Watch Your Phone: Novel USB-Based File Access Attacks Against Mobile Devices
Description
Researchers from Graz University of Technology present novel USB-based attacks that bypass lock screens and user confirmation prompts on modern Android and iOS devices. The talk details 'choice-jacking' techniques using malicious chargers and exploits in the Android USB stack to achieve unauthorized file access.
Watch Your Phone: Bypassing Mobile USB Security via Choice-Jacking and Stack Exploits
Introduction
For years, the security community has warned against 'juice jacking'—the risk of using public USB charging stations that might secretly steal your data. In response, mobile operating system developers implemented robust mitigations: mandatory lock screens, encrypted storage, and user confirmation prompts that appear the moment a data-capable host is detected. These defenses led many to believe that the era of simple USB data theft was over.
However, new research from Florian Draschbacher and Lukas Maar of Graz University of Technology reveals that these protections are not as infallible as we hoped. By exploiting conceptual flaws in the USB trust model and implementation bugs in the Android USB stack, attackers can still gain full file access. This post dives into their 'choice-jacking' techniques and a clever state-machine exploit that bypasses the Android lock screen, proving that your phone's USB port remains a high-risk interface.
Background: The Evolution of USB Security
Traditionally, when you connect a phone to a computer, it uses the Media Transfer Protocol (MTP) to share files. To prevent a malicious charger from acting as a secret computer, Android and iOS require the user to manually 'Allow' the connection. Furthermore, modern devices utilize File-Based Encryption (FBE). While a device is locked but has been unlocked at least once since boot (After First Unlock or AFU mode), the encryption keys reside in memory, making the files technically accessible if the OS can be tricked into serving them.
Technical Deep Dive: The Art of Choice-Jacking
Bypassing User Consent with AOAP and Bluetooth
The researchers' first breakthrough is a technique they call 'Choice-Jacking.' The core idea is that a malicious charger doesn't just wait for a connection; it proactively manipulates the user interface to accept its own requests.
The Attack Flow:
- Wait for Unlock: Users frequently check their phones while charging. The charger waits for the device to enter an unlocked state.
- Trigger the Prompt: The charger (acting as a USB Host) initiates an MTP connection, which triggers the 'Allow access to phone data?' prompt on the screen.
- Inject Input: Almost simultaneously, the charger uses a secondary hidden interface to click the 'Allow' button. This is achieved via:
  - Bluetooth: A hidden Bluetooth HID (Human Interface Device) module inside the charger that pairs and sends a 'click' event.
  - AOAP (Android Open Accessory Protocol): Exploiting a flaw where accessory mode can inject input events even while the MTP prompt is active.
In demos on Samsung devices, this process happens so quickly (milliseconds) that the user only sees a brief flicker on the screen, if anything at all.
Exploiting the USBManager State Machine
The most impressive part of the research involves bypassing the lock screen on a Google Pixel 8 without any user interaction. This vulnerability lies in how the USBManager handles timeouts during role transitions.
The Timeout Exploit:
- Accessory Mode Request: The attacker sends a specific USB control request to put the phone into 'Accessory Mode'.
- The Delay Tactic: Normally, the phone expects the host to re-enumerate the device immediately. The attacker intentionally fails to re-enumerate.
- The State Reset: Inside the Android source code, a timeoutHandler is registered for 3 seconds. When the attacker-induced delay hits this limit, the USBManager attempts to recover by resetting the USB functions to their default state.
- The 7-Second Window: If the user has 'File Transfer' set as their default USB configuration in Developer Options, the system switches to MTP. Crucially, during this specific recovery transition, the OS fails to check the lock screen status. This opens a 7-second window where the attacker has full MTP access to the file system. By repeating this cycle, an attacker can scrape the entire device.
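The recovery path described above, as an added model that is not Android's USBManager source and not the researchers' code: a small Python state machine with the post's 3-second accessory timeout and a flag that decides whether the timeout recovery path consults the lock state before switching to the configured default function. The class, method and state names are assumptions made for this illustration; only the timeout value, the 'File Transfer' default and the missing lock check come from the post.

```python
"""Simplified model of a USB role-transition state machine whose timeout
recovery path either honours or ignores the lock screen.

Added illustration, not Android's USBManager code.  Class, method and state
names are assumptions; the 3-second timeout, the 'File Transfer' default and
the missing lock-state check on recovery are the facts the post reports."""

ACCESSORY_TIMEOUT_S = 3.0  # the post's 3-second re-enumeration timeout


class UsbPortModel:
    """Tracks the gadget function currently exposed over the USB port."""

    def __init__(self, default_function: str, check_lock_on_recovery: bool):
        # 'mtp' models 'File Transfer' chosen as default in Developer Options.
        self.default_function = default_function
        self.check_lock_on_recovery = check_lock_on_recovery
        self.locked = True               # device is AFU-locked: keys in RAM
        self.function = "charging"       # safe state: no data function
        self.pending_accessory_since = None

    def user_selected_function(self, function: str) -> bool:
        """Normal path: a function change requires an unlocked device."""
        if self.locked:
            return False
        self.function = function
        return True

    def request_accessory_mode(self, now: float) -> None:
        """Host asked for accessory mode; we now wait for re-enumeration."""
        self.function = "accessory"
        self.pending_accessory_since = now

    def host_reenumerated(self) -> None:
        """The well-behaved host completes the switch; timeout is cancelled."""
        self.pending_accessory_since = None

    def tick(self, now: float) -> None:
        """Periodic timer: fires the recovery path once the timeout elapses."""
        if self.pending_accessory_since is None:
            return
        if now - self.pending_accessory_since >= ACCESSORY_TIMEOUT_S:
            self.pending_accessory_since = None
            self._recover_default_function()

    def _recover_default_function(self) -> None:
        # Vulnerable variant: reverts to the configured default unconditionally.
        # Hardened variant: a locked device falls back to charge-only.
        if self.check_lock_on_recovery and self.locked:
            self.function = "charging"
        else:
            self.function = self.default_function

    def file_access_possible(self) -> bool:
        return self.function == "mtp"


def locked_file_access_after_timeout(check_lock_on_recovery: bool) -> bool:
    """Runs the timeout scenario against a locked device with 'File Transfer'
    as default; returns True if MTP became reachable while still locked."""
    port = UsbPortModel("mtp", check_lock_on_recovery)
    port.request_accessory_mode(now=0.0)  # host requests accessory mode ...
    port.tick(now=1.0)                    # ... and never re-enumerates
    before_timeout = port.file_access_possible()
    port.tick(now=3.5)                    # timeout expires, recovery runs
    return port.locked and not before_timeout and port.file_access_possible()


if __name__ == "__main__":
    print("unchecked recovery exposes MTP while locked:",
          locked_file_access_after_timeout(check_lock_on_recovery=False))
    print("checked recovery exposes MTP while locked:",
          locked_file_access_after_timeout(check_lock_on_recovery=True))
```

The point the model makes is that the lock check lives on the user-driven path (user_selected_function) but not on the timer-driven one; any transition that can land on a data-capable function, however it is reached, has to be gated by the same authentication state.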
Implementation Flaws: Truncating Files on Huawei
The researchers also highlighted vendor-specific flaws. On certain Huawei devices, the MTP implementation included custom lookup logic for file handles. They discovered that by targeting handles above 10 million, they could bypass the hasStorage() sanity check. While they couldn't read every file, they could send 'do truncate object' commands to delete the contents of user images and documents—all while the device remained locked.
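The pattern behind the Huawei finding, as an added model that is not Huawei's MTP implementation and not the researchers' code: a handle lookup where the hasStorage() sanity check sits on the ordinary path only, beside a hardened version that performs the check before any lookup. The 10-million threshold comes from the post; the store class, the way large handles are mapped to objects and the function names are assumptions for this illustration.

```python
"""Simplified model of an MTP object-handle lookup where a sanity check is
applied on one code path but skipped on another.

Added illustration, not Huawei's MTP code.  The 10,000,000 threshold is from
the post; the store, the large-handle mapping and all names are assumptions."""

HIGH_HANDLE_THRESHOLD = 10_000_000  # handles above this took the custom path


class MtpStore:
    """Models the user's storage as seen by the MTP responder."""

    def __init__(self, storage_mounted: bool):
        # On a locked device the user storage is not exposed to MTP.
        self.storage_mounted = storage_mounted
        self.objects: dict[int, bytes] = {}   # handle -> file contents

    def has_storage(self) -> bool:
        return self.storage_mounted


def _resolve_handle(handle: int) -> int:
    # Assumed mapping: large handles alias the low-range objects.
    if handle >= HIGH_HANDLE_THRESHOLD:
        return handle - HIGH_HANDLE_THRESHOLD
    return handle


def truncate_object_vulnerable(store: MtpStore, handle: int) -> str:
    """Sanity check guards the regular path only."""
    if handle < HIGH_HANDLE_THRESHOLD:
        if not store.has_storage():
            return "denied"
        target = handle
    else:
        # Custom lookup for large handles: the hasStorage() check is missing.
        target = _resolve_handle(handle)
    if target not in store.objects:
        return "not_found"
    store.objects[target] = b""
    return "truncated"


def truncate_object_hardened(store: MtpStore, handle: int) -> str:
    """Sanity check runs before any handle resolution, on every path."""
    if not store.has_storage():
        return "denied"
    target = _resolve_handle(handle)
    if target not in store.objects:
        return "not_found"
    store.objects[target] = b""
    return "truncated"


def locked_device_outcome(truncate) -> tuple[str, bytes]:
    """Applies a large-handle truncate to a locked (unmounted) store and
    reports the result code and what is left of the constructed file."""
    store = MtpStore(storage_mounted=False)
    store.objects[7] = b"constructed sample photo bytes"
    result = truncate(store, HIGH_HANDLE_THRESHOLD + 7)
    return result, store.objects[7]


if __name__ == "__main__":
    print("vulnerable:", locked_device_outcome(truncate_object_vulnerable))
    print("hardened:  ", locked_device_outcome(truncate_object_hardened))
```

The hardened version is shorter than the vulnerable one, which is the usual shape of this fix: the authorisation check belongs at the single entry point of the command handler, not inside one branch of the handle-resolution logic.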
Mitigation & Defense
The vulnerabilities discovered have led to significant changes in mobile OS security:
- OS Updates: Android 15 and iOS 18.4 have introduced stricter requirements for user authentication before any USB data transition occurs.
- Lockdown Modes: Users are encouraged to use 'Lockdown Mode' (Android) or 'Restricted Mode' (iOS), which disables the USB data pins entirely when the device is locked.
- BFU vs AFU: To ensure maximum security, if you suspect your device has been tampered with, reboot it. Files are much harder to access in the 'Before First Unlock' (BFU) state because the encryption keys have not yet been loaded into RAM.
Conclusion
The work of Draschbacher and Maar serves as a stark reminder that physical interfaces are difficult to secure perfectly. Even with encryption and prompts, the complexity of the USB stack provides a fertile ground for state-machine exploits and input injection. To stay safe, the advice remains classic but reinforced: be wary of where you plug in, use 'power-only' USB cables (data blockers) in public, and always keep your device software up to date. Watch your phone—because the port you use to charge it might be the door an attacker uses to strip it.
AI Summary
This presentation by Florian Draschbacher and Lukas Maar explores the evolving landscape of USB-based attacks on mobile devices, specifically targeting the security mechanisms designed to prevent unauthorized data extraction. The researchers categorize their findings into two main attack scenarios: the malicious charger (juice jacking 2.0) and physical access to a locked device.

In the first scenario, they introduce 'choice-jacking.' Historical mitigations for malicious chargers involved user confirmation prompts and requiring the device to be unlocked. However, the researchers discovered that by combining USB Power Delivery (PD) data role swaps with hidden Bluetooth input devices or the Android Open Accessory Protocol (AOAP), an attacker-controlled charger can autonomously click the 'Allow' button on MTP (Media Transfer Protocol) prompts. For instance, on iOS and Android, a charger can wait for the user to unlock the phone naturally, trigger an MTP request, and then instantly inject a hidden input event to accept the connection. A live demo on a Samsung device showed the confirmation dialog flickering for only a fraction of a second before file access was granted.

The second scenario focuses on physical access to locked devices. The researchers exploited implementation flaws in how vendors handle MTP. On Huawei devices, they found a specific vulnerability in the MTP database logic where file handles above 10 million were processed without checking if the storage was properly mounted or the device unlocked. By sending a 'do truncate object' MTP message, they could effectively wipe user data from a locked phone. More critically, they demonstrated a sophisticated bypass on Google Pixel devices running Android 14 and 15. This attack exploits a state machine flaw in the 'USBManager' system component. By sending a control request to switch to 'Accessory Mode' and then intentionally delaying the USB re-enumeration process, they trigger a 3-second timeout. When this timeout expires, the system reverts the USB function to a default state. If the user has configured 'File Transfer' as their default USB mode in developer settings, the device reverts to full MTP mode while still locked. This creates a 7-second window of full file access, which can be repeated indefinitely to extract the entire disk content.

The researchers conclude by noting that while Google and Apple have issued patches (notably in iOS 18.4 and recent Android security bulletins), the fragmented nature of Android means many third-party vendors remain vulnerable. They recommend users avoid public charging infrastructure, use their own power banks, and shut down devices entirely (entering BFU mode) if they must use untrusted ports, as file-based encryption provides the best defense when the device is powered off.