ChoiceJacking: Researchers bypass USB lock on Android and iOS

As security experts revealed at BlackHat Asia, they managed to steal data from smartphones via USB – and even wipe devices.


Although a lot of data now flies wirelessly to the cloud, smartphone users still often plug their devices into a charger, car or laptop via USB. Using a multi-stage trick, security experts have succeeded in tapping data from the devices through these docking points – even though this has supposedly been impossible for more than a decade. Florian Draschbacher and Lukas Maar from Graz University of Technology found a loophole in the USB implementation of Android and iOS.

Chargers that not only supply power but also tap into data or even install malware: this scenario is known as the "JuiceJacking" attack method. Back in 2011, security journalist Brian Krebs coined the catchy name for the method, which a group of security researchers had demonstrated with public charging kiosks at the DefCon 19 hacker conference. Anyone who connected their smartphone there saw a warning message on their screen.

Apple and Google responded with several countermeasures, primarily with warning messages and confirmation dialogs the first time a new USB device was connected. The manufacturers also fixed security gaps in the mobile operating systems to prevent malware from spreading via JuiceJacking.

However, the new variant, dubbed ChoiceJacking by its Austrian discoverers, can partially overcome these countermeasures. To do this, the Graz researchers use a second input channel, namely a likewise spoofed Bluetooth input device. As the PhD students discovered, iOS and Android did not allow a freshly plugged-in USB device to read out data, but they did allow it to inject input.

Draschbacher and Maar exploited this fact to establish a Bluetooth connection to the prepared input device. That device in turn swapped roles and confirmed a USB data-access prompt within a fraction of a second. Hence the name: the choice the user is supposed to make about allowing certain device connections is "hijacked" by the attack. This is made possible by USB Power Delivery (PD) mode, which allows the roles of the connected peripheral and the host device to be reversed.

This is how the malicious USB charger is designed. Arrows pointing in two directions indicate the role swap between host and peripheral device.

(Image: Draschbacher, F., Maar, L., Oberhuber, M., & Mangard, S. (Accepted/In press). ChoiceJacking: Compromising Mobile Devices through Malicious Chargers like a Decade ago. In Usenix Security Symposium 2025)

However, the procedure does not always work without the victim's help: the smartphone screen must not be locked, and the trick does not work when the device is switched off or in "Before First Unlock" (BFU) mode. But according to the Austrians, anyone who plugs their device into a terminal to charge it often continues to use it during charging and has no chance of seeing the pop-up, which in tests flashed up for only seven hundredths of a second, let alone of canceling it.
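The detail that the confirmation dialog is answered in about seven hundredths of a second, after a new input device was paired, is also the detection angle a defender can use. The following Python script is an added example written for this article, not tooling from the Graz researchers or from Google or Apple: it assumes a hypothetical device event log (the event names `input_device_paired`, `usb_data_prompt_shown` and `usb_data_prompt_accepted`, the timestamp format and the sample lines are all constructed) and flags prompts that were accepted faster than a human could react, enriched with whether an input device was paired shortly before.

```python
"""Heuristic detector for ChoiceJacking-style prompt hijacking.

Added example, not code from the article or the researchers. It assumes a
hypothetical event log of the form "<timestamp_ms> <event_kind> <detail>";
every event name and sample line below is constructed for this illustration.
"""
from dataclasses import dataclass
from typing import List, Optional

# A person needs well over 100 ms to perceive a dialog and tap a button; the
# attack described in the article confirms the prompt in about 70 ms.
# Anything below this threshold is treated as machine-generated input.
MIN_HUMAN_REACTION_MS = 150
# Look-back window for a freshly paired input device (the attack's second channel).
INPUT_DEVICE_WINDOW_MS = 10_000


@dataclass
class Event:
    ts_ms: int
    kind: str
    detail: str


@dataclass
class Finding:
    prompt_ts_ms: int
    accept_delay_ms: int
    input_device: Optional[str]  # detail of a recently paired input device, if any
    severity: str                # "medium" or "high"


def parse_log(lines: List[str]) -> List[Event]:
    """Parse the hypothetical log format, skipping blanks and '#' comments."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(" ", 2)
        detail = parts[2] if len(parts) > 2 else ""
        events.append(Event(int(parts[0]), parts[1], detail))
    return sorted(events, key=lambda e: e.ts_ms)


def analyse(events: List[Event]) -> List[Finding]:
    """Flag USB data prompts accepted faster than a human plausibly could.

    Severity is raised to "high" when an input device was paired within
    INPUT_DEVICE_WINDOW_MS before the prompt appeared, which matches the
    two-channel pattern (USB plus spoofed Bluetooth input) from the article.
    """
    findings: List[Finding] = []
    pending_prompt: Optional[Event] = None
    pairings: List[Event] = []
    for ev in events:
        if ev.kind == "input_device_paired":
            pairings.append(ev)
        elif ev.kind == "usb_data_prompt_shown":
            pending_prompt = ev
        elif ev.kind == "usb_data_prompt_accepted" and pending_prompt is not None:
            delay = ev.ts_ms - pending_prompt.ts_ms
            if delay < MIN_HUMAN_REACTION_MS:
                recent = next(
                    (p for p in reversed(pairings)
                     if 0 <= pending_prompt.ts_ms - p.ts_ms <= INPUT_DEVICE_WINDOW_MS),
                    None,
                )
                findings.append(Finding(
                    prompt_ts_ms=pending_prompt.ts_ms,
                    accept_delay_ms=delay,
                    input_device=recent.detail if recent else None,
                    severity="high" if recent else "medium",
                ))
            pending_prompt = None
    return findings


def scan(lines: List[str]) -> List[Finding]:
    return analyse(parse_log(lines))


# Constructed sample log: one benign charge-and-accept, one hijacked prompt.
SAMPLE_LOG = """
# constructed sample, not a real device log
1000 usb_attach role=device
5000 usb_data_prompt_shown source=usb
6800 usb_data_prompt_accepted via=touch
20000 usb_attach role=device
20500 input_device_paired bluetooth name=ConstructedKeyboard
21000 usb_data_prompt_shown source=usb
21070 usb_data_prompt_accepted via=keyboard
""".splitlines()

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.severity}] prompt at {f.prompt_ts_ms} ms accepted after "
              f"{f.accept_delay_ms} ms; recent input device: {f.input_device}")
```

Run over the constructed sample, the first prompt (accepted after 1.8 s by touch) is ignored, while the second is reported as high severity because it was confirmed 70 ms after appearing and a Bluetooth keyboard had been paired half a second earlier. The threshold is a heuristic, not a fix: the real mitigation is the one the article describes, requiring an unlock before a USB data connection is allowed.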


The researchers from Graz found further attack scenarios with which they were able to attack devices from Samsung, Xiaomi and Huawei in addition to Apple's and Google's own devices. Some of these are still vulnerable to ChoiceJacking because they have not yet received an update to a fixed Android version. In addition, not all of the attacks have been fixed in Android 15; Google will probably only patch some of them in the next version.

iOS 18.4 also patches the holes in Apple's USB implementation – and counters JuiceJacking with an additional security prompt. Users now have to unlock the device using a PIN or biometrics if they want to connect USB devices and allow them to transfer data. This is also the reason for the hesitant rollout of security patches, says Draschbacher: "The reason for this slow reaction is probably that it is not simply a programming error. Rather, the problem is more deeply rooted in the USB trust model of mobile operating systems. Changes here have an impact on user-friendliness, which is why manufacturers are hesitant." Anyone who wants to protect themselves in the meantime can use a USB data blocker, an adapter plug that interrupts the data lines, which is also sold in the heise store.

The discoverers presented ChoiceJacking at BlackHat Asia (presentation slides in PDF format) and have also placed their paper at this year's edition of the renowned USENIX Security Symposium (PDF version).

(cku)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.