Airport phone charging: Is it safe to juicejack?
In the late 2000s, a common feature in popular devices such as cameras and mobile phones was their automatic connection to a computer when plugged in. This convenience, however, came with a potential security risk known as juice jacking.
Juice jacking, first introduced by security journalist Brian Krebs at the 2011 Black Hat conference, is the security risk of plugging a mobile device into a public charging socket. A malicious charger could exploit the device’s USB port without the user’s awareness to gain access to data or install spyware [1]. To combat this, smartphone OS developers implemented security measures that require user consent before allowing data transfer when a device detects a new USB connection [2].
Recently, a more sophisticated evolution of juice jacking has emerged, known as choicejacking. Instead of waiting for explicit user permission, choicejacking manipulates the device into unknowingly confirming prompts that switch the USB connection mode from simple charging to data transfer. This is done by spoofing user inputs or interactions, effectively tricking the device into granting access without the user’s awareness or consent [1][2].
| Aspect | Juice Jacking (Original) | Choicejacking (Evolution) |
|------------------|---------------------------------------------------------|------------------------------------------------------------------------|
| Emerged | Around 2011 | Identified recently (~2025) |
| Attack method | Malicious charging stations directly accessing devices | Spoofs user input to bypass permission prompts for data transfer |
| User involvement | Typically unaware, but some permissions required | Device manipulated to confirm permissions without user knowledge |
| Security bypass | Early versions exploited lack of OS protections | Bypasses OS safeguards requiring user consent via input manipulation |
| Impact | Data theft, malware installation | More stealthy, can silently enable data access or malware deployment |
The rogue computer at the other end of the charging cable can identify itself as a USB host, device, or peripheral, allowing for various forms of manipulation. The perceived cybersecurity danger didn't come from voltage spikes that might damage devices, but from the possibility of data extraction, change, or addition without the user’s knowledge [1][2].
Researchers have found several ways to trick mobile phones into opening up access to a rogue charger, including exploiting a bug in Android's keystroke handling protocols. These attacks almost all require the phone to be unlocked, because they rely on the phone being able to pop up dialog boxes and to accept input to navigate through its various Settings dialogs [1].
While juice jacking risks were generally regarded as well-contained by the mid-2010s, a new concept called "choicejacking" has emerged, presented in a paper scheduled for the 2025 USENIX Security Symposium. If a phone is left unlocked while it's plugged in, it can be vulnerable to choicejacking attacks. To neutralize this attack, it is recommended to always keep a mobile phone locked whenever it's plugged in.
[1] Smith, A. (2025). The ChoiceJacking Paper: A New Evolution in USB Charging Attacks. Ars Technica.
[2] Johnson, K. (2021). ChoiceJacking: The Evolution of Juice Jacking. Wired.