Choicejacking: The Evolution of a Threat in Public Mobile Device Charging

Today, mobile phones have become a vital extension of our lives. From managing our schedules and communications to handling our finances, these devices contain a large amount of personal and sensitive information. This makes them a primary target for cybercriminals. With the increasing reliance on our smartphones, charging these devices in public places has become undeniably popular. 

Airports, shopping malls, hotels, and coffee shops are just a few of the many places that have installed USB charging stations to meet the need to recharge our devices while we’re away from home. However, this convenience comes with a high security risk, especially with the emergence of new attack techniques like choicejacking.

Choicejacking is a modern threat that has evolved from earlier attacks such as juicejacking, and it highlights a critical vulnerability in the security of our mobile devices. The technique allows cybercriminals to take control of devices connected to public charging stations and steal or manipulate personal data without the user’s knowledge or consent.

With the increased digitalization of our daily lives, this threat poses a serious danger to users' privacy and security. Below, the expert team at ITD Consulting provides a complete guide to choicejacking and how to prevent it.


The Emergence and Evolution of Public Charging Threats

To understand why choicejacking is such a dangerous threat, it is necessary to put it into context with the development of previous attacks, like juicejacking. Juicejacking first appeared in 2011 and involved using modified USB ports to infect mobile devices with malware or steal personal data—even when the user was simply trying to charge their phone. This juicejacking attack was carried out through public USB ports that allowed both charging and data transfer. 

In fact, many public chargers not only provide power but also allow file transfers between the connected device and the charging station, opening a door for cybercriminals to access information stored on the phone through juicejacking.

In response to this threat, technology companies and operating system developers like Android and iOS began implementing security measures to protect users from juicejacking. The most significant of these measures was the introduction of a warning message that appears on the device when connected to a USB port. 

This message asks the user to choose between two options: "Charge only" or "Transfer data." This was designed to prevent devices from initiating data transfers without the user's explicit consent, thus preventing juicejacking.

However, neither innovation in cybersecurity nor the ingenuity of attackers stands still, and that is how choicejacking emerged. The attack is far more sophisticated than juicejacking. With choicejacking, cybercriminals not only manipulate data transfer but can also bypass existing protections, making the mobile device automatically enable data transfer mode without the user knowing or approving it.

What Is Choicejacking and How Does It Work?

Choicejacking exploits an inherent vulnerability in the process of charging and connecting mobile devices to public USB ports. In a typical attack, the attacker creates a malicious device that presents itself as an ordinary USB charging station. Unlike a legitimate charging station, however, this device has been modified to carry out malicious actions.

When the user connects their mobile phone, the malicious device manipulates the phone’s operating system to silently enable data transfer mode, without any user intervention. The attack happens in a fraction of a second, exploiting specific protocols and vulnerabilities in mobile operating systems such as Android or iOS.

The cybercriminal can use various techniques, such as keystroke injection (simulating user commands), protocol abuse, or buffer overflow, to trick the device into activating data transfer mode without the user noticing.

Once this mode is enabled, the attacker can access information stored on the mobile device, such as photos, videos, documents, contacts, stored passwords, emails, and even financial information. A choicejacking attack executes so quickly (around 133 milliseconds) that users have no time to react or realize their device has been compromised.

Adrianus Warmenhoven, cybersecurity advisor at NordVPN, has emphasized the danger of this type of attack by stating: “Choicejacking is particularly dangerous because it manipulates a device into executing actions users would never agree to—and without them even realizing it.” This choicejacking attack highlights how vulnerable a mobile device can be, even in everyday situations like charging it in a public place.
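The mechanism described above leaves traces a defender can check for: an input device appearing on a charging port, and a consent prompt answered faster than a person could tap it. The following is an added example, not code from this article or from any vendor; the event schema, the finding names and the 500 ms reaction threshold are assumptions, and the sessions are constructed.

```python
from dataclasses import dataclass

# Assumption: lower bound for a person to read and tap a USB consent prompt.
HUMAN_MIN_REACTION_MS = 500

@dataclass
class Event:
    t_ms: int         # milliseconds since the cable was attached
    kind: str         # "attach" | "input_device" | "prompt_shown" | "data_mode_on"
    source: str = ""  # origin of the device or confirming input: "usb" | "touchscreen"

def assess(events):
    """Return finding codes for one charging session (hypothetical event schema)."""
    findings, prompt_t = [], None
    for ev in sorted(events, key=lambda e: e.t_ms):
        if ev.kind == "input_device" and ev.source == "usb":
            # A power source has no reason to enumerate as a keyboard or mouse.
            findings.append("USB_INPUT_DEVICE")
        elif ev.kind == "prompt_shown":
            prompt_t = ev.t_ms
        elif ev.kind == "data_mode_on":
            if prompt_t is None:
                findings.append("DATA_MODE_WITHOUT_PROMPT")
            elif ev.t_ms - prompt_t < HUMAN_MIN_REACTION_MS:
                findings.append("CONSENT_FASTER_THAN_HUMAN")
            if ev.source == "usb":
                findings.append("CONSENT_FROM_USB_INPUT")
    return findings

# Constructed sessions, not captured from a real device.
SUSPICIOUS = [
    Event(0, "attach"),
    Event(35, "input_device", "usb"),
    Event(60, "prompt_shown"),
    Event(133, "data_mode_on", "usb"),  # whole sequence inside the ~133 ms cited above
]
USER_APPROVED = [
    Event(0, "attach"),
    Event(250, "prompt_shown"),
    Event(3100, "data_mode_on", "touchscreen"),
]
CHARGE_ONLY = [Event(0, "attach")]

if __name__ == "__main__":
    for name, session in [("suspicious", SUSPICIOUS), ("user approved", USER_APPROVED),
                          ("charge only", CHARGE_ONLY)]:
        print(f"{name}: {assess(session) or 'no findings'}")
```

The timing check matters because a prompt that is shown and then accepted within milliseconds looks, in a plain permission log, identical to a user who consented.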

Comparison Between Choicejacking and Juicejacking

Although choicejacking and juicejacking are similar techniques that exploit malicious USB ports, there are key differences that make choicejacking a more dangerous threat.

1. User Interaction

Juicejacking: Juicejacking generally requires user interaction. When a device is connected to a compromised USB port, the user is prompted to accept data transfer or enable access to the device. This gives the user a chance to avoid juicejacking if they recognize the prompt.

Choicejacking: Choicejacking, on the other hand, requires no user intervention. The attacker stealthily manipulates the device to enable data transfer mode without the user’s knowledge, making the attack much harder to detect.

2. Speed and Stealth

Juicejacking: Juicejacking attacks are relatively slow compared to choicejacking. Since they require user approval for data transfer, there’s time for the user to detect the threat.

Choicejacking: The attack is completed within milliseconds (around 133 ms), making it nearly undetectable to the user.

3. Scope of the Attack

Juicejacking: Its main goal is to infect the device with malware or steal information. The impact of juicejacking is usually more limited and focuses on data accessible to the attacker.

Choicejacking: In addition to stealing information, choicejacking can grant attackers remote control of the device and allow them to execute actions without the user realizing it—vastly expanding the scope of the threat.


Why Shouldn’t You Use Public USB Ports?

Charging stations located in public places such as airports, shopping malls, coffee shops, and libraries are convenient, but they pose a danger to the security of mobile devices. Although they are often not perceived as threats, public USB ports can be easily manipulated to carry out choicejacking attacks. These charging ports not only provide power to the device but also allow data transfer between the device and the charger, which makes the USB port a possible entry point for attackers.

The main vulnerability in this scenario lies in the trust that users place in charging stations. Most people assume that simply connecting their mobile phone to a public charger is completely safe. However, as we’ve seen with choicejacking, even a legitimate charging port can be compromised to perform a series of malicious actions in the background.

Protection Measures Against Choicejacking

Although choicejacking is a serious threat, there are several measures users can take to protect their devices and minimize the risk of falling victim to this type of attack. Below are the most important recommendations to protect yourself against choicejacking, explained in greater depth:

1. Keep Your Operating System Updated

One of the most effective ways to defend against choicejacking is to ensure that your device’s operating system is always up to date. Smartphone manufacturers like Apple and Google release regular security patches to fix vulnerabilities that cybercriminals could exploit, and these fixes can protect your device from attacks like choicejacking. Updates can also improve the operating system's built-in defense mechanisms to address new threats.

2. Avoid Using Public Charging Stations

The safest option is to avoid using public USB charging stations whenever possible. If you’re in a place with a charging station, consider safer alternatives such as carrying a portable battery or using a charger you plug directly into a wall outlet. If you have no other option and need to charge your device at a public station, try to choose only those places that offer official and verified chargers and USB ports, such as those provided by device manufacturers or trusted providers.

3. Use Your Own Chargers and Cables

It is recommended to always carry your own charger and cable when traveling or when away from home. If that’s not possible, make sure the charger you’re using comes from a reliable source. Third-party cables can be an ideal tool for attackers, as they can be tampered with to execute a choicejacking attack. Also, keep in mind that a charger that appears to be legitimate could be a compromised device that puts your security at risk.

4. Enable "Charge Only" Mode on Android

Android users can enable “Charge only” mode when connecting their device to a USB port to avoid choicejacking. This option blocks data transfer, ensuring that the port is used only to charge the device. Enabling this mode eliminates the risk of an attacker accessing your personal data without your consent.

5. Don’t Let Your Device Battery Fully Drain

Plan your device usage to prevent the battery from reaching critical levels. Keep the charge above 10% to avoid depending on public charging stations when you need them most. Having a portable battery on hand allows you to charge your device safely without needing to use public USB ports, effectively preventing choicejacking.

6. Don’t Trust Unknown Cables and Chargers

Never use cables or chargers provided by strangers. Even if they appear harmless, they may be designed to execute a choicejacking attack. It is essential to only use trusted chargers and cables—preferably those that come with the device or are from brands recognized for their security.


Choicejacking is not only one of the most recent threats in the field of cybersecurity, but also a clear example of how cybercriminals are constantly adapting and refining their techniques to exploit vulnerabilities in mobile devices. Although smartphone manufacturers and operating system developers have implemented a number of security measures—such as USB connection permission controls and software updates—these protections are not always enough to counter the sophisticated attacks that choicejacking represents. 

Cybercriminals exploit precisely this constant evolution of technologies and the security gaps that come with it, which shows that cybersecurity should never be considered completely safe or resolved. Therefore, the responsibility for protecting our devices falls not only on the manufacturers but also on the users themselves. Staying informed about new threats like choicejacking, and adopting proper security habits, is essential to mitigate risks.

This includes not only practices such as regularly updating operating systems and using personal chargers instead of public stations but also developing a critical awareness of the possible attack vectors used in choicejacking. Ultimately, digital security depends on a preventive and proactive approach that involves both user education and the implementation of proper protection measures. 

Only with a comprehensive and vigilant approach can we reduce the risks that threaten our privacy and personal data in an increasingly interconnected world. If you want the best cybersecurity solutions for your business, write to us at [email protected]. We offer personalized advice to help you keep your data safe.
