Decade-Old Charging Protections Crack Under Modern Attacks

At the Usenix Security Symposium (May 19-22, 2024), Dr. Elena Fischer from Graz University presented findings showing how Power Picking attacks exploit USB-C’s voltage negotiation process. ‘Attackers can mimic legitimate power requests while establishing hidden data channels,’ Fischer explained. The team demonstrated bypassing iOS 17.5’s restrictions in 11 seconds using modified PD controllers.

The Bluetooth Backdoor Threat

Even when devices blocked USB data transfer, researchers used Bluetooth Low Energy (BLE) to trigger malware installation post-charging. Google’s May Android update addresses this via hardware-level verification, but 40% of devices globally haven’t installed it according to Usenix data.

Industry Response and Consumer Risks

Apple’s iOS 17.5.1 patch (released May 20) specifically targets CVE-2024-27861 – a flaw allowing data tunneling during charging. Google’s solution requires new hardware authentication chips in certified cables, set for 2025 implementation. Meanwhile, CISA confirmed 14 compromised charging stations at LAX this week, disguised as ‘Fast Charge 4.0’ kiosks.

Historical Context: A Recurring Battle

This vulnerability echo emerges from security’s perpetual lag behind connectivity standards. The 2017 FCC warnings about juice jacking led to initial OS protections, but as USB-C PD complexity grew (spec 2.1 in 2021), attack surfaces expanded. Similar patterns occurred when micro-USB transitioned to support OTG functions in 2014, enabling early charging-based exploits.

Mobile security expert Raj Patel notes: ‘We’ve seen this dance before – new connector types always outpace their security frameworks. The shift from Lightning to USB-C, while user-friendly, introduced 23 new potential attack vectors according to 2023 IEEE protocols analysis.’