275/68 Thursday, July 31, 2025

Cybersecurity researchers from Graz University of Technology in Austria have unveiled a novel attack technique called “Choicejacking,” which tricks smartphones into enabling USB data transfer without user consent, bypassing protections originally designed to prevent Juice Jacking attacks. By simply plugging a phone into a compromised public charger or USB cable embedded with this attack system, the phone is deceived into believing the user has manually approved data transfer, even though the user never touched the screen. The attack takes just 133 milliseconds, faster than the blink of an eye.
Unlike traditional malware-based attacks, Choicejacking doesn’t rely on installing malicious software. Instead, it emulates input devices such as keyboards or mice over USB or Bluetooth to send commands to the phone on the user’s behalf, such as granting data access or silently enabling developer mode. The victim remains unaware of the intrusion. Once access is gained, attackers can extract photos, read messages, or even install malicious software. While modern Android and iOS systems alert users to USB connections, Choicejacking can bypass these permission prompts entirely in certain scenarios.
Experts warn that public charging stations, such as those found in airports, hotels, and cafes, may pose hidden risks, especially when using chargers or cables that don’t belong to the user. To stay safe, individuals are advised to carry their own power banks, use wall outlets directly, enable “charge only” mode if available, and keep their devices updated with the latest software to mitigate newly discovered vulnerabilities. This technique will be officially presented at the 34th USENIX Security Symposium in August 2025, highlighting how attackers continue to innovate deceptive tactics to exploit users.
Source: https://hackread.com/choicejacking-attack-steals-data-phones-public-chargers/