Elyse Betters Picaro (with graphic elements from Ameythyststudio, Aleriimingirov, and Romansa design art via Canva) / ZDNET
Giving your phone some extra juice via a public charging station is always a handy option, but it may not be a safe one. As described in a new report from NordVPN, cybercriminals can now turn to a trick called choicejacking, in which they’re able to transfer data from your phone to a device disguised as a charger.
What is choicejacking?
With this new method, a malicious device that looks like an innocent charging station or port manipulates different functions on your phone. In doing so, your phone is tricked into connecting to the device via data transfer mode without your input or permission. Once that connection is made, the criminal’s device can access and steal your photos, documents, contacts, and other personal files.
Also: 7 ways to lock down your phone’s security – before it’s too late
“Choicejacking is particularly dangerous because it manipulates a device into making decisions users never intended — all without them realizing it,” Adrianus Warmenhoven, a cybersecurity advisor at NordVPN, said in the report. “Whether it’s granting access to data or downloading malware, these attacks exploit the trust we place in everyday interactions with our smartphones.”
Advanced upgrade to juicejacking
Choicejacking is actually a more advanced upgrade to the older practice of juicejacking. With juicejacking, hackers install software on charging stations at airports and other public spots that can then automatically scoop up data from your connected phone. In certain cases, your phone may lock down, preventing you from stopping the transfer before it’s too late.
Also: Traveling this summer? Consider this before using airport Wi-Fi and charging ports
Juicejacking first popped up way back in 2011. But in a win for the good guys, mobile OS developers cooked up a way to stop this threat. Let’s say a smartphone connects to a charging station. If the station indicates that it supports Media Transfer Protocol (MTP) or Picture Transfer Protocol (PTP) for data transfers, that means it’s likely a hacker’s device impersonating a charging station. In that case, the user is asked whether they want to allow a data transfer or just charge the phone.
But in the latest twist, researchers from Graz University of Technology in Austria found a way to bypass the OS-level protections against juicejacking. Malicious devices can now impersonate USB or Bluetooth input devices to enable a data transfer mode. Affecting Android and sometimes iOS devices, this tactic can use such technical methods as keystroke injection, input buffer overflows, and protocol abuse to complete a data transfer in as few as 133 milliseconds.
Also: The best power banks you can buy in 2025: Expert tested and reviewed
“Choicejacking represents a dangerous evolution in public charging threats,” Warmenhoven added. “With a single deceptive prompt, attackers can trick people into enabling data transfer, potentially exposing personal files and other sensitive data. Public USB ports should never be treated as safe, and awareness is the first line of defense.”
How to prevent your phone from being choicejacked
NordVPN offers the following tips:
- Make sure your phone is updated with the latest OS version and security patches.
- Prevent your phone’s battery charge from falling below 10% to avoid having to recharge it in a public place.
- Instead of using a public charging port, carry a portable power bank or external battery to juice up your phone.
- Rather than use USB ports on public charging stations in hotels and airports, carry your own USB adapter and cable and use a standard AC outlet.
- If possible, keep your phone in “charge only” mode to avoid any unwanted data transfers.
Also: Every iPhone owner should use MagSafe – I can’t live without these 7 favorite accessories
Get the morning’s top stories in your inbox each day with our Tech Today newsletter.
