All three of the ChoiceJacking techniques defeat the original Android juice-jacking mitigations.
One of them also works against those defenses in Apple devices.
In all three, the charger acts as a USB host to trigger the confirmation prompt on the targeted phone. The attacks then exploit various
prompts as if the user had done so directly into the phone.
In all three, the charger eventually gains two conceptual channels to the phone: (1) an input one allowing it to spoof user consent and (2) a file access connection that can steal files.
Figure: An illustration of ChoiceJacking attacks. (1) The victim device is attached to the malicious charger. (2) The charger establishes an extra input channel. (3) The charger initiates a data connection; user consent is needed to confirm it. (4) The charger uses the input channel to spoof user consent. Credit: Draschbacher et al.
In the ChoiceJacking variant that defeats both Apple- and Google-devised juice-jacking mitigations, the charger starts as a USB keyboard or a similar peripheral device. It sends keyboard input over USB that invokes simple key presses, such as arrow up or down, but also more complex key combinations that trigger settings or open a status bar. The input establishes a Bluetooth connection to a second miniaturized keyboard hidden inside the
provide or receive power to or from the other device, depending on messages they exchange, a process known as the USB PD Data Role Swap.
Figure: A simulated ChoiceJacking charger. Bidirectional USB lines allow for data role swaps. Credit: Draschbacher et al.
With the charger now acting as a host, it triggers the file access consent dialog. At the same time, the charger still maintains its role as a peripheral device that acts as a Bluetooth keyboard that approves the file access consent dialog. The full steps for the attack, provided in the Usenix paper, are:

1. The victim device is connected to the malicious charger. The device has its screen unlocked.
2. At a suitable moment, the charger performs a USB PD Data Role (DR) Swap. The mobile device now acts as a USB host, the charger acts as a USB input device.
3. The charger generates input to ensure that BT is enabled.
4. The charger navigates to the BT pairing screen in the system settings to make the mobile device discoverable.
5. The charger starts advertising as a BT input device.
6. By constantly scanning for newly discoverable Bluetooth devices, the charger identifies the BT device address of the mobile device and
7. Through the USB input device, the charger accepts the Yes/No pairing dialog appearing on the mobile device. The Bluetooth input device is now connected.
8. The charger sends another USB PD DR Swap. It is now the USB host, and the mobile device is the USB device.
9. As the USB host, the charger initiates a data connection.
10. Through the Bluetooth input device, the charger confirms its own data connection on the mobile device.

This technique works against all but
The attacks against the 10 remaining models take about 25 to 30 seconds to establish the Bluetooth pairing, depending on the phone model. The attacker then has read and write access to files stored on the device for as long as it remains connected to the charger.
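As an added example (not code from the article or from the paper's authors), a defender-side correlation over constructed device events: it flags the event order the ten steps above would leave behind, two USB data role swaps bracketing a new Bluetooth input-device pairing and a file-access consent that did not come from the touchscreen. The event names, timestamps and the input_source field are assumptions made for illustration, not a real Android or iOS log format.

```python
# Added example (not from the article or the paper): correlate device events
# for the ChoiceJacking sequence. The event schema is constructed for
# illustration; real Android/iOS logs use different names and fields.
WINDOW_S = 60  # the paper reports about 25-30 s from pairing to file access

# Event kinds, in order, that the ten steps above would leave on the phone.
PATTERN = [
    "usb_role_swap",          # step 2: phone becomes USB host, charger is a USB input device
    "bt_pairing_accepted",    # step 7: a new Bluetooth input device is paired
    "usb_role_swap",          # step 8: charger swaps back to being the USB host
    "data_consent_accepted",  # step 10: the file-access prompt is confirmed
]
HID_SOURCES = {"usb_hid", "bluetooth_hid"}  # input that did not come from the touchscreen

def detect_choicejacking(events, window_s=WINDOW_S):
    """Return each chain of (timestamp_s, kind, input_source) events that
    matches PATTERN in order within window_s and whose final consent was
    delivered by a keyboard-style source rather than the touchscreen."""
    events = sorted(events, key=lambda e: e[0])
    matches = []
    for i, (t0, kind0, _) in enumerate(events):
        if kind0 != PATTERN[0]:
            continue
        chain, step = [events[i]], 1
        for ev in events[i + 1:]:
            if ev[0] - t0 > window_s:
                break
            if ev[1] == PATTERN[step]:  # unrelated events in between are skipped
                chain.append(ev)
                step += 1
                if step == len(PATTERN):
                    break
        if step == len(PATTERN) and chain[-1][2] in HID_SOURCES:
            matches.append(chain)
    return matches

# Constructed timelines (not captured from a real device).
ATTACK_EVENTS = [
    (0.0, "usb_connected", "none"),
    (1.2, "usb_role_swap", "usb_hid"),
    (3.0, "bt_enabled", "usb_hid"),
    (21.5, "bt_pairing_accepted", "usb_hid"),
    (22.0, "usb_role_swap", "usb_hid"),
    (23.1, "data_consent_accepted", "bluetooth_hid"),
]
BENIGN_EVENTS = [  # user plugs into a laptop and taps the prompt themselves
    (0.0, "usb_connected", "none"),
    (0.5, "usb_role_swap", "none"),
    (4.0, "data_consent_accepted", "touchscreen"),
]
```

The same chain with the final consent attributed to the touchscreen is not flagged, which is the property that separates this pattern from a normal pairing-then-sync session.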