It really surprised me when this article blew up on Twitter as I thought it was common knowledge to never use public chargers and avoid untrusted USB anything after “BadUSB”. It showed me how I live in a tech security bubble, a good reminder.
Many people, including many people on this site (and, yes, including myself) wouldn't think twice about plugging into an available port if they need a charge. Maybe I don't plug into an unlabeled port in some random location where it doesn't look like it belongs, but honestly I wouldn't think twice about charging at a designated area at a conference.
(Though, yeah, I'd avoid a lot of "normal" activities if I ever attended BlackHat.)
I've had booths on cyber security trade fairs hand out USB flash drives as prizes for spinning a wheel, with no awareness how that might seem odd. I guess people would be reluctant to accept them at BlackHat, but everywhere else people are very trusting towards USB stuff.
I take free USB drives any day. I always test them on the pc that belongs to the coworker that nobody likes first though ;)
In all seriousness though - 128GB USB 3.0 drives can be picked up for $10 on sale all day long. Absolutely no reason to trust some $0.25 random 4GB that a stranger gave you aside from running R-Studio on it for fun or something.
I once worked at a place where the security team had a USB stick delivered to all the desktops with some digital brochure about not trusting strangers or some such. Not the cyber security team, but still.
We send staged phishing emails internally to see who takes the bait.
Leaving USB sticks lying around with some sort of callback to see who plugs them in is a really clever idea. We could probably catch the serial number range in Defender ATP.
> Many people, including many people on this site (and, yes, including myself) wouldn't think twice about plugging into an available port if they need a charge. Maybe I don't plug into an unlabeled port in some random location where it doesn't look like it belongs, but honestly I wouldn't think twice about charging at a designated area at a conference.
If you're already committed to carrying Yet Another Accessory, then why not just carry a small portable charging battery. Some models are not much larger than that USB connector, and could charge the phone more than sitting babysitting a charging phone for an hour.
Yeah, I normally carry bigger portable batteries but I've got a bunch of small ones that I've typically been given by vendors which are probably good for at least getting a phone off life support.
Yes, I was in the hospital waiting room recently and they had a charging station with each type of available cable.
I charged my phone, fully aware of these sorts of issues. I just went with my gut instinct that, in that environment, it's highly unlikely that the cables have been "trojanized".
The FBI can warn about it, but what can you really do? You just have to trust your judgement as to what you feel are safe charging stations, and which may not be.
Android asks me if I want to allow a device access. This probably prevents attacks against the upper layer protocols. Is the risk vector here the USB stack itself?
I think it's possible to disable the USB 'protocol' in Linux, but it would require advanced permissions on Android, which probably doesn't work out of the box; with iOS, who knows or cares.
This is a joke, but it could actually be a thing. An isolator that you can use to protect your device while using those unknown ports. I would call it an isolator though, or firewall, not what you called it.
Also, a USB-C condom is available now. It was an issue since USB-C uses data lines to negotiate voltage, and I was tracking the need for it in my problem validation for a while now [1].
I'm not completely sure; I read on Reddit that the USB-C condom has some form of proxy circuit to negotiate voltage. I hope someone with better knowledge of this can explain it better.
You can even make a type of them yourself with rudimentary equipment, by cutting the data lines and connecting/not cutting the power lines. I believe you will lose the ability to negotiate faster charging, and I don't know if USB-C will work at all, but it still works otherwise.
So far, web standards don’t support online supply of direct (constant) current or alternating (sine wave) current; they can only provide imaginary (square root of stealing your) current.
So you can’t trust any site for power.
—-
Although teleporting power Via quantum entanglement has been demonstrated as possible given a line of communication.
So crazily, “power over data” may happen one day.
Perhaps, we can all look forward to hackers draining our last 1% of battery power as a reward for not using end-to-end power encryption.
I still get the occasional popup that gets past AdGuard on my phone and tries to add spam to my calendar on my iPhone but it’s definitely a lot better than it used to be. I got one a few months ago that had instructions on installing a custom management profile, now that cracked me up.
If you've spent any time on here you know that no one actually clicks the links to read the article. Users need only trust the pages with an orange header.
