ChoiceJacking: Researchers Bypass​ Mobile Defenses with Novel USB Attack

⁢While wireless data transfer has become commonplace, many smartphone users ⁤still rely on USB connections for charging via chargers, cars,‍ or laptops.​ Security researchers ​have uncovered a complex method to exploit these USB connections ⁢to extract data from devices,despite existing security measures.

The Evolution of Juice Jacking

​ ⁢ ⁢The threat of ‌malicious‍ chargers compromising devices, known as​ “Juice jacking,” isn’t‍ new.⁢ Security journalist Brian Krebs popularized ‍the ⁣term in‍ 2011, referencing a presentation at the ‍Defcon 19 hacker conference where public charging stations were rigged to display warning messages on connected smartphones.
⁢ ⁢

Countermeasures and Their Shortcomings

In response⁢ to the initial ⁤”Juice Jacking”⁢ threat, Apple and Google implemented safeguards, including warning prompts and confirmation dialogs when new USB devices are connected. They also patched security vulnerabilities in⁣ their mobile ‌operating systems to‌ prevent ⁣malware spread through this method.
⁢ ⁢

ChoiceJacking: A New Attack⁣ Vector

researchers Florian⁣ Draschbacher and Lukas Maar ⁣from TU graz ​in Austria have discovered a new technique, dubbed “ChoiceJacking,” that can circumvent some of these ‌defenses. Their method leverages a fake Bluetooth⁤ input device to⁢ manipulate the⁣ USB connection process.
⁣

⁢⁣ ‍ According to their findings, while iOS and Android ⁤prevent a‌ newly ‌connected USB device from immediately⁣ accessing data, the researchers found a way to bypass this⁢ restriction.
‍

Draschbacher and ‌Maar⁢ exploited this by establishing a Bluetooth connection to ⁣a prepared input device. This device then initiates a USB data query in a fraction ⁣of a second,effectively ‍”hijacking” ⁣the user’s ⁤choice to allow or deny the connection. this is⁤ facilitated by the USB ⁢Power Delivery (PD) mode,which allows for flexible role-switching ‍between the charging device and the host device.

Limitations and User Interaction

⁢ ‍ ⁣ The‍ “ChoiceJacking” technique isn’t foolproof. It requires the smartphone screen to be unlocked and is ⁢ineffective when the device ⁢is in a “Before First Unlock” (BFU) state. Though, ‌the researchers noted that users frequently enough interact with their phones while charging, making them less likely to notice the brief⁤ popup window ‌(lasting only 0.07 seconds in ​their tests)⁢ and prevent the attack.
​ ⁢

Patching the Gaps:⁣ Updates‌ and Vulnerabilities

The TU Graz researchers discovered that devices ⁤from Samsung,Xiaomi,and ‌Huawei,in addition to apple and Google devices,were susceptible to “ChoiceJacking.” Some devices remain vulnerable ⁤due to delayed updates. Furthermore,‌ not all vulnerabilities have been addressed in android 15, with some fixes perhaps slated ‍for a future version.

​ ‌ apple’s iOS 18.4 includes patches addressing USB implementation vulnerabilities and introduces an additional security measure.‌ Users are now required to unlock their devices with ⁤a PIN or‍ biometric authentication ‍to authorize USB data transfer.

⁤ ⁢ ⁤ Draschbacher suggests that the slow response to patching these vulnerabilities stems from a basic issue within the USB​ trust model of mobile operating ⁤systems, rather than simple programming errors.
​

As a temporary safeguard, users can employ a USB ‌data blocker, an intermediary device that physically interrupts ‌data connections.
​

​ Draschbacher and Maar presented their “ChoiceJacking” research at Black Hat Asia and at the Usenix Security Symposium.

choicejacking: Understanding the New Threat to Your Smartphone

Are you concerned about ⁣the ‍security of your smartphone when you⁣ plug it in to charge? You’re not⁣ alone. Security researchers have discovered a new attack method called “ChoiceJacking” that exploits USB connections to potentially access your data. Let’s dive into the details.

