Wash Your Phone: USB-Based File Access Attacks on Mobile Devices
This talk demonstrates novel USB-based file access attacks that bypass user consent prompts on modern Android and iOS devices. The researchers exploit vulnerabilities in the Media Transfer Protocol (MTP) and USB Power Delivery (PD) state machines to gain unauthorized file access even when the device is locked. The presentation highlights how these flaws allow an attacker to extract or delete user data by manipulating USB communication protocols. The researchers also discuss the impact of these vulnerabilities on device security and the status of vendor patches.
Bypassing Mobile Lock Screens via MTP and USB Power Delivery
TLDR: Researchers at Black Hat 2025 demonstrated that modern Android and iOS devices are vulnerable to USB-based file access attacks that bypass user consent prompts. By exploiting logic flaws in the Media Transfer Protocol (MTP) and USB Power Delivery (PD) state machines, an attacker can extract or delete data from a locked device. Pentesters should prioritize testing USB interfaces for these state-machine manipulation techniques, while users should avoid untrusted public charging stations.
Mobile security has long operated under the assumption that a locked device is a fortress. We rely on disk encryption and the physical barrier of the lock screen to protect our data from unauthorized access. However, the hardware interface we use to charge our phones—the USB-C port—is far more complex than a simple power conduit. It is a high-speed data bus capable of negotiating complex protocols, and as recent research shows, it is a massive, often overlooked attack surface.
The Mechanics of the MTP State Machine Attack
The core of this research centers on how mobile operating systems handle the transition between charging and data transfer. When you plug a device into a computer, the operating system must decide whether to expose the file system. On Android, this is typically gated by a user consent prompt that only appears after the device is unlocked. The researchers identified that this security boundary is not as rigid as it appears.
By manipulating the USB Power Delivery (PD) protocol, an attacker can force the device into a state where it believes it is connected to a trusted accessory. The attack exploits the fact that the MTP service on Android is started by the UsbManager system component as soon as a connection is detected, even if the device is locked. While the MTP database is initially empty, the researchers found that they could trigger the population of this database by manipulating the USB state machine.
The vulnerability lies in the logic by which the MTP service manages file handles. Specifically, the doTruncateObject method in the MTP message handler lacks the input validation and sanity checks found in other parts of the stack. An attacker can send a series of crafted MTP messages to open a file descriptor and then truncate the file to zero bytes. Because this logic executes before the user has even interacted with the device, the attacker can effectively wipe user data from a locked phone.
Technical Exploitation and Logic Flaws
The attack flow relies on a precise sequence of operations. First, the attacker connects the device to a malicious USB host. The host initiates a USB PD data role swap, forcing the mobile device to act as a USB device rather than a host. This transition is critical because it allows the attacker to interact with the MTP stack directly.
The following snippet illustrates the logic flaw in the MtpDatabase vendor customization that allows for unauthorized file path resolution:
```java
// Simplified logic showing the lack of validation for file handles
public int getObjectFilePath(int handle, char[] outFilePath) {
    // The handle is used directly to query the MediaStore
    // without verifying if the device is in an unlocked state.
    Cursor c = resolver.query(objectsURI, PROJECTION, ID_WHERE, arg, ...);
    // ... (remaining query arguments and cursor handling elided in the talk's simplified snippet)
}
```
By iterating through a range of file handles starting from 10,000,000, the attacker can systematically target files. The CVE-2024-24193 and CVE-2024-54096 entries detail how these logic vulnerabilities allow for unauthorized access. The researchers demonstrated this by reading images from a locked Pixel 8a, proving that the lock screen is not a sufficient barrier against a sophisticated USB-based adversary.
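As an added, hypothetical hardening (not AOSP's or any vendor's patch) of the two handle-driven paths described above, the following Java puts the lock-state check ahead of every MediaStore lookup and refuses to open a descriptor for a handle that does not resolve. It assumes the MTP objects live in the external MediaStore files table with `_id` and `_data` columns, which stand in for the page's objectsURI, PROJECTION and ID_WHERE.

```java
import android.app.KeyguardManager;
import android.content.Context;
import android.database.Cursor;
import android.net.Uri;
import android.provider.MediaStore;
import java.io.IOException;
import java.io.RandomAccessFile;
// Hypothetical hardening of the two handle-driven paths discussed above (added
// example, not AOSP or vendor code). The MediaStore query pieces are assumptions.
public final class MtpHandleGuard {
    public static final int MTP_RESPONSE_OK = 0x2001, MTP_RESPONSE_GENERAL_ERROR = 0x2002;
    public static final int MTP_RESPONSE_INVALID_OBJECT_HANDLE = 0x2009, MTP_RESPONSE_ACCESS_DENIED = 0x200F;
    private static final Uri OBJECTS_URI = MediaStore.Files.getContentUri("external");
    private static final String[] PROJECTION = { MediaStore.MediaColumns._ID, MediaStore.MediaColumns.DATA };
    private static final String ID_WHERE = MediaStore.MediaColumns._ID + "=?";
    private final Context ctx;
    public MtpHandleGuard(Context ctx) { this.ctx = ctx; }

    // Gate first, resolve second: while the keyguard is engaged the MediaStore is
    // never queried, and a handle that does not resolve is rejected before any file I/O.
    private int resolve(int handle, String[] outPath) {
        KeyguardManager km = (KeyguardManager) ctx.getSystemService(Context.KEYGUARD_SERVICE);
        if (km == null || km.isDeviceLocked()) return MTP_RESPONSE_ACCESS_DENIED;
        String[] args = { Integer.toString(handle) };
        try (Cursor c = ctx.getContentResolver().query(OBJECTS_URI, PROJECTION, ID_WHERE, args, null)) {
            if (c == null || !c.moveToFirst() || c.isNull(1)) return MTP_RESPONSE_INVALID_OBJECT_HANDLE;
            outPath[0] = c.getString(1);
            return MTP_RESPONSE_OK;
        }
    }

    // Same shape as the page's snippet, but the lock-state check runs before the lookup.
    public int getObjectFilePath(int handle, char[] outFilePath) {
        String[] path = new String[1]; int rc = resolve(handle, path);
        if (rc != MTP_RESPONSE_OK) return rc;
        if (path[0].length() >= outFilePath.length) return MTP_RESPONSE_GENERAL_ERROR;
        path[0].getChars(0, path[0].length(), outFilePath, 0);
        outFilePath[path[0].length()] = 0;  // NUL-terminate for the native layer
        return MTP_RESPONSE_OK;
    }

    // Truncation goes through the same gate and only opens a descriptor for a valid handle.
    public int truncateObject(int handle, long newSize) {
        String[] path = new String[1]; int rc = resolve(handle, path);
        if (rc != MTP_RESPONSE_OK) return rc;
        if (newSize < 0) return MTP_RESPONSE_GENERAL_ERROR;
        try (RandomAccessFile f = new RandomAccessFile(path[0], "rw")) {
            f.setLength(newSize); return MTP_RESPONSE_OK;
        } catch (IOException e) { return MTP_RESPONSE_GENERAL_ERROR; }
    }
}
```

The point of routing both methods through one `resolve` gate is that a crafted handle sequence arriving while the keyguard is engaged never reaches the MediaStore or a file descriptor, regardless of which MTP operation carries it.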
Real-World Implications for Pentesters
For those of us conducting physical security assessments or red team engagements, this research changes the threat model for mobile devices. If you have physical access to a target's device, you no longer need to brute-force a PIN or exploit a zero-day in the lock screen UI. You only need a malicious USB-C device capable of emulating the necessary PD and MTP handshake.
During an engagement, you should treat the USB-C port as a high-risk entry point. If a client has a "no-charging-in-public" policy, this research provides the technical justification for it. When testing, focus on the OWASP Mobile Application Security Testing Guide for guidance on identifying broken access control in hardware interfaces. If you are performing a bug bounty, look for vendor-specific implementations of the MTP stack, as these often contain the most egregious logic errors.
Defensive Considerations
Defending against this class of attack is difficult because it targets the fundamental design of USB-C. While vendors like Apple and Google have introduced "Lockdown" or "Restricted" modes to disable USB data communication when the device is locked, these features are not always enabled by default, and as seen with CVE-2025-29200, they are not immune to bypasses.
The most effective defense remains the simplest: do not connect your device to untrusted hardware. If you must use a public charging station, use a "USB condom" or a data-blocking adapter that physically disconnects the data pins. For organizations, enforcing the use of managed, secure charging infrastructure is the only way to mitigate the risk of state-machine manipulation.
Security researchers should continue to audit the USB stacks of major mobile vendors. The complexity of these protocols ensures that logic flaws will persist for years to come. If you are looking for your next project, start by fuzzing the MTP message handlers on your test devices. You might be surprised at what you find when you stop treating the USB port as a black box and start treating it as a network interface.