I mean the upstream comment is basically saying don't trust clicking any links on the Internet--even on a site that presumably weeds out really dodgy stuff quickly. Indeed, not using the Internet is a solid, if rather extreme, security process to follow.
The thing about Reddit is that it has greater "discoverability" through search, profiles and algorithmic "hot" pages, so communities like that inevitably become swamped with low quality posts. There's a few niche subs that just degenerated into posting photos of purchases that arrived in the mail today instead of actually discussing the use of the tools.
To be fair I also didn't know for a long time that HDMI is not a trustworthy port and can be used to spread malware [0]. And I'm usually not thinking about that when plugging my laptop to a projector.
Maybe with USB you could get away by using a cable without data pins, but I'm not sure whether that may influence charging speed given USB-C is pretty flexible.
USB defaults to 5V if there is no negotiation, and it is said that many devices will draw 1A under these circumstances (even though technically the spec says they should expect less); it's the standard low speed charging that you'd get plugging your device into a dollar store charger.
Perhaps here on HN. Most people will plug their smartphone into any accepting receptacle: trains, airplanes, NYC SmartLink, or they ask the bartender if they can plug it in behind the bar.
I still carry a DIY Altoids charger that takes a 9V battery (pulled down to proper volts for iPhone). In a battery emergency, my phone is simply on life support and I don't have to look for outlets that might also include a zero-day.
I try to always travel with a “USB data condom”. The one I have is called a “PortaPow”, and it’s red. It was about $10 on Amazon and it’s a great investment for scenarios where I _reasonably_ trust a power-only USB port not to have been tampered with, like the built in ports on aircraft.
Build condoms into the devices themselves via a next USB spec requiring a hardware switch to choose power-only / power+data and these kind of issues could disappear. Apple might hate it though. Then again, capacitive hardware switches could be ok.
> _reasonably_ trust a power-only USB ... like the built in ports on aircraft.
I'm with you, this might fall under "safe". Then again, from threads posted here and elsewhere, and through personal investigation...the infotainment systems on airplanes are an absolute disaster with regards to security and software design. They're often part of the same system as the provided USB ports. While the risk is small, there's nothing stopping 1 person from running a script that exploits some flaw in the outdated Linux distro the airline is using to manage their in-flight entertainment.
There's also a chance I'm paranoid and spend too much time here, but I'm gonna stick with my Altoids.
The one I have is designed to allow you to visually inspect the connector terminals. So at least regarding my (USB-A) ones, I can confirm only the power lanes exist.
I probably would have guessed that software vulnerabilities were rare for just plugging your smartphone into a USB port (without some additional user approval on the device). Obviously a port could probably be easily configured to just fry your jack/device but that’s not a big part of my threat model anyway.
You would have guessed wrong. Most devices, especially multi-vendor android devices, have exploitable subsystems which never touch the UI visible OS layer.
I lately had trouble convincing some non-tech acquaintances that IoT "cloud-enabled" cameras all over their house (including bedroom) as anti-break-in measure are a bad idea as those devices or the storage in some chinese cloud could be hacked. They ridiculed this as "far fetched".
I'll never be able to bring up this risk with USB to those guys.
Getting a phone with a large enough battery (>5000mAh) is good opsec. I have a 10000 mAh battery in my phone, and I only need to charge about twice a week.
I'm seeing a lot of hysteria in response to this random tweet by the Denver FBI's social media person.
Do we know of a single real-world use of this hypothetical exploit? Do we know that iOS's (and presumably Android's) protection against untrusted device access isn't enough?
Can you elaborate on this? What kind of phone? Android or iOS? Fully patched? What kind of infection? How did you discover it? How did you get rid of it?
There have been many jailbreaks available that only required plugging the phone in and running some program on the other end of the cable. There's been jailbreaks where all you needed to do was visit a website... Apple's security isn't as bullet-proof as some make it out to be.
So, is it plausible a malicious charging station could gain root and sideload something nefarious on an iPhone? Absolutely. Particularly for non-tech-savvy folks desperate to get a charge before their connecting flight...
Has it happened? ...No idea. I guess that's where the anecdotes come in...
