All three of the ChoiceJacking strategies defeat the unique Android juice-jacking mitigations. One among them additionally works towards these defenses in Apple gadgets. In all three, the charger acts as a USB host to set off the affirmation immediate on the focused telephone.
The assaults then exploit numerous weaknesses within the OS that enable the charger to autonomously inject “enter occasions” that may enter textual content or click on buttons offered in display prompts as if the person had executed so straight into the telephone. In all three, the charger ultimately positive factors two conceptual channels to the telephone: (1) an enter one permitting it to spoof person consent and (2) a file entry connection that may steal information.
An illustration of ChoiceJacking assaults. (1) The sufferer machine is connected to the malicious charger. (2) The charger establishes an additional enter channel. (3) The charger initiates an information connection. Person consent is required to substantiate it. (4) The charger makes use of the enter channel to spoof person consent.
Credit score:
Draschbacher et al.
It’s a keyboard, it’s a number, it’s each
Within the ChoiceJacking variant that defeats each Apple- and Google-devised juice-jacking mitigations, the charger begins as a USB keyboard or the same peripheral machine. It sends keyboard enter over USB that invokes easy key presses, resembling arrow up or down, but additionally extra advanced key mixtures that set off settings or open a standing bar.
The enter establishes a Bluetooth connection to a second miniaturized keyboard hidden contained in the malicious charger. The charger then makes use of the USB Energy Supply, a normal obtainable in USB-C connectors that permits gadgets to both present or obtain energy to or from the opposite machine, relying on messages they trade, a course of referred to as the USB PD Information Function Swap.
A simulated ChoiceJacking charger. Bidirectional USB strains enable for knowledge position swaps.
Credit score:
Draschbacher et al.
With the charger now performing as a number, it triggers the file entry consent dialog. On the identical time, the charger nonetheless maintains its position as a peripheral machine that acts as a Bluetooth keyboard that approves the file entry consent dialog.
The complete steps for the assault, supplied within the Usenix paper, are:
1. The sufferer machine is related to the malicious charger. The machine has its display unlocked.
2. At an acceptable second, the charger performs a USB PD Information Function (DR) Swap. The cellular machine now acts as a USB host, the charger acts as a USB enter machine.
3. The charger generates enter to make sure that BT is enabled.
4. The charger navigates to the BT pairing display within the system settings to make the cellular machine discoverable.
5. The charger begins promoting as a BT enter machine.
6. By always scanning for newly discoverable Bluetooth gadgets, the charger identifies the BT machine tackle of the cellular machine and initiates pairing.
7. By the USB enter machine, the charger accepts the Sure/No pairing dialog showing on the cellular machine. The Bluetooth enter machine is now related.
8. The charger sends one other USB PD DR Swap. It’s now the USB host, and the cellular machine is the USB machine.
9. Because the USB host, the charger initiates an information connection.
10. By the Bluetooth enter machine, the charger confirms its personal knowledge connection on the cellular machine.
This system works towards all however one of many 11 telephone fashions examined, with the holdout being an Android machine working the Vivo Funtouch OS, which doesn’t totally assist the USB PD protocol. The assaults towards the ten remaining fashions take about 25 to 30 seconds to determine the Bluetooth pairing, relying on the telephone mannequin being hacked. The attacker then has learn and write entry to information saved on the machine for so long as it stays related to the charger.