What is⁢ ChoiceJacking?

choicejacking is a⁢ new type of cyberattack that exploits vulnerabilities in how smartphones handle USB ⁣connections. It allows attackers to bypass security measures and potentially extract data from your device when⁣ it’s plugged into ‍a malicious charger.

How Does ChoiceJacking Work?

Researchers Florian Draschbacher and Lukas Maar from TU Graz in Austria discovered that ChoiceJacking uses a clever technique to manipulate the ⁣USB‍ connection process. Here’s a simplified breakdown:

1. The Setup: An attacker sets up a charging device (like a wall charger) ⁢that looks⁣ legitimate ‌but contains malicious components.
2. Bluetooth Trickery: The malicious charger establishes a Bluetooth connection to a prepared input device.
3. hijacking⁢ the Connection: This input device then rapidly initiates a USB data query, essentially “hijacking” your choice to allow or deny the connection. This happens so quickly (0.07 seconds⁤ in testing) that you might not even notice.
4. Data Access: Once the connection is established, the attacker could potentially ‍access data on​ your device.

What’s the Difference Between ChoiceJacking and Juice⁤ Jacking?

Juice Jacking is the older, more well-known threat. It involves malicious chargers that directly compromise your device when plugged in. ChoiceJacking is a‌ more refined evolution of this, circumventing some of the security measures put‌ in place to combat Juice Jacking.

What Security Measures Were in Place Before ⁣ChoiceJacking?

In response to the threat ​of Juice Jacking, Apple and Google implemented several safeguards:

Warning Prompts: ⁢ When you connect to a new USB device, you’re often presented with a warning.

Confirmation Dialogs: These dialogs ask you to confirm whether you ⁢want ⁤to allow data access.

Operating System ​Patches: Security updates were pushed out to​ fix vulnerabilities in mobile operating systems.

ChoiceJacking,however,found a way around some of these protections.

Which Devices Are Vulnerable⁤ to choicejacking?

The research from TU Graz found that devices from ‍several major manufacturers were susceptible to this attack, including:

⁣ Samsung

Xiaomi

Huawei

Apple

⁢ google

Is My Phone​ Protected? What About Android 15 and iOS 18.4?

While ChoiceJacking is a serious threat,‌ developers are actively working to patch vulnerabilities.

Android 15: While the source material notes that not all vulnerabilities have been addressed in​ Android 15, some fixes may be included in a future version.

iOS 18.4: apple’s iOS 18.4 includes patches that ‌address USB implementation vulnerabilities and implements a new security measure requiring users to unlock their devices with a PIN or biometric authentication to authorize USB data transfer.

What Are the Limitations of ChoiceJacking?

ChoiceJacking isn’t a perfect attack. Here are its limitations:

Screen Unlocked required: The phone screen needs to be unlocked for the attack to work.

BFU State Protection: The attack is ineffective if the device is in a “Before First Unlock” (BFU) state.

However, users often interact with their⁢ phones while charging, making them less ⁢likely to notice the⁢ very brief popup window that allows the attack⁤ to succeed.

How Can I Protect Myself From ChoiceJacking?

Here’s‌ how to protect your device⁢ from ChoiceJacking and similar attacks:

Be Careful Where You charge: ‍ Avoid using public USB charging stations.

Use⁢ Your Own Charger and Cable: Whenever possible,use your own charger and cable,especially in unfamiliar locations.

* USB Data Blockers: Consider using a USB‍ data blocker. This is‌ a small​ device that physically interrupts the data connection, allowing only power to pass through.

What ⁤is a USB Data Blocker and How Does it Work?

A USB data blocker is a small, inexpensive device that sits ⁣between your charging cable ⁣and your phone. It only⁣ allows⁣ power to pass