> On Twitter, the Denver FBI office (via CNBC) said that public charging stations in hotels, airports, and shopping centers can be a malware attack vector.
Those might also qualify to some extent as "public USB port", although strange USB devices are obviously a well known security risk at this point (I hope).
What's going to be really interesting is the security of modern USB cables with their own chips that retailers blindly buy from foreign and otherwise unaccountable manufacturers and wholesalers.
The cables are pervasive and most people won't consider their charging or data cables to be attack vectors.
i don’t think this is true at all—i’ve seen many many many discussions here circling the dangers of charging on unknown devices. we’ve had numerous discussions on usb condoms. we’ve known this was a thing for years… we’ve had discussions on variations of this at defcon years before you could buy chipped cables from sites like hak5..
i’m not sure why you would imply “everyone” here ever denied this was a thing, but it just isn’t true.
in this day and age i wouldn't be surprised if there was an attack vector whereby the battery firmware was somehow overridden with some insane USB packets, which then propagated the malware from the powerbank to the phone
I use a power bank with standard electrical plugs at least partially for this reason. All a malicious receptacle can do is start a fire, which is relatively obvious.
Sometimes you’re lucky enough to even have cables fail in this way. I have a couple of cables that don’t work for data any more but do for charging, and I use this deliberately to power my Sony a6100 as a webcam—give it a USB cable with data, and it switches into a different mode (e.g. file transfer).
(Why do USB cables last so poorly? I’ve never had an A to Micro-B cable last even a quarter of the spec’s minimum rated lifetime (10,000 insertion/removal cycles) before the Micro-B connector is uselessly unreliable, whether cheap or expensive—quite apart from the just-as-frequent failures at the clip/cable junction, like the ones I’m talking of here.)
They made a better, nicely-boxed version called SyncStop[1], which I have happily used for many years. Sadly, it appears that they were a victim of the pandemic, as their last tweet was from just before it kicked in[2] and their Amazon listings have disappeared and websites 404.
But seriously, connecting to arbitrary USB ports is very stupid on the list of stupid things to be doing. Just don't and find a regular power socket or bring your own power bank/laptop to charge from.
I guess a safe workaround for many might be to carry around a wireless charger and plug that into the public port. Charge rate will be crap but in a pinch…
I've been carrying USB condoms in my travel kit for 10 years. Very useful in USB ports in rental cars; those things always try to download all your contacts into the car.
Just buy the cheapest cable from a gas station and try to connect a phone with your computer. There's no way to hack you if the Chinese manufacturer decided to skim $0.001 off production cost and use no data wires.
I've always mitigated the risks by bringing my own USB charging device that plugs into another USB port (i.e. a public USB -> power bank (charging) -> phone) or using a traditional outlet -> my own USB charger+cable -> phone. It's inefficient at times, but a lot safer.
> I've always mitigated the risks by bringing my own USB charging device that plugs into another USB port (i.e. a public USB -> power bank (charging) -> phone) or using a traditional outlet -> my own USB charger+cable -> phone. It's inefficient at times, but a lot safer.
I might be the exception here, but IMHO it is pretty patronizing how non-technical people are expected to keep up with the digital security landscape. Instead of building devices in a way that, of all things, charging them cannot hack them, we expect everybody to know that this is even a thing.
What are even the chances of this security "strategy" being successful?
I'd like to suggest a mental exercise here: Just imagine that every discipline (mechanical, medical, legal, electrical, ...) comes up with new rules to follow every month that interfere with everyday tasks that you have to perform (such as handling your bank account), but you only know about these rules when you actively research them and if you break a single rule, you are in danger of your possessions being taken away from you.
> building devices in a way that, of all things, charging them cannot hack them
Affordability, convenience, security. Choose two.
It's not patronizing, it's how the consumer electronics market works and how consumers vote with their wallet.
Consumer devices are sold with USB cables that pass data and power lines for cost and convenience, so they can also transfer data while also charging their device with the same cable that came in the box and not have them go out and buy another cable.
Can you imagine being sold a phone whose cable only passed power lines and not data, "for your own security"? The consumer confusion and outrage would be massive.
If your threat model seama it, the solution is buying a USB condom which only passes through the power lines, not the data ones.
Just like the internet and TCP-IP, USB was designed from the start to be as cheap and convenient as possible, before anything else, to get market traction, which it did. Security concerns came much later.
Why can't the device being charged provide an option, such as charge only by default - and the user can turn on data transfer the same way we turn flight mode on and off?
Android allows that in settings. But AFAIK it's just a software setting, the data lines are still physically connected.
The reason why there's no physical hard disconnect available in settings comes back to what I said earlier, cost and convenience from the manufacturers' perspective.
They don't want to spend 2 cents on some mosfets for HW disconnects, and they don't want to nag the user every time they plug in the phone to charge as that would hurt the UX. They want the device to sync up automagically to whatever device you're plugging it into. That's what USB was designed for, convenience.
Plus, if you nag the user every single time they plug in the USB with a security prompt, they will just get desensitized and instinctively click 'YES' all the time.
Funny you mention that when literally all flagship phones (both iOS and Android) have a "Do you trust this computer?" popup that does exactly what you described. By default, phones don't do any data transfer over USB.
That only works if other endpoint tries to act as usb host. While if it mimics usb device (classic BadUSB), then AFAIK any phone would accept without any questions.
It can act like a keyboard and mouse that are valid input devices on phones too. With control of user input badusb device can download and install malware on the phone.
Now we're just talking in circles. What exactly can a malicious USB device do to a phone? On Windows it can press Win+R, but there's no equivalent on mobile.
Which keystrokes are you talking about and on which OS does that attack work? I can't think of anything that would work on my iPhone.
Open chrome (swipe up with virtual mouse, type chrome, click first entry), focus on address bar, input url of malicious apk, download it, open, confirm installation from unknown source.
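Added example, not part of any comment in the thread: the exchange above turns on whether a "charger" can present itself as a USB device such as a keyboard. The sketch below walks a USB configuration descriptor and flags any interface that a power-only port or cable should never expose; the `SAMPLE` bytes are constructed for illustration and the function names are hypothetical.

```python
import struct

DT_CONFIG, DT_INTERFACE = 0x02, 0x04
USB_CLASS_HID = 0x03                         # USB-IF base class: Human Interface Device
HID_PROTOCOLS = {1: "keyboard", 2: "mouse"}  # bInterfaceProtocol for boot devices

# Constructed sample: a "charger" that enumerates as keyboard + mass storage.
SAMPLE = bytes.fromhex(
    "090239000201008032"    # configuration, wTotalLength=57, 2 interfaces
    "090400000103010100"    # interface 0: class 0x03 HID, boot keyboard
    "092111010001223f00"    # HID class descriptor
    "0705810308000a"        # interrupt IN endpoint
    "090401000208065000"    # interface 1: class 0x08 mass storage
    "07058202400000"        # bulk IN endpoint
    "07050202400000"        # bulk OUT endpoint
)

def parse_interfaces(blob: bytes) -> list:
    """Walk a configuration descriptor and return its interface descriptors."""
    if len(blob) < 9 or blob[1] != DT_CONFIG:
        raise ValueError("not a configuration descriptor")
    total = struct.unpack_from("<H", blob, 2)[0]
    if total > len(blob):
        raise ValueError("truncated: wTotalLength exceeds captured data")
    interfaces, off = [], 0
    while off + 2 <= total:
        length, dtype = blob[off], blob[off + 1]
        if length < 2 or off + length > total:
            raise ValueError(f"malformed descriptor at offset {off}")
        if dtype == DT_INTERFACE and length >= 9:
            num, _alt, _eps, cls, _sub, proto = struct.unpack_from("<6B", blob, off + 2)
            interfaces.append({"number": num, "class": cls, "protocol": proto})
        off += length  # other descriptor types (endpoint, HID) are skipped by length
    return interfaces

def audit_power_only(blob: bytes) -> list:
    """Findings for something that is expected to supply power and nothing else."""
    findings = []
    for itf in parse_interfaces(blob):
        if itf["class"] == USB_CLASS_HID:
            kind = HID_PROTOCOLS.get(itf["protocol"], "other")
            findings.append(f"interface {itf['number']}: HID {kind}, can inject input")
        else:
            findings.append(f"interface {itf['number']}: data class 0x{itf['class']:02x}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_power_only(SAMPLE)))
```

A port or cable that only supplies power never enumerates, so any finding at all means the data lines are live.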
> Can you imagine being sold a phone whose cable only passed power lines and not data, "for your security"? The consumer confusion and outrage would be massive.
I can imagine a phone sold with a readily accessible and highly visible physical toggle switch for power-only mode, giving consumers a discoverable built-in USB condom.
You can imagine it. But can you imagine Apple, the "everything works automagically that we don't even give you basic setting in the SW" company, actually selling something like that to consumers? It would be a heresy to everything they stand for in terms of UX and physical device design.
The toggle on and off switch would be very unApplely, yes. That does not mean you have to stop thinking, it means you need industrial designers on board.
USB-condoms are a thing you know; average (and below) users know exactly what those do and can figure out how to use them in a few seconds. I bet if Apple's genius marketeers would come up with a catchy name (like the i-Safe, but cooler) those would easily sell at 3,000% the production cost. But they never will because they tarnish the brand, and make the users think their devices are not safe by default.
But then, if the devices are indeed not safe by default... are we talking about criminal charges here? Would it be fraud, or what is the name of the crime where you knowingly sell hazardous stuff to the public?
I'd like to extend my thought experiment with professionals from all disciplines explaining why this is not patronizing at all and why it is exactly what consumers want.
> Transparent casing and zero electronic components inside so you can be sure the blocker itself is secure .. Since the pure data blocker has a zero-chip design principle, it doesn’t have the SmartCharge chip featured in our 3rd Gen design. This means charging speed may be slower with some combinations of device and charger. The blocker is not compatible with extra fast charging technologies such as ‘Qualcomm Quick Charge’ or ‘Samsung adaptive fast charge’ as these require data transfer to be enabled. Public USB chargers do not support these standards either so your device will charge as normal.
I honestly don't see public USB ports going anywhere now. It was a big fad to put them in new infrastructure and it seems to be now fading, existing ports not maintained and damaged. Naked USB can't keep up with tech advances, as port shape and port specs. And they are not universal, you can't connect your lamp, or laptop in it. Regular power sockets won.