New ChoiceJacking attack lets hackers steal data from your phone using public chargers — how to stay safe
Yet another reason to avoid public phone chargers

If you’ve ever used a public charger to top off your iPhone or Android phone at places like an airport or the mall, you’ll definitely want to think twice before doing so again, as researchers have devised a new attack method that allows malicious chargers to steal data from vulnerable phones.
As reported by Ars Technica, Apple and Google have been working for over a decade to make their devices less prone to juice jacking attacks where real-world hackers infect charging phones with malware.
Now, though, researchers at the Graz University of Technology in Austria have discovered that these previous mitigations against juice jacking can be bypassed and that sensitive user data like pictures and documents can be stolen from vulnerable iOS and Android devices.
Fortunately, Apple and Google have both released updates to protect users from ChoiceJacking attacks, though many of the best Android phones are still vulnerable.
Here’s everything you need to know about this new ChoiceJacking attack along with some tips and tricks to keep your phone safe from hackers, both online and in the real world.
What are ChoiceJacking attacks?
After Graz University’s researchers published their findings, Apple released iOS 18.4 which requires user authentication in the form of a PIN or password to interact with a locked iPhone when it’s plugged into a USB charger.
Meanwhile, with the release of Android 15 last November, Google updated its mobile operating system to keep Pixel devices and other Android phones safe from ChoiceJacking attacks.
In a paper detailing their findings, the researchers outlined three different ChoiceJacking techniques which were able to bypass Android’s original mitigations against juice jacking. One of them was able to get around Apple’s defenses, too.
In these ChoiceJacking attacks, a malicious charger acts as a USB host to trigger a confirmation prompt on a targeted phone. From here, the attacks exploit weaknesses in iOS and Android that allow a charger to autonomously inject “input events” that can enter text or click buttons shown in these on-screen prompts, mimicking a real user doing so.
Once a ChoiceJacking attack is complete, the malicious charger gains access to two channels on a vulnerable phone. One allows it to input content while pretending to be the device’s owner while the other allows the malicious charger to steal files and extract other sensitive data from a connected phone.
In one variation of these ChoiceJacking attacks that was able to get around both Apple and Google’s defenses, the charger acts as a USB keyboard or other peripheral. This allows it to send inputs over USB and establish a Bluetooth connection to a second smaller keyboard hidden inside the malicious charger. By using this Bluetooth keyboard, the charger can then confirm its own data connection to a vulnerable phone.
Even though Apple, Google and other Android manufacturers were informed about these ChoiceJacking attacks, outdated Android phones that aren’t running the latest software and even the best Samsung phones running One UI 7 are still vulnerable.
The reason these Samsung devices can be hit with a ChoiceJacking attack is that even those phones running Android 15 don’t implement Google’s new authentication requirement.
How to keep your phone safe from hackers
In order to protect your iPhone or Android phone from ChoiceJacking, the first and most important thing you should do is to avoid using public phone chargers altogether. Instead, make sure you bring a charger or one of the best power banks with you when out and about. This way, you won’t have to worry about malicious chargers or even malicious USB cables.
From there, you want to ensure your phone is running the latest software. iPhones all get updated at the same time but the same thing can’t be said for Android devices. Some Android phone makers take significantly longer to roll out new updates to their customers while others don’t provide them at all.
If you’re worried about security and want all the latest Android patches and fixes as soon as they become available, then you might want to consider one of Google’s own Pixel phones. Even if you don’t switch to Pixel, you want to carefully look into how often a phone maker releases updates when buying your next Android phone.
The best Android antivirus apps can help keep your phone safe from juice jacking attacks spreading malware while the best Mac antivirus software from Intego lets you get around Apple’s own restrictions and scan your iPhone or iPad for viruses when it’s connected to your Mac via a USB cable.
Given how easy it is for hackers to trick unsuspecting users into plugging their phones into public chargers, don’t expect juice jacking or ChoiceJacking attacks to go away anytime soon. However, if you use your own charger and cables, you won’t have to worry about falling victim to these sorts of attacks.

Anthony Spadafora is the managing editor for security and home office furniture at Tom’s Guide where he covers everything from data breaches to password managers and the best way to cover your whole home or business with Wi-Fi. He also reviews standing desks, office chairs and other home office accessories with a penchant for building desk setups. Before joining the team, Anthony wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.