerable to the ChoiceJacking attack.

Mechanisms of the ChoiceJacking Attack

The ChoiceJacking methods work by manipulating the USB connection and exploiting various weaknesses in mobile operating systems. The charger behaves as a USB host to trigger the confirmation prompt, and subsequently exploits system vulnerabilities to autonomously inject input events—effectively clicking buttons or entering text as if the user were interacting with the device.

One specific variant of the ChoiceJacking attack involves the charger initially acting as a USB keyboard, sending keystrokes to navigate the device's settings and establish a Bluetooth connection using a secondary hidden keyboard within the malicious charger. By executing a series of USB Power Delivery (PD) Data Role Swaps, the charger can ultimately gain file access consent.

Implications for Android Users

For Android devices, three distinct ChoiceJacking techniques have been identified. The first exploits the Android Open Accessory Protocol (AOAP), allowing a USB host to act as an input device. The second technique manipulates a race condition in the Android input dispatcher, flooding it with crafted input events. These techniques can lead to unauthorized access to files on any device that has not been properly updated or configured.

Many Android devices, especially older models or those running custom software interfaces, remain at risk due to the delayed implementation of necessary security updates. The researchers have warned that the slow response from manufacturers may stem from concerns about the impact of stricter security measures on user experience.

The Importance of User Awareness

The most significant threat posed by ChoiceJacking is to Android devices with USB Debugging enabled. This option, often activated by developers for troubleshooting, can be exploited to gain shell access through the Android Debug Bridge. Once a device is compromised, attackers can install apps, access the file system, and execute malicious files. This level of access goes far beyond the limited access available through standard file transfer protocols.

In light of these findings, users are urged to remain vigilant when connecting their devices to public chargers and to consider disabling USB Debugging unless absolutely necessary. The growing prevalence of juice jacking underscores the need for ongoing awareness and proactive security measures to protect personal data.
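For teams that manage Android devices, the two exposures described above (an OS release older than Android 15, and USB Debugging left on) can be checked from a device's `getprop` output. The following is an added example, not code from the article or the researchers; the sample dumps are constructed, and it assumes the inventory includes the `ro.build.version.sdk` and `sys.usb.config` properties.

```python
import re

ANDROID_15_API = 35  # Android 15 is API level 35
_PROP = re.compile(r"^\[([^\]]+)\]:\s*\[(.*)\]$")


def parse_getprop(dump):
    """Parse `getprop` lines of the form "[key]: [value]" into a dict."""
    props = {}
    for line in dump.splitlines():
        m = _PROP.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def assess(props):
    """Return findings for the two Android exposures the article names."""
    findings = []
    try:
        api = int(props.get("ro.build.version.sdk", ""))
    except ValueError:
        api = None
    if api is None:
        findings.append("unknown-os-version")
    elif api < ANDROID_15_API:
        # Predates the release in which Google changed the confirmation flow.
        findings.append("pre-android-15-usb-prompt")
    # Assumption: API >= 35 is necessary but not sufficient; vendor builds
    # may lag, so a clean result here still needs vendor confirmation.
    # sys.usb.config lists the active USB functions, e.g. "mtp,adb".
    if "adb" in props.get("sys.usb.config", "").split(","):
        findings.append("usb-debugging-enabled")
    return findings


# Constructed sample dumps (not captured from real devices).
SAMPLE_OLD = "[ro.build.version.sdk]: [33]\n[sys.usb.config]: [mtp,adb]\n"
SAMPLE_NEW = "[ro.build.version.sdk]: [35]\n[sys.usb.config]: [mtp]\n"

if __name__ == "__main__":
    for name, dump in (("old", SAMPLE_OLD), ("new", SAMPLE_NEW)):
        print(name, assess(parse_getprop(dump)))
```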
