Photo credit: arstechnica.com
Recent studies have unveiled a concerning security vulnerability known as ChoiceJacking, which undermines the protective measures put in place to combat juice-jacking on both Android and Apple devices. By exploiting the function of a charger as a USB host, attackers can trigger confirmation prompts on targeted smartphones.
These attacks exploit gaps in the operating systems that grant the charger the ability to autonomously simulate user input. This input can mimic text entries or button presses, effectively allowing the charger to bypass user consent for accessing files on the devices. In essence, the charger establishes two main pathways to the phone: firstly, an input channel that can spoof user approval, and secondly, a file access channel that can facilitate the theft of data.
An illustration depicting the ChoiceJacking process includes the following steps: (1) The targeted device is connected to the malicious charger. (2) The charger establishes an additional input channel. (3) The charger then initiates a data connection that necessitates user consent for confirmation. (4) Finally, the charger uses the input channel to simulate this consent.
Dual Functionality of Chargers
One variant of ChoiceJacking uniquely bypasses both Apple and Google’s preventative measures. This method involves the charger initially functioning as a USB keyboard or similar peripheral. It transmits keyboard commands that effectuate simple functions like scrolling, along with more intricate key combinations that can manipulate device settings or bring up system menus.
The charger subsequently establishes a Bluetooth connection through an internal miniaturized keyboard concealed within the device. Utilizing USB Power Delivery, a feature of USB-C that enables devices to alternate roles when exchanging messages, the charger conducts what is termed a USB PD Data Role Swap.
Once the charger takes on the role of host, it triggers the consent dialog for file access. Meanwhile, it continues to operate as a Bluetooth keyboard, which allows it to automatically approve this dialog on the mobile device.
The detailed procedural steps of the attack, as outlined in a recent Usenix paper, are as follows:
1. The targeted device is connected to the compromised charger, with its screen unlocked.
2. At a strategic moment, the charger executes a USB PD Data Role Swap, transforming the mobile device into a USB host and itself into an input device.
3. It generates commands to ensure Bluetooth is activated.
4. The charger then navigates to the Bluetooth pairing interface in system settings to enable discoverability.
5. It advertises itself as a Bluetooth input device.
6. By continually searching for new Bluetooth devices, the charger detects its target’s device address and initiates pairing.
7. Utilizing its capabilities as an input device, the charger confirms the Yes/No pairing prompt on the mobile device.
8. A subsequent USB PD Data Role Swap occurs, reversing roles: the charger becomes the USB host again, and the phone reverts to being the USB device.
9. From its host position, the charger initiates a data connection.
10. Finally, through its Bluetooth input capabilities, the charger confirms the data connection on the mobile device.
This attack method has proven effective against ten out of eleven smartphone models tested, with only one exception: an Android device operating on Vivo Funtouch OS, which lacks full support for USB PD. In the cases where the method is successful, the attacker typically secures read and write access to the device’s files within 25 to 30 seconds, depending on the model, as long as the connection to the malicious charger remains active.
Source
arstechnica.com