Avoid public USB charging stations because they could hack your phone
For some years now, smartphones have had a built-in feature that protects against unauthorized access via USB. In iOS and Android, you get pop-ups that ask for confirmation when a data USB connection is established before you can actually start transferring data.
However, this guard against “juice jacking”—a hacking method in which charging stations are manipulated to inject malicious code, steal information, or allow access to the device when plugged in—is apparently not as secure as expected.
Cybersecurity researchers have discovered a serious loophole in this system that can be easily exploited.
A new way to hack smartphones via USB
As Ars Technica reports, attackers can use a new method called “choice jacking” to ensure that access to smartphones is easily authorized without the user being aware of it.
To do this, attackers first install a feature on a charging station so that it actually appears as a USB keyboard when connected. Then, via USB Power Delivery, it executes a “USB PD Data Role Swap” to establish a Bluetooth connection, trigger the file transfer consent pop-up, and approve consent while acting as a Bluetooth keyboard.
The charging station can therefore be used to bypass the protection mechanism on the device, which is actually intended to protect against hack attacks with USB peripherals. In the worst case scenario, hackers could gain access to all files and personal data stored on your smartphone in order to take over accounts.
The researchers at Graz University of Technology tested this method on devices from various manufacturers, including Samsung, who sells the most smartphones alongside Apple. All tested devices allowed data transfer as long as the screen was unlocked.
No real solution available for most devices
Although smartphone manufacturers are aware of the problem, there still isn’t sufficient protection against choice jacking. Only Apple and Google have implemented a solution, which involves users first entering their PIN or password before they can add a device as a trusted source and start the data transfer. However, other manufacturers have not implemented sufficient protection against such attacks yet.
If your device has USB debugging enabled, it’s especially at risk because USB debugging can allow attackers to gain access to the system via the Android Debug Bridge and install their own applications, execute files, and generally use a higher access mode.
How to protect yourself
The easiest way to protect yourself from choice jacking attacks via USB charging stations is, of course, to never use a public charging station or any charging station that isn’t your own. USB charging stations in high-traffic areas—like airports—are especially dangerous.
It’s better to use your own power bank when traveling and make sure that your smartphone is always up-to-date with the latest security updates.
Further reading: Your USB cable could be hiding hacker hardware 
© 2025 PC World 3:25am  
|
|
|
|
|
