Juicejacking revisited: Should you charge your phone at the airport?

Paul Ducklin
08/12/2025

Remember juicejacking?

Almost exactly 15 years ago, following the 2011 Black Hat conference, veteran cybersecurity investigator Brian Krebs introduced the world to the term juicejacking.

Juicejacking quickly became a well-known word because it provoked widespread cybersecurity fear – it referred to the potential security risk of innocently plugging any mobile device, notably a phone, into a public charging socket.

You might think the fear was that a public socket might, either accidentally or maliciously, deliver enough voltage to blow up attached devices, given that USB charging back in 2011 was strictly limited to just 5V DC.

In practice, however, public USB chargers generally work reliably from a power delivery point of view, and their perceived cybersecurity danger didn’t come from voltage spikes that might permanently destroy your device.

The risk was that the wall socket (or the charger unit, if you were borrowing one from a person you didn’t know) might have a tiny circuit board hidden inside, meaning that you would unknowingly be hooking up to someone else’s computer, not merely to a charger.

What if that rogue computer decided to manipulate your phone in order to extract, change, or add data without you ever knowing?

Changing the defaults

Fifteen years ago, many if not most popular devices, from cameras to mobile phones, were configured to show up by default when connected to a computer, either as generic storage devices or via special protocols known as PTP and MTP.

USB storage devices typically mount automatically on the so-called host computer (in this case, the fake charger), appearing as a drive letter such as E:\ on Windows, or as /Volumes/SOMENAME on a Mac.

At this point the host computer can make a full copy of the entire storage device at file level or even at sector level, theoretically extracting everything from it.

PTP and MTP, short for picture and media transfer protocol respectively, are slightly more restrictive, allowing file-by-file transfer only, but that’s still enough for a rogue host computer to steal your photos and videos via PTP, or all your saved files via MTP.

That sort of “host computer disguised as a charger” treachery is what Brian Krebs meant by juicejacking.

Seeking out an untrusted source of juice (a slang term for “electrical power”) could lead to the data getting jacked (slang shorthand for the word “hijacked”).

To this day, some devices still advertise themselves automatically when plugged into a host computer, such as my own GARMIN bike computer, which dates from the late 2010s.

That means they’re still vulnerable to juicejacking, which could leech personal data from them, secretly upload rogue data or apps to them, and possibly even implant rogue firmware updates that get silently installed when you next reboot the device.

But mobile phone vendors reacted fairly quickly to the threat of juicejacking, introducing an effective solution that blocked data requests from the other end of the USB cable until you unlocked the device and tapped an on-screen dialog to grant access.

Although some cybersecurity advisors have been warning for many years about the ongoing danger of mobile phone juicejacking, because those stories make good clickbait, the risks were generally regarded as well-contained by the mid-2010s.

Indeed, more and more public USB chargers have appeared in recent years – many of the local buses in the city where I live are liberally fitted with charging ports, for example – and users routinely plug into these without any horror stories emerging.

Juicejacking, it seems, was over almost as soon as it began.

Introducing choicejacking

Well, juicejacking is back, albeit in a different form and with a different name, thanks to a paper scheduled for presentation later this week at the 2025 USENIX Security Symposium.

The paper is intriguingly entitled ChoiceJacking: Compromising mobile devices through malicious chargers like a decade ago, and it reworks the original juicejacking concept by adding more functionality, and different sorts of treachery, into the attack.

The trick here is that the rogue computer at the other end of the charging cable can variously identify itself to your mobile phone as a USB host (that’s how your laptop would appear), which is usually the controlling end of the cable, or as a USB device or peripheral, which is usually something like a keyboard or a USB drive that your mobile phone takes control of.

Choicejacking works by first presenting the rogue charger as a USB keyboard peripheral and then switching it over to be a USB host, or presenting it as a USB keyboard peripheral and a separate Bluetooth keyboard at the same time.

For connections via USB-C ports, where each end of the cable has the same sort of plug on it, the peripheral end is officially called the Upstream Facing Port (confusingly written by the authors of the ChoiceJacking paper as “upward facing port,” though its physical orientation is clearly irrelevant and on many devices faces sideways) and the host end is the Downstream Facing Port (written as “downward facing” in the paper). We’ll stick to host for the controlling end, for example a laptop computer, and peripheral for the device at the other end that gets controlled, such as a keyboard, headset or USB drive.

Very greatly simplified, the researchers found several ways to trick mobile phones into opening up access to a rogue charger, by first behaving as a USB keyboard (in USB parlance, a HID, or human interface device), a peripheral type that both Android and iOS typically activate automatically, without needing user approval.

In the paper, the fake charger pretending to be a USB keyboard was a Raspberry Pi-based system entirely under the researchers’ control, so they could programmatically inject any type-and-tap sequence of input events at this point, thereby remotely controlling the poisoned phone to trigger three different sorts of attack:

  1. Trigger a special sort of connection known as AOAP, short for Android Open Accessory Protocol, and exploit a bug they discovered that allowed them to inject keypresses when they weren’t supposed to be accepted. Simply put, when requesting your phone to activate MTP or PTP access, they could sneakily stuff keystrokes into the keyboard buffer at the same time. When your phone reacted to the MTP/PTP activation by popping up an authorization request, the wrongly-buffered keypresses would be consumed and used to grant access automatically. (Android only.)
  2. Start off as a USB peripheral instead of a USB host, advertising the rogue charger as a keyboard. They flooded the input buffer with a carefully-chosen sequence of inputs that required more time than usual for the Android kernel to process, presumably using weird character combinations, lengthy gestures, or other complex interactions that needed more CPU time to handle than just typing [A] or pressing [Space]. The attackers then switched their end of the USB cable from peripheral mode into host mode and requested MTP/PTP access. By the time the MTP/PTP dialogs popped up asking for user authorization, the keyboard buffer already contained the keystrokes needed to approve it, even though the fake keyboard was no longer active because it had been shut down in the switch to host mode. (Android only.)
  3. Fire up a fake Bluetooth keyboard that advertises its availability. Over the USB cable, the attackers started up as a fake USB keyboard and rapidly navigated into the phone’s Bluetooth settings, activated Bluetooth and paired with the rogue Bluetooth device. Then, as in attack 2, they switched the rogue charger from keyboard mode to host mode and requested MTP/PTP access. The deactivated USB keyboard was irrelevant because the attackers used the now-authorized fake Bluetooth keyboard to navigate the authorization dialogs that popped up on the phone. (Android and iPadOS.)

The last item above is the most general-purpose attack, given that the attackers got it to work on numerous Android devices as well as an iPad, and because it doesn’t rely on any bugs or performance problems in Android’s keystroke handling protocols.

However, it does lead to a flurry of unwanted on-screen activity as the fake keyboards navigate and manipulate various Settings options on the device, so it’s possible a victim might notice an attack unfolding if they were looking at the screen at the time.

Intriguingly, the attackers devised a trick that could potentially sidestep this problem by adding monitoring code to their bogus charger that kept track of fluctuations in the power consumption of the actual charging circuitry.

They aimed to detect the higher current consumption when the phone was making or receiving a call and to attack at that moment, assuming you would be more likely to be holding the phone to your head than to be looking at the screen.
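The three sequences listed above follow a recognisable order of events, which is something a defender can check for in a record of one charging session. The sketch below is an added example, not code from the ChoiceJacking paper or from SolCyber; the event names, the `source` labels and the 30-second window are assumptions invented for illustration, not a real Android or iOS log format.

```python
from dataclasses import dataclass

# Constructed event names for this example; not a real Android or iOS log format.
HID_ATTACH = "usb_keyboard_attached"      # cable end presents as a HID keyboard
ROLE_SWAP  = "usb_peer_became_host"       # same cable end switches to host mode
BT_PAIR    = "bluetooth_keyboard_paired"
DATA_REQ   = "mtp_ptp_requested"
APPROVED   = "access_dialog_approved"

@dataclass
class Event:
    t: float           # seconds since the cable was plugged in
    kind: str
    source: str = ""   # APPROVED only: "touchscreen", "usb_keyboard", "bluetooth_keyboard"

def findings(events, window=30.0):
    """Return the suspicious patterns seen in one charging session, in order."""
    out = []
    hid_at = None        # when the cable last presented itself as a keyboard
    swapped_at = None    # when that keyboard end switched over to host mode
    for e in sorted(events, key=lambda e: e.t):
        if e.kind == HID_ATTACH:
            hid_at = e.t
        elif e.kind == BT_PAIR and hid_at is not None and e.t - hid_at <= window:
            out.append("bluetooth keyboard paired while cable acted as keyboard")
        elif e.kind == ROLE_SWAP and hid_at is not None:
            swapped_at = e.t
        elif e.kind == DATA_REQ and swapped_at is not None and e.t - swapped_at <= window:
            out.append("keyboard turned host, then asked for MTP/PTP")
        elif e.kind == APPROVED and e.source != "touchscreen":
            out.append("access approved by " + e.source + ", not the touchscreen")
    return out

# Constructed sessions: an ordinary file transfer, and one shaped like attack 3.
NORMAL = [Event(2.0, DATA_REQ), Event(6.5, APPROVED, "touchscreen")]
ATTACK3 = [
    Event(0.4, HID_ATTACH),
    Event(5.1, BT_PAIR),
    Event(5.6, ROLE_SWAP),
    Event(6.0, DATA_REQ),
    Event(6.3, APPROVED, "bluetooth_keyboard"),
]

if __name__ == "__main__":
    for name, session in (("normal", NORMAL), ("attack3", ATTACK3)):
        print(name, findings(session))
```

A session shaped like attack 2 (keyboard, role swap, MTP/PTP request, approval from the buffered USB keystrokes) trips the second and third checks but not the Bluetooth one.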

Heading off the attacks

The good news here is that these attacks almost all require your phone to be unlocked, because they rely on the phone being able to pop up dialog boxes and to accept input to navigate through its various Settings dialogs.

(On some Android phones, the researchers discovered exploitable bugs that allowed them to pull off exploit 1 even when the phone was locked, but only Oppo and Honor devices running the three-versions-old Android release 13 were vulnerable.)

In other words, if you decide to charge your phone via an unknown charger or with a cable you’ve borrowed from someone else, leaving it locked whenever it’s plugged in neutralizes this attack.

If you need to make or answer a call, or to check your email or social media, simply unplug the phone from the charger before using it, and then lock it again before plugging it back in.

In our own experiments, both an iPhone running iOS 18 and a Google Pixel 4a running LineageOS 22.2 (Android 15) appeared to be invulnerable to this attack. Both devices not only required an on-screen tap to activate USB access, which a choicejacker with keyboard access could inject, but also demanded that we enter our lock code, which a choicejacker wouldn’t know.

For what it’s worth, locking your phone explicitly whenever you aren’t using it, and avoiding unlocking it at all while you’re walking in public, is a great habit to get into anyway, given the rise in what we call Balaclava Bandit robberies, where criminals on motorcycles or silent electric bicycles swoop on victims in the street and snatch their phones while they’re unlocked.

What to do?

  • Always lock your phone when you aren’t using it. Also set the shortest auto-lock time you can tolerate, just in case you forget to lock it explicitly when you put it down.
  • Keep your phone locked when you are in public areas, where you can’t trust everyone around you. This includes when you have plugged your device into someone else’s charger, or used a cable borrowed from someone you don’t know well. Hiding choicejacking hardware inside a cable end would be hard, but probably not impossible. Hiding it inside a wall-wart charger or a USB mini-hub would be comparatively simple. Hiding it inside a wall-mounted power outlet like the one pictured above would be easy.
  • Choose the longest, most complex lock code you can tolerate. As mentioned above, Android 15 and iOS 18, in our tests, at least, apparently already have extra protection against choicejacking because they not only require you to tap through a confirmation dialog but also to re-enter your lock code before accepting a data connection. (The researchers only used Android 12, Android 13, Android 14, and iPadOS 17.4.1 in their tests.)
  • Consider Apple’s Lockdown Mode for full USB protection, because this neutralizes the choicejacking attack completely. Be aware, however, that this works because it suppresses all USB connectivity, which might be more lockdown than you need or want. The recently released Android 16 adds Advanced Protection, which provides a similar level of USB security, if your Android supplier has already updated to this recent version.
  • Add an extra layer of security to your mobile devices, which are typically protected only by basic MDM (mobile device management) tools. Signing up for SolCyber Mobile Protection brings your mobile threat response to a new level, including blocking phishing attempts and messaging scams that specifically target phone users.


Learn more about our mobile security solution that goes beyond traditional MDM (mobile device management) software, and offers active on-device protection that’s more like the EDR (endpoint detection and response) tools you are used to on laptops, desktops and servers:


More About Duck

Paul Ducklin is a respected expert with more than 30 years of experience as a programmer, reverser, researcher and educator in the cybersecurity industry. Duck, as he is known, is also a globally respected writer, presenter and podcaster with an unmatched knack for explaining even the most complex technical issues in plain English. Read, learn, enjoy!


Featured image of USB-C cable by Maxence Pira via Unsplash.
