Serious security flaw discovered in public USB charging stations allows hackers to control devices
Security experts have recently discovered a serious vulnerability that lets hackers use public USB charging stations loaded with malware to take control of devices.
Although today's smartphones are equipped with protection mechanisms to prevent unauthorized access via USB ports, such as notifications asking users to confirm before allowing data transfer on iOS and Android, that is still not enough to prevent new threats.

One of these threats is an attack in which hackers use charging stations they control to install malware, steal data or gain access to devices when users plug in to charge.
Cybersecurity experts have recently discovered a flaw in this protection system that is serious enough to turn any charging session into a potential security risk.
A new way to attack phones via USB port: Users are completely unaware
According to a report from technology news site Ars Technica, security experts have just warned about a new attack technique called "choice jacking", which allows hackers to easily bypass authentication layers and gain access to smartphones without users realizing it.
Specifically, the attacker installs a rogue device inside the charging station that presents itself as a USB keyboard when a phone is connected. Next, the attacker takes advantage of the USB charging mechanism to perform a technical operation that allows the charging device to initiate a Bluetooth connection.
Once this connection is established, the rogue device can trigger a file transfer request pop-up and “tap” the confirmation itself, acting as a Bluetooth keyboard.
That way, the operating system's protections, which are designed to keep out foreign peripherals, are effectively bypassed. In a worst-case scenario, hackers could access all of the phone's personal data, including files, photos, contacts, and account information.
The method was tested by researchers at the Graz University of Technology in Austria on a variety of phone models from major manufacturers, including Samsung and Apple – the world’s largest smartphone sellers. The results showed that all devices allowed data transfer via USB if the phone screen was unlocked.
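The sequence described above (a USB keyboard appears, a Bluetooth keyboard connects shortly after, and the data-transfer prompt is confirmed by that keyboard rather than by touch) can be written as a correlation rule. This is an added example, not code from the researchers or any vendor; the event names, fields and the 30-second window are assumptions made for illustration.

```python
# Constructed events; the event names and fields are assumptions for this
# example, not a real Android or iOS log format.
ATTACK = [
    {"t": 0.0, "type": "usb_attach", "device_class": "hid_keyboard"},
    {"t": 1.2, "type": "bt_connect", "profile": "hid_keyboard"},
    {"t": 2.0, "type": "usb_data_prompt", "action": "shown"},
    {"t": 2.3, "type": "usb_data_prompt", "action": "accepted", "input": "bt_keyboard"},
]
BENIGN = [  # user plugs into their own laptop and taps the prompt
    {"t": 0.0, "type": "usb_attach", "device_class": "host"},
    {"t": 1.0, "type": "usb_data_prompt", "action": "shown"},
    {"t": 4.5, "type": "usb_data_prompt", "action": "accepted", "input": "touch"},
]
WINDOW_SECONDS = 30.0  # assumed correlation window


def detect_choice_jacking(events, window=WINDOW_SECONDS):
    """Flag: a USB keyboard attaches, a Bluetooth keyboard connects soon after,
    and a data-transfer prompt is then accepted through that keyboard."""
    alerts = []
    usb_at = bt_at = None
    for ev in sorted(events, key=lambda e: e["t"]):
        kind, t = ev["type"], ev["t"]
        if kind == "usb_attach":
            # A new cable session resets the chain.
            usb_at = t if ev.get("device_class") == "hid_keyboard" else None
            bt_at = None
        elif kind == "usb_detach":
            usb_at = bt_at = None
        elif kind == "bt_connect" and ev.get("profile") == "hid_keyboard":
            # Only count Bluetooth keyboards that appear after the USB one.
            if usb_at is not None and t - usb_at <= window:
                bt_at = t
        elif kind == "usb_data_prompt" and ev.get("action") == "accepted":
            by_keyboard = ev.get("input") == "bt_keyboard"
            if bt_at is not None and by_keyboard and t - usb_at <= window:
                alerts.append({"usb_keyboard_at": usb_at, "bt_keyboard_at": bt_at,
                               "accepted_at": t, "input": ev["input"]})
    return alerts


if __name__ == "__main__":
    for name, stream in (("attack", ATTACK), ("benign", BENIGN)):
        print(name, detect_choice_jacking(stream))
```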
Most devices are still "open" to hackers: No radical solution yet
Although smartphone manufacturers are aware of the risks posed by “choice jacking” attacks, most devices on the market today do not come with strong enough protection mechanisms.
Only a few, like Apple and Google, have implemented measures that require users to enter a PIN or password before allowing trusted devices to be added and data transfers to be enabled.

However, most other manufacturers have yet to adopt similar protections, leaving devices vulnerable to hackers if they are connected to a fake charging station.
Even more worrying is the risk if your phone has USB debugging enabled, a setting often used during app development. With Android Debug Bridge (ADB), the command-line tool provided by Google for communication between a computer and an Android device, hackers can exploit this connection to install malicious apps, run arbitrary scripts, and even gain access to the system with higher privileges than usual.
How to protect yourself from attacks via public USB charging stations?
The simplest and most effective way to avoid falling victim to hacker attacks is to completely avoid using public USB charging stations, especially in crowded places like airports, shopping malls, train stations or hotels.
These locations are easy targets for hackers to install fake devices into the charging system. Instead, you should:
- Bring your own power bank when traveling or on the move for long periods. This is the safest and most convenient way to keep your device charged without relying on an external charging source.
- Use your own charger and cable to plug into a regular power outlet instead of a public USB port.
- Carry a “USB data blocker”, a small device that plugs into the USB cable and completely blocks data transmission while charging, allowing only power through.
- Make sure your phone is always updated with the latest security patches from the manufacturer. Many vulnerabilities are fixed through operating system updates.
- Turn off USB Debugging in developer options unless you really need it. This will reduce the risk of your device being remotely controlled via tools like ADB.
- Do not accept any requests that pop up suddenly, such as requests to “trust the device”, transfer files, or connect to Bluetooth while plugged in, especially if you are not sure of the origin of the charging station.