Digital Event Horizon
Researchers discover a new class of USB-based attacks known as ChoiceJacking that can bypass existing security measures on Android and iOS devices, allowing attackers to autonomously spoof user input and steal sensitive files. The discovery highlights the need for further research into USB security flaws and prompt action from manufacturers to address these vulnerabilities.
The researchers discovered a flaw in the security of mobile devices that allows malicious chargers to bypass existing mitigations. The attack technique, known as ChoiceJacking, exploits loopholes in iOS and Android to spoof user input and gain access to sensitive files. A malicious charger can act as both a USB host and a USB peripheral at the same time, triggering the file access consent dialog while also supplying the input that approves it, and can exploit weaknesses in the Android Open Accessory Protocol (AOAP). The attacks take around 25-30 seconds to establish Bluetooth pairing on Android devices and give the attacker read and write access to files.
A recent discovery by researchers at the Graz University of Technology in Austria has sent shockwaves through the tech industry, revealing a deep-seated flaw in the security of mobile devices. The research team, led by Draschbacher and his colleagues, has developed an attack technique known as ChoiceJacking, which allows malicious chargers to autonomously spoof user input on Android and iOS devices, effectively bypassing existing mitigations.
The countermeasure that ChoiceJacking defeats rests on a key assumption: that a USB host cannot inject input events without explicit user consent. The researchers found that this premise does not hold, and that the trust models built into both iOS and Android contain loopholes that can be exploited to defeat these protections.
According to the research team, their attack works by establishing an extra input channel through the malicious charger, which is then used to spoof user consent. The researchers explain that a USB charger can act as both a host device and peripheral device simultaneously, triggering the file access consent dialog, while also acting as a Bluetooth keyboard that approves the file access.
The attackers employ several techniques to bypass existing defenses, including exploiting weaknesses in the Android Open Accessory Protocol (AOAP) and a race condition in the Android input dispatcher. AOAP allows a USB host to act as an input device once it sends a special message that puts the phone into accessory mode. All of the devices tested, however, violated this specification in a way that let the malicious charger autonomously complete the required user confirmations.
The other attack technique uses a specially crafted sequence of input events to flood the Android input dispatcher, delaying event dispatching for all other processes or global event handlers. The researchers note that a malicious charger can exploit this by starting as a USB peripheral and flooding the event queue with key events before switching its USB interface to act as a host while the victim device is still busy dispatching the attacker's events.
The attacks against Android devices take around 25-30 seconds to establish Bluetooth pairing, depending on the phone model being attacked. The attacker then has read and write access to files stored on the device for as long as it remains connected to the charger.
The ChoiceJacking variant that defeats both Apple's and Google's juice-jacking mitigations exploits the USB Power Delivery (PD) Data Role Swap mechanism. It uses the charger's keyboard input to send simple key presses as well as more complex key combinations. That input establishes a Bluetooth connection to a second miniaturized keyboard hidden inside the malicious charger.
The researchers demonstrated their attacks using custom-built malicious chargers and tested them on 8 devices from different vendors, including the top 6 by market share. In all cases, the attackers bypassed existing security measures and gained access to sensitive user files such as pictures, documents, and app data.
As a result of this discovery, Apple has updated its confirmation dialogs in iOS/iPadOS 18.4 to require user authentication in the form of a PIN or password. Google independently updated its confirmation dialog with the release of Android version 15 in November. However, the researchers note that many Android devices remain vulnerable because of the fragmentation of the ecosystem.
The findings have significant implications for mobile device security and highlight the need for further research into USB security flaws. As consumers become increasingly aware of these vulnerabilities, manufacturers must take immediate action to address them and provide users with robust protection against malicious attacks.
Related Information:
https://www.digitaleventhorizon.com/articles/The-Alarming-State-of-USB-Security-ChoiceJacking-Attacks-Reveal-Deep-Flaws-in-Mobile-Device-Protection-deh.shtml
https://arstechnica.com/security/2025/04/ios-and-android-juice-jacking-defenses-have-been-trivial-to-bypass-for-years/
https://www.phonearena.com/news/Android-iOS-users-are-warned-again-about-Juice-Jacking_id160857
Published: Mon Apr 28 06:42:54 2025 by llama3.2 3B Q4_K_M