Full Report
New ChoiceJacking attack allows malicious chargers to steal data from phones.
Analysis Summary
# Vulnerability: ChoiceJacking Bypasses Juice Jacking Defenses on iOS and Android
## CVE Details
- **CVE ID:** No specific CVE provided in the context.
- **CVSS Score:** Not explicitly provided. (Severity inferred as High because the bypass defeats an established security control.)
- **CWE:** Relates to insecure handling of USB device roles/permissions, likely falling under CWE-287 (Improper Authentication) or CWE-264 (Permissions, Privileges, and Access Controls).
## Affected Systems
- **Products:** Apple iOS and Google Android operating systems. Devices relying on USB connection frameworks.
- **Versions:** Reportedly all versions shipped *after* the initial juice-jacking mitigations were introduced (circa 2012) up to the time of the research finding, suggesting a long-standing flaw. Specific version ranges are not detailed.
- **Configurations:** Any device relying on the standard USB protocol trust model where user confirmation is required before file access or code execution upon connection to a charging source.
## Vulnerability Description
Researchers at Graz University of Technology discovered a fundamental defect in the security defenses implemented by Apple (iOS) and Google (Android) against "juice jacking." These defenses, introduced around 2012, rely on the principle that a USB port can act as either a 'Host' or a 'Peripheral', but not both simultaneously.
The countermeasure requires the user to manually confirm access when the phone is connected to a potentially malicious charger (which acts as the USB 'Host'). The exploit, dubbed **ChoiceJacking**, defeats this measure because the malicious USB Host can inject input that approves the confirmation prompt shown on the phone without any user action, exploiting loopholes in the trust models of both operating systems.
## Exploitation
- **Status:** PoC available (the researchers demonstrated the bypass). Whether it was exploited in the wild before disclosure is not stated.
- **Complexity:** Low (implied: because the confirmation prompt can be approved autonomously, the attack is reliable and predictable once the underlying USB role behaviour is understood).
- **Attack Vector:** Physical (the victim must plug into a compromised charging station or cable; the exploitation itself is then carried out over the USB connection).
## Impact
- **Confidentiality:** High (Allows secret data exfiltration).
- **Integrity:** High (Allows running malicious code on the device).
- **Availability:** Medium to High (Depending on the malicious code executed).
## Remediation
### Patches
- **Status:** No specific patch versions are mentioned in the source text, which focuses on disclosing the flaw found by the researchers. Vendor advisories would need to be consulted for specific fixed versions.
### Workarounds
- **Current Mitigation (Implied):** Charge only from AC wall chargers you control, or use a USB data blocker (a "USB condom") that severs the data lines between the device and the public port or charger so that only power is delivered.
## Detection
- **Indicators of Compromise:** Unexpected data-access activity during charging sessions; unusual device behaviour immediately after connecting to a public USB port.
- **Detection Methods and Tools:** Detection would likely focus on monitoring USB device enumeration events and input activity originating from the USB Host immediately after connection to a public charging source. Custom security software that correlates physical connection events with subsequent system actions (such as a trust prompt being approved) would be necessary.
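The correlation described above, as an added example that is not part of the original report or of any vendor or research tooling. The log format, the event names and the timing thresholds are all constructed for illustration; real Android or iOS telemetry looks different. The heuristic it demonstrates: a USB trust prompt that is approved by an input device which itself appeared over USB, or approved faster than a person could plausibly react, is flagged for review.

```python
"""Correlate USB attach events with trust-prompt approvals (added example).

Constructed log format (not a real OS format):
    <iso-timestamp> <source> <action> key=value ...
sources: usb (attach, hid_attach), ui (prompt_shown, prompt_accepted), input (tap, press)
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

# Assumed thresholds for the heuristic, not values from the report.
HUMAN_REACTION_FLOOR = timedelta(milliseconds=250)  # faster approval than this is suspicious
ATTACH_WINDOW = timedelta(seconds=30)               # only correlate prompts soon after a host attach


@dataclass
class Event:
    ts: datetime
    source: str
    action: str
    fields: Dict[str, str]


def parse_line(line: str) -> Event:
    """Parse one constructed log line into an Event."""
    ts_str, source, action, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return Event(datetime.fromisoformat(ts_str.replace("Z", "+00:00")), source, action, fields)


def detect_choicejacking(lines: List[str]) -> List[str]:
    """Return one alert string per trust-prompt approval that looks injected."""
    events = sorted((parse_line(ln) for ln in lines if ln.strip()), key=lambda e: e.ts)
    alerts: List[str] = []
    last_host_attach: Optional[datetime] = None
    usb_input_devices: Set[str] = set()      # input devices that arrived over the USB link
    prompt_shown_at: Optional[datetime] = None
    last_input: Optional[Event] = None       # most recent input since the prompt appeared

    for ev in events:
        if ev.source == "usb" and ev.action == "attach" and ev.fields.get("role") == "host":
            last_host_attach = ev.ts
            usb_input_devices.clear()
        elif ev.source == "usb" and ev.action == "hid_attach":
            usb_input_devices.add(ev.fields.get("dev", ""))
        elif ev.source == "ui" and ev.action == "prompt_shown":
            prompt_shown_at, last_input = ev.ts, None
        elif ev.source == "input":
            last_input = ev
        elif ev.source == "ui" and ev.action == "prompt_accepted":
            # Ignore approvals that do not follow a recent USB host attach.
            if last_host_attach is None or prompt_shown_at is None or ev.ts - last_host_attach > ATTACH_WINDOW:
                continue
            reasons = []
            if last_input is not None and last_input.fields.get("src") in usb_input_devices:
                reasons.append(f"approval input came from USB device {last_input.fields['src']}")
            elapsed_ms = (ev.ts - prompt_shown_at) // timedelta(milliseconds=1)
            if ev.ts - prompt_shown_at < HUMAN_REACTION_FLOOR:
                reasons.append(f"approved {elapsed_ms} ms after prompt")
            if reasons:
                alerts.append(f"{ev.ts.isoformat()} prompt {ev.fields.get('id')}: " + "; ".join(reasons))
    return alerts


# Constructed sample sessions (not captured from a real device).
BENIGN_SESSION = [
    "2025-04-28T10:00:00.000Z usb attach role=host vid=1d6b pid=0002",
    "2025-04-28T10:00:00.300Z ui prompt_shown id=usb_trust",
    "2025-04-28T10:00:01.800Z input tap src=touchscreen",
    "2025-04-28T10:00:01.810Z ui prompt_accepted id=usb_trust",
]
MALICIOUS_SESSION = [
    "2025-04-28T10:00:00.000Z usb attach role=host vid=1d6b pid=0002",
    "2025-04-28T10:00:00.120Z usb hid_attach dev=usb-1.2 type=keyboard",
    "2025-04-28T10:00:00.300Z ui prompt_shown id=usb_trust",
    "2025-04-28T10:00:00.340Z input press key=ENTER src=usb-1.2",
    "2025-04-28T10:00:00.345Z ui prompt_accepted id=usb_trust",
]

if __name__ == "__main__":
    for name, session in (("benign", BENIGN_SESSION), ("malicious", MALICIOUS_SESSION)):
        print(name, detect_choicejacking(session) or "no alerts")
```

The two signals are deliberately independent: a touch approval that arrives quickly is only flagged on timing, while an approval from a USB-attached input device is flagged regardless of how long it took, since a genuine user does not normally need to plug a keyboard into a public charger to accept a prompt.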
## References
- KrebsOnSecurity article from 2011 describing the original juice-jacking concept: krebsonsecurity.com/2011/08/beware-of-juice-jacking/
- USB specification documentation on host/peripheral roles: usb.org/documents
- Vendor security advisories from Apple and Google (to be consulted for specific patch fixes).