Anonymity Data Theft while Charging.


Fixxx


Can your photos and other data be downloaded or erased from your smartphone while it charges at a public charging station, for example on public transport, at a clinic or at the airport? Despite manufacturers' precautions, this can sometimes happen. The idea of such attacks was first considered in 2011: if an innocuous-looking USB charging port not only supplies electricity but also contains a hidden computer, it can connect to a smartphone in data transfer mode (Media Transfer Protocol, MTP, or Picture Transfer Protocol, PTP) and download some information from the device. This attack was named Juice-Jacking, and Google and Apple quickly devised a defense: when connecting to a device that supports MTP/PTP, the smartphone asks whether to transfer data or just charge. For many years, this simple precaution removed the issue from the agenda, but in 2025, researchers from Graz University of Technology discovered that this protection method could be bypassed.


ChoiceJacking Attack

In new attacks, a malicious device disguised as a charging station itself confirms that the victim "wants" to connect in data transfer mode. Depending on the manufacturer and OS version, there are three variations of the attack. All of them circumvent one limitation of the USB protocol: a device cannot simultaneously connect as a host (computer) and a peripheral (mouse or keyboard).
  • The first variation of the attack, effective for both iOS and Android, is the most complex to implement. A microcomputer must be disguised as a charging station, capable of connecting to the smartphone as a USB keyboard, a USB host (computer) and a Bluetooth keyboard. When the smartphone is connected, the malicious charging station pretends to be a USB keyboard and sends commands to enable Bluetooth and connect to a Bluetooth device on the smartphone: the same malicious device, which now also pretends to be a Bluetooth keyboard. After this, the attacking system reconnects to the smartphone via USB, but now as a computer. A prompt appears on the screen asking whether to enable data transfer mode, and the attacking device sends confirmation using the Bluetooth keyboard.
  • The second variation of the attack, for Android only, doesn't require a Bluetooth connection. The malicious charger pretends to be a USB keyboard and sends a large number of "key presses" to the smartphone, overflowing the smartphone's keyboard buffer. While the operating system responds to all these meaningless key presses, the charger disconnects and reconnects as a computer. A prompt appears asking "in what mode to connect", and just as the keyboard queue ends, a key combination corresponding to consent for data transfer mode (MTP, PTP or even ADB debugging) is recorded at the end.
  • The third variation of ChoiceJacking for Android is based on the fact that all verified smartphones incorrectly implement the Android Open Accessory Protocol (AOAP) standard. The attacking device immediately connects to the smartphone as a computer, and when the confirmation screen appears, it sends the necessary keyboard events via AOAP. According to the standard, simultaneous operation in USB host and AOAP modes is prohibited, but in practice this prohibition is not enforced.

Which Devices Are Protected from USB ChoiceJacking

Apple and Google have blocked these attack methods in updates to iOS/iPadOS 18.4 and Android 15. Now, to confirm data transfer via USB, it's necessary not just to press "Yes", but to undergo biometric authentication or enter a password. Unfortunately, in Android, the version of the OS doesn't guarantee that the smartphone is not vulnerable. For example, Samsung devices using the One UI 7 interface don't request authentication even after updating to Android 15. Therefore, Android device owners who have updated to Android 15 are advised to connect their smartphones to a known safe computer via cable and check whether they need to confirm the connection with a password or biometrics. If not, avoid public charging stations.


How Serious Is This

Although law enforcement occasionally warns about USB data theft attacks, real attacks have never been publicly described. This doesn't mean they have not occurred, but the threat is clearly not widespread. Those who fear such attacks should charge only from their trusted charger or a power bank, or use USB blockers: adapters that allow only electricity to pass through the cable to the smartphone, cutting off data transmission. This adapter, also known as a "USB Condom", is 100% effective but may slow down the charging of modern smartphones because it doesn't pass the data needed for Quick Charge negotiation. A cheap "charging-only" USB cable, which doesn't transmit data, can also suffice, but it must first be tested on a trusted computer to ensure that no data transfer prompt appears on the smartphone screen, and then it must be carried around all the time. And you will have to forget about Quick Charge. The most important and widespread protection will be updating to the latest versions. If you find yourself in a situation with an outdated OS on your smartphone, without a blocker, and you really need to charge from the nearest USB port, just be attentive while charging: when connecting, watch the phone's screen, and if it doesn't just start charging but offers a choice of connection type, select "charging only".

Recommendations
  • Use only the "Charging Only" mode.
  • Carry your own cable and power adapter (connect to a wall outlet rather than someone else's USB port).
  • Use USB protection (USB Condom) - a special adapter that disables data transmission contacts.
  • Don't unlock your phone when connected to a public charging station.
  • Enable USB-OTG protection (in Android, found in developer settings).
  • Use a power bank instead of public charging stations.
And never connect to free/unsecured Wi-Fi networks!
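
The ChoiceJacking pattern described in this post (a peer that acts as a keyboard, then reappears as a computer and has the data-transfer prompt confirmed by something other than the user) expressed as detection logic. This is an added example, not part of the original post or of the researchers' work; the event schema, role names and the `WINDOW` and `FLOOD` thresholds are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Hypothetical event schema constructed for this example (not a real OS log).
@dataclass
class Event:
    t: float     # seconds since the cable was plugged in
    kind: str    # "attach", "input", "prompt" or "consent"
    detail: str  # peer role for "attach", event source otherwise

WINDOW = 30.0  # assumed: max seconds between the two roles of one peer
FLOOD = 200    # assumed: external key events that count as a flood

def assess(events):
    """Return the findings for one charging session (events oldest first)."""
    findings = []
    hid_seen_at = None  # last time the peer presented itself as a keyboard
    prompt_open = False
    external_keys = 0
    for e in events:
        if e.kind == "attach" and e.detail.endswith("-hid"):
            hid_seen_at = e.t
        elif e.kind == "attach" and e.detail == "usb-host":
            # A charger has no reason to be a keyboard and then a computer.
            if hid_seen_at is not None and e.t - hid_seen_at <= WINDOW:
                findings.append("role-swap")
        elif e.kind == "input" and e.detail != "touchscreen":
            external_keys += 1
        elif e.kind == "prompt":
            prompt_open = True
        elif e.kind == "consent" and prompt_open:
            prompt_open = False
            # Patched systems accept consent only with biometrics or password.
            if e.detail != "touchscreen+auth":
                findings.append("unauthenticated-consent:" + e.detail)
    if external_keys >= FLOOD:
        findings.append("key-flood")
    return findings

def sample_sessions():  # constructed sessions, not captured data
    own_pc = [Event(0.0, "attach", "usb-host"), Event(0.5, "prompt", "mtp"),
              Event(4.0, "consent", "touchscreen+auth")]
    flood = [Event(0.2, "attach", "usb-hid")]
    flood += [Event(0.3, "input", "usb-hid")] * 300
    flood += [Event(1.0, "attach", "usb-host"), Event(1.1, "prompt", "mtp"),
              Event(1.2, "consent", "usb-hid")]
    bluetooth = [Event(0.2, "attach", "usb-hid"), Event(0.4, "input", "usb-hid"),
                 Event(5.0, "attach", "bt-hid"), Event(6.0, "attach", "usb-host"),
                 Event(6.2, "prompt", "mtp"), Event(6.5, "consent", "bt-hid")]
    return {"own_pc": own_pc, "flood": flood, "bluetooth": bluetooth}
```

Calling `assess` on each entry of `sample_sessions()` shows that a trusted computer confirmed with authentication yields no findings, while the other two sessions are flagged.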
 