Published January 23, 2025 | Version 1.0
Dataset Open

Artifacts for ChoiceJacking: Compromising Mobile Devices through Malicious Chargers like a Decade ago

  • 1. Graz University of Technology

Contributors

Project leader:

  • 1. Graz University of Technology

Description

JuiceJacking is an attack in which malicious charging stations compromise connected mobile devices. Shortly after the attack was discovered about a decade ago, mobile OSs introduced user prompts for confirming data connections from a USB host to a mobile device. Since the introduction of this countermeasure, no new USB-based attacks with comparable impact have been found.

In this paper, we present a novel family of USB-based attacks on mobile devices, ChoiceJacking, which is the first to bypass existing JuiceJacking mitigations. We observe that these mitigations assume that an attacker cannot inject input events while establishing a data connection. However, we show that this assumption does not hold in practice. We present a platform-agnostic attack principle and three concrete attack techniques for Android and iOS that allow a malicious charger to autonomously spoof user input to enable its own data connection. Our evaluation using a custom cheap malicious charger design reveals an alarming state of USB security on mobile platforms. Despite vendor customizations in USB stacks, ChoiceJacking attacks gain access to sensitive user files (pictures, documents, app data) on all tested devices from 8 vendors including the top 6 by market share. For two vendors, our attacks allow file extraction from locked devices. For stealthily performing attacks that require an unlocked device, we use a power line side-channel to detect suitable moments, i.e., when the user does not notice visual artifacts.

Our artifact package contains the proof-of-concept ChoiceJacking implementation, as well as evaluation records for different mobile devices. It provides the design files and firmware for our malicious charger PCB, the Python code for interacting with it from a Raspberry Pi, the experimental power line side-channel, as well as the attack code for different devices and attack techniques. We also include the video recordings of the attacks on 11 different devices that we used for measuring timings.

Please note that our artifacts have specific hardware requirements. Most notably, they require specific mobile devices and a Raspberry Pi 4/5. Additionally, for some attacks, our custom malicious charger prototype PCB is needed.

Files

Files (1.5 GB)

  • Artifacts.zip (1.5 GB), md5:29254c772d601dd6c8ad85b3f881d226