{"id":24126,"date":"2025-05-27T06:54:27","date_gmt":"2025-05-27T10:54:27","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/?p=24126"},"modified":"2025-05-27T14:59:51","modified_gmt":"2025-05-27T10:59:51","slug":"data-theft-during-charging-choicejacking-protection","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/data-theft-during-charging-choicejacking-protection\/24126\/","title":{"rendered":"Data theft during smartphone charging"},"content":{"rendered":"<p>Can your photos and other data be downloaded or erased from your smartphone while it\u2019s charging from a public charging port \u2014 on public transport, in a clinic, at the airport, and so on? Despite manufacturers\u2019 safety measures, it\u2019s sometimes possible.<\/p>\n<p>Hackers first came up with such attacks <a href=\"https:\/\/krebsonsecurity.com\/2011\/08\/beware-of-juice-jacking\/\" target=\"_blank\" rel=\"nofollow noopener\">way back in 2011<\/a>: if an innocent-looking USB charging port doesn\u2019t just supply electricity but contains a hidden computer, it can connect to your smartphone in data-transfer mode using the <a href=\"https:\/\/en.wikipedia.org\/wiki\/Media_Transfer_Protocol\" target=\"_blank\" rel=\"nofollow noopener\">Media Transfer Protocol<\/a> (MTP) or <a href=\"https:\/\/en.wikipedia.org\/wiki\/Picture_Transfer_Protocol\" target=\"_blank\" rel=\"nofollow noopener\">Picture Transfer Protocol<\/a> (PTP) and extract data from the device. This attack became known as <a href=\"https:\/\/en.wikipedia.org\/wiki\/Juice_jacking\" target=\"_blank\" rel=\"nofollow noopener\">juice-jacking<\/a>, and both Google and Apple quickly came up with a safeguard: when a smartphone is connected to a device supporting MTP\/PTP, it asks the user whether to allow data transfer or just charge. 
For many years, this simple precaution seemed to solve the problem\u2026 until 2025 \u2014 when researchers from Graz University of Technology in Styria, Austria, discovered a way to bypass it.<\/p>\n<h2>ChoiceJacking attack<\/h2>\n<p>In the <a href=\"https:\/\/graz.elsevierpure.com\/files\/89650227\/Final_Paper_Usenix.pdf\" target=\"_blank\" rel=\"nofollow noopener\">new attacks<\/a> \u2014 dubbed ChoiceJacking attacks \u2014 a malicious device disguised as a charging station confirms on its own that the victim supposedly wants to connect in data-transfer mode. Depending on the manufacturer and OS version, there are three variants of the attack. Each variant finds a different way to bypass a certain limitation in the USB protocol: a device cannot operate in both host mode (as a computer) and peripheral mode (e.g., as a mouse or keyboard) at the same time.<\/p>\n<p><strong>The first method <\/strong>is the most complex but works on both iOS and Android. A microcomputer is disguised as a charging station. This microcomputer can connect to a smartphone as a USB keyboard, USB host (computer), and Bluetooth keyboard.<\/p>\n<p>When the smartphone is plugged in, the malicious station emulates a USB keyboard and sends commands to turn on Bluetooth and connect to a Bluetooth device \u2014 the very same malicious computer, now impersonating a Bluetooth keyboard. After that, the system reconnects via USB, now posing as a computer. The smartphone asks the user whether to allow data transfer \u2014 and the malicious device confirms the request via a Bluetooth \u201ckeystroke\u201d.<\/p>\n<p><strong>The second method<\/strong> only works on Android and doesn\u2019t require Bluetooth. The malicious charger pretends to be a USB keyboard and floods the smartphone with keystrokes \u2014 overwhelming the input buffer. While the OS is busy processing this meaningless input, the charger disconnects and reconnects \u2014 this time as a computer. 
A prompt appears on screen asking which mode to connect in, and right at that moment the tail end of the keyboard input buffer plays out, containing a keystroke sequence that confirms connection in data-transfer mode (MTP, PTP, or even <a href=\"https:\/\/en.wikipedia.org\/wiki\/Android_Debug_Bridge\" target=\"_blank\" rel=\"nofollow noopener\">ADB<\/a> debug mode).<\/p>\n<p><strong>The third method<\/strong> \u2014 also Android-only \u2014 exploits the fact that all tested smartphones incorrectly implement the Android Open Accessory Protocol (AOAP). The malicious device connects as a computer right away, and when the confirmation screen appears, it sends the necessary keystroke events through AOAP. According to the protocol, simultaneous operation in both USB-host and AOAP modes is prohibited \u2014 but in practice, this restriction is often ignored.<\/p>\n<h2>Which devices are protected from USB ChoiceJacking?<\/h2>\n<p>Both Apple and Google blocked these attack methods in iOS\/iPadOS 18.4 and Android 15, respectively. Now, in order to confirm USB data transfer, it\u2019s not enough to simply press <em>Yes<\/em> \u2014 you need to pass biometric authentication or enter a password. Unfortunately, on Android, the OS version alone doesn\u2019t guarantee your smartphone\u2019s safety. For example, Samsung devices running the One UI 7 shell don\u2019t request authentication \u2014 even after updating to Android 15.<\/p>\n<p>That\u2019s why Android users who have updated to Android 15 are advised to connect their smartphone to a known safe computer via a cable and check whether a password or biometric confirmation is required. 
