The first article, “ChoiceJacking: всего 25 секунд на зарядке — и любой смартфон раскроет свои секреты” (ChoiceJacking: just 25 seconds on charge — and any smartphone will reveal its secrets), details a newly discovered vulnerability affecting mobile devices during USB charging. The second article, “Порнография под замком, а ключ — у Большого Брата: как забота о детях приводит к слежке за взрослыми” (Pornography under lock and key, and the key is with Big Brother: how concern for children leads to surveillance of adults), discusses the implications of age verification laws on online privacy and censorship.
ChoiceJacking
Intent: The clear intent of the ChoiceJacking article is to inform the public and the cybersecurity community about a significant security flaw in the USB trust architecture of mobile devices, highlighting the potential for malicious exploitation through compromised charging stations. It aims to raise awareness about this new threat and the limitations of existing security measures.
Targets: The primary targets of the ChoiceJacking vulnerability are users of mobile devices, specifically smartphones and potentially tablets, from a wide range of manufacturers, including Apple and makers of Android devices, with the exception of a specific Vivo model. Devices with USB debugging enabled are particularly vulnerable. The attack itself targets the device’s operating system and its handling of USB connections and user input prompts.
Maliciousness: The nature of ChoiceJacking is inherently malicious. It describes an attack vector that allows unauthorized access to a mobile device’s data and potentially enables code execution without the user’s knowledge or explicit consent. This bypasses established security protocols designed to protect user privacy and data integrity during device charging.
Lethality: The attack is not physically lethal, but in a cybersecurity context its lethality is high in terms of data compromise and potential for further system intrusion. A successful ChoiceJacking attack can lead to significant privacy violations, including the theft of sensitive files, installation of malware, and complete control over the compromised device, depending on the level of access gained (especially with USB debugging enabled).
Capabilities and Functions: The ChoiceJacking attack leverages a vulnerability in the USB protocol’s trust architecture. Its core capabilities and functions include:
- Masquerading a malicious charger as both a peripheral device (like a keyboard) and a host device.
- Injecting commands into the connected mobile device, such as enabling Bluetooth, opening settings, and accepting pairing requests.
- Bypassing on-screen prompts for data access by simulating user interaction, potentially through a separate connection like Bluetooth.
- Initiating data transfer requests from the malicious charger acting as a host.
- Exploiting specific protocols like the Android Open Accessory Protocol or overwhelming the Android input dispatcher in some attack variants.
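
The capabilities listed above leave a recognizable sequence on the phone side: the cable partner shows up as an input device, consent is given by something other than a physical touch, and the same partner then asks for data as a host. The following detection example is added here and does not come from either article; the `Event` record, the event names and the sample sessions are constructed assumptions, not a real Android or iOS API.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    t: float     # seconds since the cable was attached
    kind: str    # hypothetical event name (assumption, not a real OS API)
    source: str  # "usb", "bluetooth" or "touchscreen"

def assess_session(events):
    """Return the sorted findings for one charging session."""
    findings = set()
    hid_seen = False           # cable partner enumerated as an input device
    paired_in_session = False  # Bluetooth pairing accepted by non-touch input
    for e in sorted(events, key=lambda ev: ev.t):
        if e.kind == "hid_attach" and e.source == "usb":
            hid_seen = True
        elif e.kind == "bt_pair_accepted" and e.source != "touchscreen":
            paired_in_session = True
            findings.add("bluetooth pairing accepted by injected input")
        elif e.kind == "data_request" and e.source == "usb" and hid_seen:
            findings.add("cable partner acted as input device and as host")
        elif e.kind == "data_prompt_accepted" and e.source != "touchscreen":
            findings.add("data-access prompt accepted without a physical touch")
            if e.source == "bluetooth" and paired_in_session:
                findings.add("consent came from a device paired this session")
    return sorted(findings)

# Constructed sample sessions (not captured from a real device).
LAPTOP_SYNC = [
    Event(0.5, "data_request", "usb"),
    Event(4.0, "data_prompt_accepted", "touchscreen"),
]
SUSPECT_CHARGER = [
    Event(1.0, "hid_attach", "usb"),
    Event(8.0, "bt_pair_accepted", "usb"),
    Event(12.0, "data_request", "usb"),
    Event(13.0, "data_prompt_accepted", "bluetooth"),
]

if __name__ == "__main__":
    for name, session in (("laptop", LAPTOP_SYNC), ("charger", SUSPECT_CHARGER)):
        print(name, assess_session(session))
```

A session in which the user taps the prompt while connected to a laptop yields no findings; the rules only fire when consent or pairing arrives from a non-touchscreen source or when one cable partner takes both USB roles.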
