Most of us who travel will have occasionally paused before plugging a mobile phone into a public charging point. What if the port that is being used to supply electricity to the handset has been subverted by hackers who will use the connection between the port and the phone to upload malware and download personal data? Most people will take a chance if the alternative is that their phone battery will run dry.
Juicejacking was a genuine risk a decade ago but it was addressed by simple improvements to mobile operating systems. If a port says it supports a data transfer protocol, such as Media Transfer Protocol (MTP) or Picture Transfer Protocol (PTP), then the phone asks the user if they want to permit the transfer of data. However, researchers at Austria’s Graz University of Technology have discovered an update to juicejacking that they have named choicejacking. Their work concentrated on using malicious chargers to gain file access or code execution on mobile devices.
In a paper to be presented at next week’s Usenix Security Symposium, Florian Draschbacher, Lukas Maar, Mathias Oberhuber and Stefan Mangard detail a family of techniques that bypass the controls which are supposed to prevent juicejacking. Data transfer can now been initiated by impersonating the user input that permits transfers with legitimate USB and Bluetooth devices. These weaknesses affect Android and some iOS devices.
The tests succeeded in obtaining sensitive user files from devices made by all of the six largest vendors by market share. Two vendors, Oppo and Honor, sold devices that even allowed files to be extracted while the device was locked.
Per the researchers’ findings, compromised handsets can be forced to transfer data in a mere 133 milliseconds, although the average extraction time was a relatively languid one-third of a second. Instead of the user seeing a warning message pop up on their phone’s display, data is transferred before the user has any chance of detecting something is wrong. Even the most attentive user will only have a momentary flickering of their screen that indicates something unusual is happening. Personal files and photographs will have been copied from the victim’s device before they are able to rip the cable from their phone.
The researchers said their work…
…reveals an alarming state of USB security on mobile platforms.
Perhaps the scariest aspect of the weaknesses they found is that they can be exploited by ‘cheap’ chargers modified by hackers. Cost is a major factor in determining how bad actors exploit a vulnerability. Criminals will not spend willy-nilly on modifying charging ports around the world, but if the costs are low then there will be an adequate pay-off if they want to focus on places where very many people will seek to recharge their devices every day. Target locations will include airport departure lounges and city center cafés.
The vulnerabilities that were identified have been responsibly disclosed to all the vendors whose devices were tested. Google, Samsung, Xiaomi and Apple were among the vendors who said they would make changes to address the vulnerabilities. Google and Samsung have already assigned CVEs. However, one vendor was not responsive.
The Usenix paper, “Choicejacking: Compromising Mobile Devices through Malicious Chargers like a Decade ago”, can be seen here.



