20.5k unique visitors in the last 3 days

Choicejacking: A New Way to Compromise Mobile Phones through Public Charging Points

Researchers used cheap chargers to circumvent operating system controls and download files from phones in just one-third of a second.

Most of us who travel will have occasionally paused before plugging a mobile phone into a public charging point. What if the port that is being used to supply electricity to the handset has been subverted by hackers who will use the connection between the port and the phone to upload malware and download personal data? Most people will take a chance if the alternative is that their phone battery will run dry.

Juicejacking was a genuine risk a decade ago but it was addressed by simple improvements to mobile operating systems. If a port says it supports a data transfer protocol, such as Media Transfer Protocol (MTP) or Picture Transfer Protocol (PTP), then the phone asks the user if they want to permit the transfer of data. However, researchers at Austria’s Graz University of Technology have discovered an update to juicejacking that they have named choicejacking. Their work concentrated on using malicious chargers to gain file access or code execution on mobile devices.

In a paper to be presented at next week’s Usenix Security Symposium, Florian Draschbacher, Lukas Maar, Mathias Oberhuber and Stefan Mangard detail a family of techniques that bypass the controls which are supposed to prevent juicejacking. Data transfer can now been initiated by impersonating the user input that permits transfers with legitimate USB and Bluetooth devices. These weaknesses affect Android and some iOS devices.

The tests succeeded in obtaining sensitive user files from devices made by all of the six largest vendors by market share. Two vendors, Oppo and Honor, sold devices that even allowed files to be extracted while the device was locked.

Per the researchers’ findings, compromised handsets can be forced to transfer data in a mere 133 milliseconds, although the average extraction time was a relatively languid one-third of a second. Instead of the user seeing a warning message pop up on their phone’s display, data is transferred before the user has any chance of detecting something is wrong. Even the most attentive user will only have a momentary flickering of their screen that indicates something unusual is happening. Personal files and photographs will have been copied from the victim’s device before they are able to rip the cable from their phone.

The researchers said their work…

…reveals an alarming state of USB security on mobile platforms.

Perhaps the scariest aspect of the weaknesses they found is that they can be exploited by ‘cheap’ chargers modified by hackers. Cost is a major factor in determining how bad actors exploit a vulnerability. Criminals will not spend willy-nilly on modifying charging ports around the world, but if the costs are low then there will be an adequate pay-off if they want to focus on places where very many people will seek to recharge their devices every day. Target locations will include airport departure lounges and city center cafés.

The vulnerabilities that were identified have been responsibly disclosed to all the vendors whose devices were tested. Google, Samsung, Xiaomi and Apple were among the vendors who said they would make changes to address the vulnerabilities. Google and Samsung have already assigned CVEs. However, one vendor was not responsive.

The Usenix paper, “Choicejacking: Compromising Mobile Devices through Malicious Chargers like a Decade ago”, can be seen here.

Eric Priezkalns
Eric Priezkalnshttp://revenueprotect.com

During his career, Eric has been a Director of Risk Management for a national telco, the Chief Executive of the Risk & Assurance Group, a Chief Marketing Officer for a software business, a consultant, a public speaker and the publisher of Commsrisk since its launch in 2006. Look here for more about the history of Commsrisk and the role played by Eric.

The comms providers that Eric has worked for include Qatar Telecom, Cable & Wireless, T‑Mobile, Sky and Worldcom. In addition to his proficiency at speaking about the current scamdemic, Eric is also a qualified chartered accountant and a subject matter expert in consumer protection, enterprise risk management, fraud prevention, data integrity and billing accuracy. Eric was the lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He can be reached through the contact form on this website.

Related Articles

The Commsrisk Global Fraud Dashboard


Our Global Fraud Dashboard uses AI-powered search to collate, update and visualize data about scams and other network abuses from around the world. New charts are added each month. See it here.

Get Our Weekly Newsletter by Email