New Cyber Attack Exposes Security Flaws in iOS and Android Devices

2025-04-28 wireless

United States, Monday, 28 April 2025.
The ChoiceJacking attack reveals persistent vulnerabilities in mobile devices, bypassing long-standing security measures and enabling data theft through malicious chargers.

Historical Context and Discovery

The vulnerability’s roots trace back to 2012, when Apple and Google implemented protective measures requiring user confirmation before allowing data access through charging ports [1]. However, researchers at Austria’s Graz University of Technology have recently uncovered a critical flaw in these defenses: the fundamental assumption behind them does not hold [1][3]. Platform developers had assumed that an attacker could not inject input events while establishing a data connection; the researchers showed that attackers can [3].

Technical Implementation of the Attack

In the ChoiceJacking attack, the malicious charger initially masquerades as a USB keyboard, then uses USB Power Delivery to change roles and act as a USB host [1]. This technique has proven successful against devices from eight different manufacturers, including the top six by market share [1]. The attack takes approximately 25-30 seconds to establish unauthorized access, and the charger keeps read and write access to the device’s files for the duration of the connection [1].
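
Detection logic for the sequence described above, added here as an example and not taken from the researchers or any vendor: it flags a single cable session in which the port peer first enumerates as a keyboard, then becomes USB host through a Power Delivery role swap, then receives data access. The event names, the 60-second window and the sample timelines are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Hypothetical event kinds for one USB-C port; a real platform would map its
# own USB / Power Delivery telemetry onto these names.
ATTACH, DETACH = "attach", "detach"
HID_KEYBOARD = "peer_enumerated_as_hid_keyboard"
PD_ROLE_SWAP = "pd_data_role_swap_peer_now_host"
DATA_GRANTED = "data_access_granted"

@dataclass
class Event:
    t: float   # seconds since the log started
    kind: str

def find_choicejacking_pattern(events, window_s=60.0):
    """Return (t_keyboard, t_grant) pairs where, inside one cable session,
    the peer was a keyboard, then swapped to host, then got data access."""
    hits = []
    kbd_t = None     # when the peer was seen as a keyboard in this session
    swapped = False  # peer became USB host after having been a keyboard
    for ev in sorted(events, key=lambda e: e.t):
        if ev.kind in (ATTACH, DETACH):
            kbd_t, swapped = None, False   # new physical session: reset state
        elif ev.kind == HID_KEYBOARD:
            kbd_t, swapped = ev.t, False
        elif ev.kind == PD_ROLE_SWAP and kbd_t is not None:
            swapped = True
        elif ev.kind == DATA_GRANTED:
            # Only the keyboard -> host -> grant order within the window counts.
            if swapped and ev.t - kbd_t <= window_s:
                hits.append((kbd_t, ev.t))
            kbd_t, swapped = None, False
    return hits

# Constructed timelines (not captured from real devices).
SUSPICIOUS = [Event(0.0, ATTACH), Event(2.0, HID_KEYBOARD),
              Event(9.0, PD_ROLE_SWAP), Event(27.0, DATA_GRANTED),
              Event(300.0, DETACH)]
LAPTOP_SYNC = [Event(0.0, ATTACH), Event(5.0, DATA_GRANTED)]
PLAIN_KEYBOARD = [Event(0.0, ATTACH), Event(1.0, HID_KEYBOARD),
                  Event(500.0, DETACH)]
TWO_SESSIONS = [Event(0.0, ATTACH), Event(1.0, HID_KEYBOARD),
                Event(3.0, PD_ROLE_SWAP), Event(10.0, DETACH),
                Event(20.0, ATTACH), Event(25.0, DATA_GRANTED)]

if __name__ == "__main__":
    for name in ("SUSPICIOUS", "LAPTOP_SYNC", "PLAIN_KEYBOARD", "TWO_SESSIONS"):
        print(name, find_choicejacking_pattern(globals()[name]))
```

An ordinary keyboard, an ordinary host connection, and a keyboard followed by a separate host session after re-plugging are all left unflagged; only the combined sequence in one session is reported.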

Industry Response and Mitigation Efforts

Major technology companies were alerted to these vulnerabilities in mid-2024 [3]. Apple has responded by incorporating additional authentication prompts in iOS 17.5, though further security measures are still pending for iOS 18 [3]. The vulnerabilities have been formally documented under multiple CVE identifiers, including CVE-2025-24193 for Apple and CVE-2024-43085 for Google [1]. Several manufacturers, including Xiaomi, Huawei, Vivo, and Honor, are currently developing solutions to address these security concerns [3].

Broader Security Implications

This discovery comes amid growing concerns about mobile device security, particularly in sensitive sectors. Recent data shows that mobile devices contribute to nearly 70% of healthcare data breaches [4], highlighting the broader implications of such vulnerabilities. While security experts note there are no documented cases of ChoiceJacking attacks in the wild [1], the potential for exploitation remains a significant concern for cybersecurity professionals and device manufacturers alike.

Sources

  1. arstechnica.com
  2. intotomorrow.com
  3. www.security.nl
  4. symmetrium.io