All three of the ChoiceJacking strategies defeat the unique Android juice-jacking mitigations. One in every of them additionally works in opposition to these defenses in Apple gadgets. In all three, the charger acts as a USB host to set off the affirmation immediate on the focused cellphone.
The assaults then exploit numerous weaknesses within the OS that permit the charger to autonomously inject “enter occasions” that may enter textual content or click on buttons offered in display prompts as if the consumer had executed so straight into the cellphone. In all three, the charger ultimately good points two conceptual channels to the cellphone: (1) an enter one permitting it to spoof consumer consent and (2) a file entry connection that may steal information.
An illustration of ChoiceJacking assaults. (1) The sufferer machine is hooked up to the malicious charger. (2) The charger establishes an additional enter channel. (3) The charger initiates an information connection. Consumer consent is required to substantiate it. (4) The charger makes use of the enter channel to spoof consumer consent.
Credit score:
Draschbacher et al.
It’s a keyboard, it’s a bunch, it’s each
Within the ChoiceJacking variant that defeats each Apple- and Google-devised juice-jacking mitigations, the charger begins as a USB keyboard or the same peripheral machine. It sends keyboard enter over USB that invokes easy key presses, comparable to arrow up or down, but in addition extra complicated key combos that set off settings or open a standing bar.
The enter establishes a Bluetooth connection to a second miniaturized keyboard hidden contained in the malicious charger. The charger then makes use of the USB Energy Supply, a typical obtainable in USB-C connectors that permits gadgets to both present or obtain energy to or from the opposite machine, relying on messages they trade, a course of referred to as the USB PD Knowledge Position Swap.
A simulated ChoiceJacking charger. Bidirectional USB traces permit for knowledge function swaps.
Credit score:
Draschbacher et al.
With the charger now performing as a bunch, it triggers the file entry consent dialog. On the similar time, the charger nonetheless maintains its function as a peripheral machine that acts as a Bluetooth keyboard that approves the file entry consent dialog.
The complete steps for the assault, offered within the Usenix paper, are:
1. The sufferer machine is related to the malicious charger. The machine has its display unlocked.
2. At an acceptable second, the charger performs a USB PD Knowledge Position (DR) Swap. The cell machine now acts as a USB host, the charger acts as a USB enter machine.
3. The charger generates enter to make sure that BT is enabled.
4. The charger navigates to the BT pairing display within the system settings to make the cell machine discoverable.
5. The charger begins promoting as a BT enter machine.
6. By consistently scanning for newly discoverable Bluetooth gadgets, the charger identifies the BT machine handle of the cell machine and initiates pairing.
7. Via the USB enter machine, the charger accepts the Sure/No pairing dialog showing on the cell machine. The Bluetooth enter machine is now related.
8. The charger sends one other USB PD DR Swap. It’s now the USB host, and the cell machine is the USB machine.
9. Because the USB host, the charger initiates an information connection.
10. Via the Bluetooth enter machine, the charger confirms its personal knowledge connection on the cell machine.
This method works in opposition to all however one of many 11 cellphone fashions examined, with the holdout being an Android machine working the Vivo Funtouch OS, which doesn’t absolutely assist the USB PD protocol. The assaults in opposition to the ten remaining fashions take about 25 to 30 seconds to determine the Bluetooth pairing, relying on the cellphone mannequin being hacked. The attacker then has learn and write entry to information saved on the machine for so long as it stays related to the charger.
