ChoiceJacking: USB Trust Model Failures on iOS and Android

Nearly a decade after Apple and Google first introduced defenses against “juice jacking,” researchers at Graz University of Technology have exposed fundamental flaws that let malicious chargers bypass these protections in seconds. Dubbed ChoiceJacking, the new family of attacks demonstrates that the USB trust models underlying iOS and Android remain alarmingly fragile, despite recent patches in iOS 18.4 and Android 15.
Background: The Evolution of Juice Jacking
In 2011, security journalist Brian Krebs coined the term juice jacking after a Defcon demo showed how public charging stations could surreptitiously install malware or exfiltrate data when unsuspecting users plugged in their phones. By 2012, both Apple and Google had patched their USB stacks to require an explicit on-screen confirmation before any data channel could open.
- USB Role Definitions: Under the USB 2.0/3.x specification, devices negotiate a host (controller) and a peripheral at attach time, ensuring phones could not simultaneously act as host and device.
- Confirmation Prompt: iOS and Android added a modal dialog, "Trust This Computer?", that users must tap before the Data and Media Transfer Protocols (PTP/MTP) can mount storage.
Introducing ChoiceJacking
In a USENIX Security Symposium paper scheduled for August 2025, the Graz team describes three ChoiceJacking techniques that exploit loopholes in USB Power Delivery (USB PD), the Android Open Accessory Protocol (AOAP), and Android's input dispatcher. All three let a charger:
- Trigger the system’s “Trust” prompt by acting as a USB host.
- Autonomously inject input events—keystrokes or touch events—into the mobile OS.
- Spoof user consent and open a data channel for file exfiltration.
Deep Dive: USB Power Delivery Role Swap Exploit
The most versatile ChoiceJacking variant leverages the USB PD specification (USB Type-C). By performing a negotiated Data Role Swap, a malicious charger can dynamically switch roles:
- Phase 1: Charger initially advertises as a USB keyboard (peripheral) to the phone.
- Phase 2: Over the USB PD channel, which negotiates power contracts from 5 V at 2 A up to 20 V at 5 A, the charger requests a Data Role Swap and becomes the host.
- Phase 3: As host, it triggers the “Trust” prompt, then reverts to peripheral to inject Bluetooth pairing commands.
- Phase 4: A hidden microcontroller inside the charger spoofing a Bluetooth HID device approves the dialog.
- Phase 5: The charger finalizes the swap back to host, gaining MTP/PTP access for file read/write.
This chain takes under 30 seconds on most devices and works on all tested models except one Vivo phone lacking full USB PD support.
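The step that makes this chain work is the Data Role Swap: once the phone accepts a DR_Swap control message, the attached partner holds the host role and can drive the "Trust" prompt. The following is an added example, not code from the Graz paper or the article, showing the check a phone's Type-C port controller (or a USB PD analyzer on the CC line) could apply: decode each incoming PD message header and refuse DR_Swap while the port is in a charging-only state, which is what the mitigation of disabling USB data roles while charging amounts to at protocol level. The 16-bit header layout and the control-message type codes are those of the USB PD 3.0 specification; the "charging-only port" policy and every frame in the sample session are constructed for this example.

```python
"""Decode USB PD message headers and apply a charging-only policy.

Added example, not code from the Graz paper or the article. It models the
check a phone's Type-C port controller (or a USB PD analyzer sitting on the
CC line) could make: decode each incoming PD message header and refuse a
Data Role Swap (DR_Swap) while the port is in charging-only mode, so a
charger cannot talk its way into the host role. Header layout and the
control-message type codes follow the USB PD 3.0 specification; every frame
below is constructed for this example.
"""
import struct

# Control messages carry no data objects (Number of Data Objects == 0).
CONTROL_TYPES = {
    1: "GoodCRC", 2: "GotoMin", 3: "Accept", 4: "Reject", 5: "Ping",
    6: "PS_RDY", 7: "Get_Source_Cap", 8: "Get_Sink_Cap", 9: "DR_Swap",
    10: "PR_Swap", 11: "VCONN_Swap", 12: "Wait", 13: "Soft_Reset",
}
# Data messages carry one or more 32-bit data objects after the header.
DATA_TYPES = {
    1: "Source_Capabilities", 2: "Request", 3: "BIST",
    4: "Sink_Capabilities", 15: "Vendor_Defined",
}
# Messages a charging-only port refuses: a data role change is the step
# that would let the attached partner become the USB host.
BLOCKED_IN_CHARGE_ONLY = {"DR_Swap"}


def build_header(message_type, *, num_data_objects=0, message_id=0,
                 source=True, dfp=True, spec_revision=3, extended=False):
    """Pack a 16-bit PD message header (used only to construct sample frames)."""
    assert 0 <= message_type < 32 and 0 <= num_data_objects < 8
    assert 0 <= message_id < 8 and spec_revision in (1, 2, 3)
    return ((int(extended) << 15) | (num_data_objects << 12)
            | (message_id << 9) | (int(source) << 8)
            | ((spec_revision - 1) << 6) | (int(dfp) << 5) | message_type)


def decode_header(raw):
    """Split a 16-bit PD header into its fields (SOP message layout)."""
    return {
        "extended": bool((raw >> 15) & 1),
        "num_data_objects": (raw >> 12) & 0x7,
        "message_id": (raw >> 9) & 0x7,
        "power_role": "Source" if (raw >> 8) & 1 else "Sink",
        "spec_revision": ((raw >> 6) & 0x3) + 1,  # field 0b10 means Rev 3.0
        "data_role": "DFP" if (raw >> 5) & 1 else "UFP",
        "message_type": raw & 0x1F,
    }


def message_name(header):
    """Resolve the message type; the same code means different things for
    control and data messages, so the data-object count picks the table."""
    table = DATA_TYPES if header["num_data_objects"] else CONTROL_TYPES
    return table.get(header["message_type"], f"Unknown({header['message_type']})")


def charging_only_verdict(header):
    """'Reject' for messages that would change the data role, else 'Allow'."""
    return "Reject" if message_name(header) in BLOCKED_IN_CHARGE_ONLY else "Allow"


def audit_session(frames):
    """Walk raw PD frames (header first, little-endian) and return
    (message name, verdict) for each, as the charging-only port would decide."""
    results = []
    for frame in frames:
        (raw,) = struct.unpack("<H", frame[:2])
        header = decode_header(raw)
        results.append((message_name(header), charging_only_verdict(header)))
    return results


def _frame(header, data_objects=()):
    """Serialize a header plus optional 32-bit data objects (constructed input)."""
    return struct.pack("<H", header) + b"".join(struct.pack("<I", d) for d in data_objects)


# Constructed session from a charger that first advertises power, then asks
# for the data role twice, with a power role swap in between. The PDO value
# is illustrative; a real capture would also carry CRCs and SOP ordering.
SAMPLE_SESSION = [
    _frame(build_header(1, num_data_objects=1, message_id=0), [0x0A01912C]),
    _frame(build_header(9, message_id=1)),   # DR_Swap: wants to become host
    _frame(build_header(10, message_id=2)),  # PR_Swap: power only, harmless here
    _frame(build_header(9, message_id=3)),   # DR_Swap retried
]

if __name__ == "__main__":
    for name, verdict in audit_session(SAMPLE_SESSION):
        print(f"{name:<20} -> {verdict}")
```

Run as a script it lists each message with the verdict the charging-only port would return; the two DR_Swap requests come back as Reject while the Source_Capabilities advertisement and the power role swap are allowed, since neither opens a data path. A stricter deployment could extend BLOCKED_IN_CHARGE_ONLY with Vendor_Defined to refuse Alternate Mode entry as well.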
Android-Specific Variants
Besides the PD-based attack, two Android-only variants exploit:
- AOAP Misimplementation: Many OEMs accept Android Open Accessory Protocol messages even when not in accessory mode, letting a charger enroll as an input device and confirm prompts.
- Input Dispatcher Race: By flooding the key event queue, the charger keeps the OS busy, then switches roles mid-dispatch—automatically accepting the data connection prompt before the user can react.
Additional Analysis: Impact on Enterprise Mobile Security
Organizations adopting Mobile Device Management (MDM) often whitelist USB peripherals, assuming built-in OS protections suffice. ChoiceJacking invalidates this assumption:
- MDM Detection Gaps: Encrypted PD negotiations and accessory mode transitions occur below the mobile OS’s interception layer.
- Policy Bypass: Even devices with USB debugging disabled can have data channels opened without user intervention.
- Forensic Challenges: Exfiltration occurs over standard MTP/PTP channels, blending in with legitimate sync traffic.
Standards and Future Directions
The ChoiceJacking research underscores the need for revisiting USB trust models under bodies like USB-IF and the USB Promoter Group:
- Hardware-Level Confirmation: Proposals include embedding user-presence tokens in USB C connectors, requiring a capacitive touch on the cable end.
- PD Authentication Extensions: Introducing an asymmetric-key handshake in USB PD 3.1 to cryptographically bind chargers to trusted identities.
- OS Architectural Changes: Isolating USB event handling in a minimal TCB (Trusted Computing Base) that cannot be influenced by accessory peripherals.
Mitigations and Best Practices
- Update to iOS 18.4+ or Android 15+ where possible; verify the presence of authentication prompts requiring PIN/Biometric confirmation.
- Avoid public charging stations; carry a power-only USB C cable or portable battery pack supporting only VBUS lines.
- Enterprises should enforce policies that disable USB data roles entirely when charging, leveraging MDM to enforce chargingOnly mode.
- For developers: keep USB debugging off in production and review Android's input-dispatcher source for custom handlers.
Conclusion
ChoiceJacking shows that even mature defenses can be undermined if their foundational assumptions go unexamined. As USB standards evolve, both OS vendors and hardware manufacturers must adopt multi-layered authentication methods—cryptographic, hardware, and user prompt—to safeguard billions of mobile devices worldwide.