iOS and Android juice jacking defenses have been trivial to bypass for years

horde

https://arstechnica.com/security/2025/04/ios-and-android-juice-jacking-defenses-have-been-trivial-to-bypass-for-years/

In paper: https://pure.tugraz.at/ws/portalfiles/portal/89650227/Final_Paper_Usenix.pdf

On the Google Pixel 7a, CHOICEJACKING attacks can extract files or gain code execution in 1.3 s.

de0u

horde This is a solid piece of security work -- well researched, responsibly disclosed, well communicated.

Here are some observations.

The researchers reported their findings to Android vendors in June and July of 2024. GrapheneOS release 2024022600 provided cautious high-threat users with a powerful mitigation four months earlier: setting the USB-C port to either the "Charging-only" or "Off".
The GrapheneOS team repeatedly warns users that USB debugging exposes additional attack surface. In the case of the attacks in this paper, without USB debugging an attacker can extract "media" files and also create new ones, which is bad, but with USB debugging enabled an attacker can install malware on the device.
The paper claims that Google's stock OS is "a largely unmodified AOSP build", which seems somewhat inaccurate to me. Google's OS may be closer to AOSP than other vendor Android variants, but personally I don't think "largely unmodified" is a very accurate description. That said, the mischaracterization doesn't appear to undermine the results of this research.
As pointed out in the original post (horde), the paper reports "On the Google Pixel 7a, CHOICEJACKING attacks can extract files or gain code execution in 1.3 s". Unfortunately, as sometimes happens, there is a false equation of Google Pixel devices with Google's stock OS for Pixels. In this case, a Pixel 7a running GrapheneOS was already, at the time of the research, configurable to be immune to these attacks.

Congratulations to the Graz University team ... and also to the GrapheneOS team!

vlad

using random cheapo public charger seems to be not very good idea anyways, since it theoretically could fry the device if it malfunctions,
but the described vector should be covered by "charge only" usb option, shouldn't it?

DeletedUser203

There's a well known German company that has been selling USB data blockers/ usb a-c adapters for years so you could charge at public USB power points. This is the second variation I have the previous one.
https://shop.nitrokey.com/shop/data-blocker-usb-c-c-568?page=2
Isn't this old news, well written I agree, but I am a working man not a computer scientist, I have known about USB vulnerability years ago, hence having a data blocker for my phone in the event I really need to charge at a public charge point

teezeh

Qi to the rescue.

LeslieFH

Which is why I have charge-only cables with no data transfer capabilities. You can't juice-jack if there are no data wires.

ryrona

If one connect a keyboard and mouse to the phone, those are usable right away, without approval of the user, as long as USB data is enabled and phone unlocked. Any USB device, including a public charger, can pretend being a keyboard and mouse, and thus can do anything on your unlocked phone you can do yourself, including installing or replacing apps with malicious versions from the web, screenshoting, and copying out all your files and data.

From only reading the abstract of the paper above, it seems they are exploiting this, and used it to enable the data transfer, which is always disabled by default. A recent update made you need to scan your fingerprint to enable data transfer, but this won't prevent them from copying out all your files, or installing malicious apps. They can just upload them to a website instead, or download the APKs from a website instead.

Charging cables without data links are the only safe way, or the "Charging only" mode, but that latter may be easy to forget to enable.

Upstate1618

Is gos affected?

ryrona

Upstate1618 Is gos affected?

In default settings, yes. At least if we talk about this kind of attack in a broader sense than the specific one talked about in the paper.

If you switch to "Charging only" USB mode, no. GrapheneOS has a mitigation, but it is one you have to enable. And remember to enable again if you disable it.

graphuser

ryrona is it not the default that if the screen is locked then it's power only?

I tried data blockers but it's a bit hit or miss in my experience and they don't all work/work everywhere. If I'm going to travel for long, I'm taking a battery pack to charge up at planes, etc. and use the pack to charge my phone back.

whiskeywalrus

The biggest issue here with the "charging only" option is if you use usb to 3.5mm adapter it's a real pain to always have to change the setting. Ideally it would ask via notification or popup for approval to connect data to the usb cable/device and then default back to charging only once disconnected.

ryrona

graphuser is it not the default that if the screen is locked then it's power only?

Yes, the data link is disabled until you unlock the phone, in default setting. However, since we are talking about public chargers compromising the device, it is highly likely most people would use their phone, and thus have it unlocked, while it is charging. And in that case it is vulnerable, unless you switch the USB security setting to Charging Only mode.

graphuser If I'm going to travel for long, I'm taking a battery pack to charge up at planes, etc. and use the pack to charge my phone back.

This is a good solution.