Cybersecurity researchers have uncovered a new threat called Choicejacking that makes using public phone chargers incredibly risky. This method is an evolution of the older “juice jacking” attacks, but it cleverly sidesteps the security updates that were created to stop them. The new technique can force a smartphone to grant an attacker unauthorized access, often before the user even realizes their device is compromised.
From Juice Jacking to Choicejacking
The original threat, juice jacking, involved hackers using infected public charging stations to either steal data or install malware on connected phones. In response, smartphone manufacturers updated their operating systems to require user permission for any data transfer, giving people a choice between “charge only” and file access. However, researchers from Graz University of Technology in Austria have now found a way to bypass this security prompt entirely, tricking the phone into thinking the user has approved data transfer when they haven’t.
How the Attack Works
Choicejacking doesn’t rely on traditional malware. Instead, a malicious charging station spoofs input devices like a USB keyboard or Bluetooth device to fake user actions. It can use these fake inputs to quietly switch the phone into data-transfer or debug mode, a process that takes less than 133 milliseconds—faster than a human can blink. This speed means the phone grants access before the user has any chance to see a prompt or intervene.
According to cybersecurity advisor Adrianus Warmenhoven, the primary danger of Choicejacking is that it manipulates the device into making decisions the user never intended. Once the malicious charger tricks the phone into granting access, an attacker can secretly view photos, read messages, or install malicious software. It exploits the user’s trust in the security prompts that are supposed to keep them safe, creating a dangerous illusion of control.
The discovery of Choicejacking reinforces the long-standing warning from cybersecurity experts: do not trust public USB ports. Whether at an airport, hotel, or café, a compromised charger could be waiting to hijack a device. This warning is crucial for both Android and iOS users, as the underlying vulnerabilities exist on various platforms. The research detailing this attack has been accepted for presentation at the prestigious 34th USENIX Security Symposium in August 2025, highlighting the seriousness of the threat.
Reference:
