Tuesday

04-29-2025 Vol 1945

Researchers Uncover Vulnerabilities in Juice Jacking Protections for iOS and Android Devices

A recent study has revealed serious weaknesses in the protections designed to shield iOS and Android users from a rare but real threat known as ‘juice jacking.’

This term was first introduced in 2011 by KrebsOnSecurity when it showcased an attack demonstrated at a Defcon security conference.

Juice jacking typically occurs when users plug their phones into malicious charging devices disguised as legitimate chargers, potentially enabling attackers to steal sensitive data or run harmful code without the victim’s knowledge.

Both Apple and Google launched efforts starting in 2012 to combat juice jacking by requiring user confirmation before giving any external device access to the phone’s files or executing code on the device.

This measure was based on a foundational aspect of the USB protocol stating that a device cannot function simultaneously as a host and a peripheral.

Thus, at any given moment, a mobile phone could either provide access to its internal resources as a host (e.g., connecting to a thumb drive) or be a peripheral of an external device, such as a computer or malicious charger.

However, researchers from Graz University of Technology in Austria recently found that years of mitigations aimed at reducing the juice jacking threat have been fundamentally flawed.

Their research indicates that the assumptions underlying both Apple’s and Google’s countermeasures—that a USB host cannot provide input that automatically approves user consent—do not hold in practice.

The researchers introduced a novel attack termed ChoiceJacking, which cleverly circumvents the existing juice jacking defenses.

In their upcoming paper for the Usenix Security Symposium in Seattle, they noted that the current mitigations underestimated an attacker’s ability to autonomously inject input events during the establishment of a data connection.

The research team presented a platform-independent attack method along with three specific techniques tailored for both Android and iOS, allowing malicious chargers to spoof user input seamlessly.

In their tests, they successfully gained access to sensitive files on all devices from eight manufacturers, including the six leading models in terms of market share.

In response to these findings, Apple rolled out updates in the latest version of iOS and iPadOS 18.4, enhancing the confirmation dialogs to require user authentication via a PIN or password for file access approval.

Simultaneously, Google released its update in November, adjusting its confirmation mechanisms to address the vulnerabilities exposed by the researchers.

While these security improvements seem effective in their latest releases, the heterogeneous nature of the Android ecosystem means that numerous devices remain exposed to ChoiceJacking.

The researchers highlighted that all three types of ChoiceJacking attacks easily bypass the original defenses Apple and Google implemented against juice jacking.

In one variant that affects both platforms, the malicious charger initially operates as a USB keyboard, inputting keystrokes to the device, including complex commands to navigate system setting screens.

Through the USB Power Delivery technology unique to modern USB-C connectors, the charger manipulates connections, enabling it to switch roles from peripheral to host.

Once it has become the host, the charger triggers the file access consent dialog on the device and confirms that dialog through the Bluetooth pairing it set up, so the data connection is approved without the owner’s involvement.

A step-by-step breakdown of the attack shows that it establishes a data connection to the mobile device within 25 to 30 seconds, depending on the model, giving the attacker unauthorized access.

In total, the procedure details how the charger initially connects, invokes a Data Role Swap, ensures Bluetooth accessibility, and successfully completes authorization to gain data access.

Two additional ChoiceJacking techniques only apply to Android’s specific protections implemented by Google.

The first exploits the Android Open Access Protocol, which allows a USB host to behave as an input device when invoking accessory mode.

All tested devices, however, deviated from the protocol specification, and that deviation is what makes this attack so effective.

The second method capitalizes on a race condition within the Android input dispatcher, flooding it with inputs to disrupt normal processing and facilitate unauthorized data connection approval.

According to the researchers, while Apple and Google effectively fortified certain devices from ChoiceJacking vulnerabilities, many Android brands are still unprotected due to slower update rollouts.

Specifically, devices using older versions of Android or those manufactured by companies like Samsung, which do not implement the required user authentication protocols, remain at risk.

Florian Draschbacher, the lead author of the paper, pointed out that manufacturers were notified over a year ago, and attributed the slow response to a deeper issue in the USB trust model of mobile operating systems.

Any change to that model risks degrading the user experience, something manufacturers tend to avoid, so fixes are delayed.

Among the risks posed by ChoiceJacking, Android devices with USB debugging enabled are particularly exposed.

This setting is often activated by developers needing access for troubleshooting or by non-developers to sideload apps and recover devices.

If a device is compromised while in USB Debugging mode, attackers can gain shell access via the Android Debug Bridge, dramatically increasing their level of access to the phone’s system and files.

Given these findings and the vulnerabilities still present in many devices, users should remain aware of the risks of public charging stations, particularly in high-traffic areas.

As both iOS and Android platforms continue to adapt to these security challenges, user vigilance and timely software updates will remain vital in the ongoing battle against such vulnerabilities.

Image source: https://arstechnica.com/security/2025/04/ios-and-android-juice-jacking-defenses-have-been-trivial-to-bypass-for-years/

Charlotte Hayes