Data theft during smartphone charging

[harlan4096]

Can your photos be viewed, stolen, or deleted when your smartphone is plugged into a public charging station? As it turns out — yes!
 
Can your photos and other data be downloaded or erased from your smartphone while it’s charging from a public charging port — on public transport, in a clinic, at the airport, and so on? Despite manufacturers’ safety measures, it’s sometimes possible.

Hackers first came up with such attacks way back in 2011: if an innocent-looking USB charging port doesn’t just supply electricity but contains a hidden computer, it can connect to your smartphone in data-transfer mode using the Media Transfer Protocol (MTP) or Picture Transfer Protocol (PTP) and extract data from the device.

This attack became known as juice-jacking, and both Google and Apple quickly came up with a safeguard: when a smartphone is connected to a device supporting MTP/PTP, it asks the user whether to allow data transfer or just charge. For many years, this simple precaution seemed to solve the problem… until 2025 — when researchers from Graz University of Technology in Styria, Austria, discovered a way to bypass it.

ChoiceJacking attack

In the new attacks — dubbed ChoiceJacking attacks — a malicious device disguised as a charging station confirms on its own that the victim supposedly wants to connect in data-transfer mode. Depending on the manufacturer and OS version, there are three variants of the attack. Each variant finds a different way to bypass a certain limitation in the USB protocol: a device cannot operate in both host mode (as a computer) and peripheral mode (e.g., as a mouse or keyboard) at the same time.

The first method is the most complex but works on both iOS and Android. A microcomputer is disguised as a charging station. This microcomputer can connect to a smartphone as a USB keyboard, USB host (computer), and Bluetooth keyboard.

When the smartphone is plugged in, the malicious station emulates a USB keyboard and sends commands to turn on Bluetooth and connect to a Bluetooth device — the very same malicious computer, now impersonating a Bluetooth keyboard. After that, the system reconnects via USB, now posing as a computer. The smartphone asks the user whether to allow data transfer — and the malicious device confirms the request via a Bluetooth “keystroke”.

The second method only works on Android and doesn’t require Bluetooth. The malicious charger pretends to be a USB keyboard and floods the smartphone with keystrokes — overwhelming the input buffer. While the OS is busy processing this meaningless input, the charger disconnects and reconnects — this time as a computer. A prompt appears on screen asking which mode to connect in, and right at that moment the tail end of the keyboard input buffer plays out, containing a keystroke sequence that confirms connection in data-transfer mode (MTP, PTP, or even ADB debug mode).

Continue Reading...