Data Theft While Charging Your Smartphone via Public USB Ports

Is it possible for your smartphone’s data to be stolen or even deleted when charging through a public USB port — such as in airports, public transportation, clinics, and similar places? Despite the security measures implemented by device manufacturers, the answer is yes.

What is Juice Jacking?

First introduced by hackers in 2011, Juice Jacking is a type of cyberattack where a seemingly harmless USB charging port hides a malicious computer that connects to your phone in data transfer mode (via MTP or PTP protocols) and extracts data.

To counter this threat, both Google and Apple introduced a feature that prompts the user to confirm whether they want to allow data transfer or just charge the device when a USB connection is established. This solution remained effective — until 2025, when researchers at Graz University of Technology in Austria discovered a new attack method: ChoiceJacking.

 

What is ChoiceJacking?

In ChoiceJacking attacks, a malicious device disguised as a regular charging station automatically approves data transfer without user consent. Depending on the phone model and OS version, this attack can occur in three ways:

1. USB + Bluetooth Hybrid (for iOS & Android)

The malicious charger acts as a USB keyboard, a USB host (like a computer), and a Bluetooth keyboard. It first functions as a USB keyboard, activates Bluetooth on the victim’s phone, and connects to a hidden malicious Bluetooth device. Then, it re-establishes the connection as a computer and uses the Bluetooth keyboard to approve the data transfer prompt.

2. Keyboard Input Flooding (Android Only)

Here, the device identifies as a USB keyboard and floods the phone with keystroke inputs. While the OS is processing these inputs, the charger disconnects and reconnects as a computer. When the data access request appears, the buffered inputs from earlier simulate the user’s approval.

3. Exploiting the AOAP Protocol (Android Only)

This method exploits a flaw in how some Android devices implement the Android Open Accessory Protocol (AOAP). The malicious charger introduces itself as a computer and sends simulated approval signals through AOAP — bypassing the data transfer confirmation. Technically, using USB host mode and AOAP simultaneously should be prohibited, but many Android phones ignore this limitation.

 

Which Devices Are Safe from ChoiceJacking?

Both Google and Apple have patched these vulnerabilities in iOS/iPadOS 18.4 and Android 15. Now, approving a USB data transfer requires biometric authentication or a password. However, just having Android 15 isn’t enough. For instance, Samsung phones with One UI 7 still allow data access without requiring authentication, even after updating.

Tip: Connect your phone to a trusted computer and check whether the system asks for fingerprint or password confirmation when a USB connection is made. If not, avoid public USB charging stations.

How to Protect Yourself from USB Data Theft

Although no widespread real-world attacks have been publicly reported, the risk remains — and negligence could be costly. To stay safe:

• Use a charge-only USB cable that doesn’t support data transfer.
• Consider using a USB data blocker adapter that allows only power through the cable.
• Rely only on your personal charger or power bank.
• Always keep your operating system updated to the latest version.

If you must use a public charger:

• Carefully watch your phone’s screen upon connection.
• Always select “Charge only” if prompted.
• Avoid allowing any connection that enables data transfer

Source: MedadPress
www.medadpress.ir