If not \u2014 avoid public charging stations.<\/p>\n<h2>How serious is this, and how to protect yourself?<\/h2>\n<p>While law enforcement agencies have occasionally warned about USB data-theft attacks (<a href=\"https:\/\/www.cbsnews.com\/newyork\/news\/fbi-warns-of-the-dangers-of-using-public-usb-ports-due-to-hackers\/\" target=\"_blank\" rel=\"noopener nofollow\">1<\/a>, <a href=\"https:\/\/www.sussexexpress.co.uk\/news\/crime\/tourists-warned-not-to-use-public-usb-charging-ports-4746983\" target=\"_blank\" rel=\"noopener nofollow\">2<\/a>), no real-world attacks have ever been publicly documented. This doesn\u2019t mean they\u2019ve never occurred, but it clearly isn\u2019t a widespread threat.<\/p>\n<p>If you\u2019re concerned about such attacks, you should only charge your devices using your own trusted charger or power bank, or use a USB <a href=\"https:\/\/www.walmart.com\/c\/kp\/data-blocker\" target=\"_blank\" rel=\"nofollow noopener\">data blocker<\/a> \u2014 an adapter that allows only power to flow through the cable while preventing data transmission. These adapters, also called \u201cUSB Condoms\u201d, are quite effective, but can slow down charging on newer smartphones since they also block the data signals required for <a href=\"https:\/\/en.wikipedia.org\/wiki\/Quick_Charge\" target=\"_blank\" rel=\"nofollow noopener\">Quick Charge<\/a> mode. Alternatively, you could use a cheap charge-only USB cable (which can\u2019t transmit data), but you should test it first with a trusted computer to ensure no data-transfer prompt appears on the screen; then you\u2019ll need to carry it around with you everywhere \u2014 and keep in mind that it also rules out Quick Charge.<\/p>\n<p>The most crucial and widely available protection is updating to the latest versions of Android or iOS.<\/p>\n<p>If you ever find yourself in a bind \u2014 with an outdated OS, no blocker, and an urgent need to use the nearest USB charger \u2014 just remain vigilant while charging. 
When you connect the phone, watch the screen: if it doesn\u2019t just start charging but prompts you to choose the connection type, select <em>Charging only<\/em>. If you\u2019re really worried about your data, it\u2019s better to unplug and look for a less \u201csmart\u201d port.<\/p>\n<blockquote><p>For more on other unusual smartphone hacks \u2014 check these out:<\/p>\n<ul>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/trojan-in-fake-smartphones\/53331\/\" target=\"_blank\" rel=\"noopener nofollow\">Trojan embedded in fake Android smartphones<\/a><\/li>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/bluetooth-vulnerability-android-ios-macos-linux\/50038\/\" target=\"_blank\" rel=\"noopener nofollow\">Hacking Android, macOS, iOS, and Linux through a Bluetooth vulnerability<\/a><\/li>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/how-to-avoid-threats-from-budget-android-devices\/49565\/\" target=\"_blank\" rel=\"noopener nofollow\">The hidden risks of cheap Android devices<\/a><\/li>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/infected-apkpure\/39273\/\" target=\"_blank\" rel=\"noopener nofollow\">Infected Android app store<\/a><\/li>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/triangulation-attack-on-ios\/48353\/\" target=\"_blank\" rel=\"noopener nofollow\">Triangulation Trojan for Apple devices<\/a><\/li>\n<\/ul>\n<\/blockquote>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"kisa-generic-3\">\n","protected":false},"excerpt":{"rendered":"<p>Can your photos be viewed, stolen, or deleted when your smartphone is plugged into a public charging station? 
As it turns out \u2014 yes!<\/p>\n","protected":false},"author":2722,"featured_media":24127,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1486],"tags":[105,1061,26,43,45,633,424],"class_list":{"0":"post-24126","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-threats","8":"tag-android","9":"tag-ios","10":"tag-iphone","11":"tag-privacy","12":"tag-smartphones","13":"tag-travel","14":"tag-usb"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/data-theft-during-charging-choicejacking-protection\/24126\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/data-theft-during-charging-choicejacking-protection\/28902\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/data-theft-during-charging-choicejacking-protection\/29004\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/data-theft-during-charging-choicejacking-protection\/28189\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/data-theft-during-charging-choicejacking-protection\/30994\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/data-theft-during-charging-choicejacking-protection\/39657\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/data-theft-during-charging-choicejacking-protection\/13420\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/data-theft-during-charging-choicejacking-protection\/53497\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/data-theft-during-charging-choicejacking-protection\/22832\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/data-theft-during-charging-choicejacking-protection\/32253\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/data-theft-during-charging-choicejacking-protection\/29179\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\
/blog\/data-theft-during-charging-choicejacking-protection\/34943\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/data-theft-during-charging-choicejacking-protection\/34574\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/usb\/","name":"USB"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/24126","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2722"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=24126"}],"version-history":[{"count":1,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/24126\/revisions"}],"predecessor-version":[{"id":24128,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/24126\/revisions\/24128"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/24127"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=24126"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=24126"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=24126"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}