In a troubling development for smartphone users, cybersecurity researchers from Graz University of Technology have identified a new method of attack known as Choicejacking. This technique exploits smartphones, allowing unauthorized access to devices when connected to compromised charging stations, often without the user even realizing any action has been taken.
Choicejacking is a modern evolution from the previously known juice jacking attacks, which had gained notoriety over a decade ago for stealing data and injecting malware through infected charging ports. To combat these threats, smartphone operating systems implemented prompts requiring user approval for data transfer when devices are plugged into unknown ports. However, researchers have successfully devised a method to circumvent these security measures.
The method works by spoofing USB or Bluetooth input devices, effectively faking user actions to fool phones into granting data access. The entire process is alarmingly fast – taking less than 133 milliseconds – enabling attackers to gain control of devices before the user can react. According to Adrianus Warmenhoven, a cybersecurity advisor at NordVPN, the deception offered by this attack poses severe risks, as it manipulates devices into decisions users never intended.
Even more concerning, once access is granted, attackers can secretly browse photos, read messages, and install malicious software. This highlights the ongoing dangers associated with public USB ports, as compromised charging stations can be found in airports, hotels, and cafes. Warmenhoven warns against trusting such public charging stations, recommending that users keep their devices updated, avoid unknown ports, and utilize portable power banks whenever possible.
The findings regarding Choicejacking are set to be presented at the 34th USENIX Security Symposium in August 2025, underscoring the importance of awareness and precautionary measures among smartphone users.