Mobile OSes currently require user interaction to approve USB host connections (like file transfers or debugging), but they trust input devices and accessories by default. ChoiceJacking exploits this gap by emulating input devices to automate the approval process.
Luckily, it is easy to mitigate this attack in case you are a high-risk user. Just disable connection of all USB gadgets in your system settings. (“Deny new USB gadgets” in the screenshot)
For ease of use, most phones come with the weakest setting as a default that allows all new USB gadgets (keyboards, mice, audio adapters, etc.) even if the device is locked.
I have it set to the medium setting (seen below), where as long as you don't plug it into an adversary's device while the phone is unlocked you are safe. With this setting you will have to only ever use your own charging devices that you know can be trusted. You should generally never connect your phone to any USB ports that you don't own. This should be common knowledge, but sadly it isn't. The only “downside” to this is that you have to unlock your phone before plugging in stuff like a USB to 3.5mm audio adapter.
This option can be found under Settings > Security & Privacy > More security & privacy > Restrict USB

What Android version is that screenshot from? I don’t see that option on Android 16.
Android 15
Did they seriously remove that on 16? Did you search for any similar terms in the settings? Maybe it's a developer option now. Google always does the dumbest shit man.
Yeah, searched around in the settings and in developer options for a bit and didn’t see anything that looked like it.
How does it behave for you then? Does it accept new devices while locked?
Looks like there is a new system: https://www.youtube.com/watch?v=w-cgDR4ORvY
If you can't fully disable all USB devices then that's a problem tho, because it would only protect you if the device is locked.
They also seem to be bundling this new Advanced Protection Mode with bad features like the disabling of non-Google app sources and AI call transcription to do “scam detection”.
https://techwiser.com/android-16-is-coming-6-new-security-features-to-keep-you-safe/

Don’t have a USB device to plug into it at the moment; I’m traveling. I’ll check when I get home in a week and change though
GrapheneOS prevents this.
Unless it’s a 0-day or not patchable in software.
data-only USB cables work with all smartphones




