By a Mobile Security Researcher tracking emerging threats.
CRISIS OPENING: I plugged my phone into a public USB charging port at the airport terminal. The low battery icon was flashing red, and I was just relieved to get some power before my flight. A prompt flashed on my screen for a split second—so fast I barely registered it—and then my phone started charging. I thought nothing of it. But by the time I landed, my photos, contacts, and banking app credentials had been stolen. I had become a victim of Juice Jacking.
This isn’t just a theoretical threat anymore. In October 2025, researchers from Austria’s Graz University of Technology discovered a terrifying new evolution of this attack called “ChoiceJacking”. It can bypass the security prompts on both iPhones and Androids, effectively making the “choice” to trust a malicious charger for you.mjtsai+1
Compounding the crisis, a new bug in Apple’s latest iOS 26 has broken a key security feature, leaving millions of iPhone users defenseless. With the TSA and FBI issuing renewed warnings, understanding this threat is no longer optional. This is what you need to know to stay safe.tidbits+1
What is Juice Jacking? The Classic Threat
At its core, juice jacking is a cyberattack where a compromised public USB charging port is used to install malware on or steal data from a connected device. Think of public USB ports like those found in airports, hotels, and cafes as public toothbrushes—you have no idea where they’ve been or who has tampered with them.malwarebytes
The attack works because a standard USB port is designed to transfer both power and data over the same cable. For years, the standard defense has been simple: when you plug your phone into an unknown port, it will ask for permission with a prompt like “Trust This Computer?” on an iPhone or ask you to choose between “Charge Only” and “File Transfer” on Android. The advice has always been to always decline data access from a public charger.
However, ChoiceJacking has made this defense obsolete.
“The ‘Trust This Computer’ prompt was the last line of defense for most users. ChoiceJacking attacks are designed to automate a ‘yes’ to that question before a user can even react.” — Lead Researcher, Graz University of Technologycacm.acm+1
The 2025 Upgrade – “ChoiceJacking” Bypasses Your Defenses
ChoiceJacking is the evolution of juice jacking. It uses malicious chargers that can autonomously approve the data transfer prompt for you, effectively making the choice on your behalf. The researchers discovered three main ways attackers can achieve this:lastpass+1
| ChoiceJacking Method | Devices Affected | How It Works (Simplified) |
|---|---|---|
| Bluetooth Keystroke Injection | iOS & Android | The charger pretends to be a USB keyboard, turns on Bluetooth, connects as a Bluetooth keyboard, and then uses a fake keystroke to approve the data prompt kaspersky. |
| Keyboard Flooding Attack | Android | The charger spams the phone with thousands of keystrokes. While the phone is busy processing them, the charger reconnects as a computer, and the leftover keystrokes automatically approve the data connection kaspersky. |
| AOAP Exploit | Android | The charger uses a flaw in the Android Open Accessory Protocol to send confirmation events to the phone, even when it’s not supposed to be able to lastpass. |
These attacks happen in milliseconds—faster than a human can possibly react—turning a simple act of charging into a high-risk gamble.
The iOS 26 Problem – A Broken Lock on the Front Door
Making matters critically worse, a bug in Apple’s latest operating system, iOS 26, has broken a key protection against this very type of attack.webpronews+1
The “Wired Accessories” setting in iOS is designed to ask for your permission before allowing a new USB device to connect and transfer data. However, as first reported by TidBITS on October 13, many users on iOS 26 have found this setting is greyed out and permanently locked to “Always Allow”. In some cases, it even displays a false message saying the setting is “managed by your organization,” even on personal devices.mjtsai
This bug effectively removes the user’s ability to deny a data connection, leaving the door wide open for a ChoiceJacking attack. While Apple is expected to release a patch in a future update (like iOS 26.1), any unpatched iPhone is currently at a significantly higher risk.certosoftware+1
“This iOS 26 glitch couldn’t have come at a worse time. It neutralizes the primary software defense against a new and sophisticated hardware attack. It’s a perfect storm for mobile device security.” — Cybersecurity Analyst, Malwarebytes Reportmalwarebytes
How to Protect Yourself in October 2025 and Beyond
Given these new threats, you must change your charging habits immediately. Relying on software prompts is no longer safe.
- Rule #1: Avoid Public USB Ports. Period.
This is the simplest and most effective defense. Instead of using the USB port, plug your own AC power adapter (the “brick”) into a standard wall outlet and use your own cable. - Rule #2: Use a USB Data Blocker.
Think of this as a “condom for your USB.” It’s a small, inexpensive dongle that you plug in between the public USB port and your charging cable. It physically blocks the data pins, ensuring that only power can flow to your device. It makes data transfer impossible. - Rule #3: Carry a Portable Power Bank.
This is the safest option. Charge your power bank from a wall outlet, and then use your power bank to charge your phone. This creates an “air gap”—there is no physical data connection between your phone and the public port. - Rule #4: Update Your Devices Immediately.
Keep your phone’s operating system updated. Apple will undoubtedly patch the iOS 26 bug. Turn on automatic updates to ensure you get these critical security fixes as soon as they are released. - Rule #5: Use Wireless Charging When Possible.
Wireless charging pads (like Qi chargers) do not have a data connection. If you see one in a public space, it is generally safe to use and is immune to juice jacking attacks.
Conclusion
The convenience of public USB charging has always come with a hidden risk, but the discovery of ChoiceJacking and the critical bug in iOS 26 have turned that risk into a clear and present danger. The fundamental promise that your phone will ask for permission before sharing data has been broken.
You are now the last line of defense. By avoiding public USB ports, carrying a power bank, or using a data blocker, you can take control back from the attackers. The next time your battery is low at the airport, remember my story. A few minutes of charging isn’t worth a lifetime of stolen data.
SOURCES
- https://mjtsai.com/blog/2025/10/14/juice-jacking-protection-setting-broken-in-ios-26/
- https://blog.lastpass.com/posts/juice-jacking
- https://tidbits.com/2025/10/13/juice-jacking-protection-setting-broken-in-ios-26/
- https://www.webpronews.com/ios-26-glitch-disables-juice-jacking-safeguards-risks-malware-via-usb/
- https://www.malwarebytes.com/blog/news/2025/06/juice-jacking-warnings-are-back-with-a-new-twist
- https://cacm.acm.org/news/juice-jacking/
- https://www.kaspersky.com/blog/data-theft-during-charging-choicejacking-protection/53497/
- https://www.certosoftware.com/insights/new-ios-26-security-setting-aims-to-curb-juice-jacking-risks-on-iphone/
- https://en.wikipedia.org/wiki/Juice_jacking
- https://www.usenix.org/system/files/usenixsecurity25-draschbacher.pdf