My point was that the person who made the comment stated that they had an iPhone; the person I'm replying to went on to ask them if they had iOS or Android.
It’s been many years since I rooted (or even owned) an android phone but is there really no interaction from the user required beyond plugging it in? On iOS there’s a pop up asking if you want to trust the computer, and that’s after you’ve unlocked the screen
For a non-techy, the hurdles you just described are an annoyance in the way of getting a quick charge - not obvious security issues. After all, this charging station is operated by the amusement park/airport/conference/whatever... if it asks you to approve it why not?
And yes, in the past many iOS jailbreaks were shockingly simple. The website one in particular - you went to a URL and clicked a button... your phone rebooted and was jailbroken.
Your non-tech-savvy folks will pound through nearly any popup if they are desperate to get a charge before their connecting flight, for instance.
The popup really should be a toggle somewhere in the settings that forces a user to explicitly enable data - not a popup users are mostly self-trained into ignoring.
Additionally, real charging stations should not offer cables with data lines at all.
It just doesn't seem like a plausible hack when you take in all the circumstances that have to line up correctly:
1. The station has to be using USB Ports / Charging cables that are data enabled, not just cables that carry power
2. The hacker would need some way of injecting the malware into the charging station ports without being seen, I doubt many charging stations are internet connected so you would have to be at the device.
3. You need to have an active exploit for iOS or Android (or both) that will compromise the device and steal its data.
It just seems like a lot of work for something that in all likelihood would not work.
None of these are necessary, except half of #2. All you'd need is a "middleman" device that is subtle enough to avoid notice by the person plugging in, just like how credit card skimmers work.
> 1. The station has to be using USB Ports / Charging cables that are data enabled, not just cables that carry power
Doesn't matter, because you're (unwittingly) plugging into the attacker's device, not the station's.
> 2. The hacker would need some way of injecting the malware into the charging station ports without being seen, I doubt many charging stations are internet connected so you would have to be at the device.
You don't need to "inject" anything; you just need to physically place it between the user and the actual port and disguise it enough that people not paying attention won't notice. Or even just put a fake "charging station" in a place that the station didn't have one.
> 3. You need to have an active exploit for iOS or Android (or both) that will compromise the device and steal its data.
People are plugging in their phone so they can use it. They'll plug in the phone, unlock it, and browse the internet. What can't you do in that situation?
I don't have an iOS device to test, but just found a video [1] showing someone connecting a USB keyboard and immediately using it with no prompts. Same on Android.
Even better, here's [2] a direct example of this attack using an O.MG cable [3].
Android allows you to select the 'USB mode' between charging, MTP/PTP media transfer, debugging (if enabled), and filesystem.
If not an exploit, you need the victim to do something a lot more obviously (though the absolute obviousness of course remains debatable) dumb/risky than merely plug in.
“This fast charge station requires accessories access to your device for high speed charging”
Anyone who would believe a notice like that (or would click trust without thinking) is a prime target.
It’s like many scam/spam emails- they often intentionally look a bit dubious, poor grammar, typos etc as the attacker just wants to deal with low hanging fruit, not someone who may wise up quickly that something isn’t right.
I'm confused about #1. If I have a power adapter plugged into the wall, and a USB cable from that power adapter to my phone, how exactly could my phone be compromised?
The scenario was talking about a power bank where you plug a USB cable into, not where you plug your own power adapter into. Lots of people, myself included, don’t carry power adapters or even charging cables on them on a day-to-day basis.
Using your own power adapter and own power cable you will be fine.
Unless someone has tampered with either of them while you were distracted momentarily but that’s too high risk/inconvenient for an attacker for you to worry about.
More practically, you visit a place that has public chargers, you study them and create a compromised clone, and then you swap out the real one. Like card skimmers.
We do know of shady companies that sell "own this phone" USB devices to governments, but AFAIK they only sell to governments and the details aren't available to the public.
I have never heard about a non-government sponsored attacker doing that kind of thing. Whether this is relevant to you or not is a matter of your threat model. If I were a journalist, I would be very wary. Personally, I don't plug my phone into random outlets and don't plug random devices into my computers, but it's clearly an overreaction.
Heh, if I'm remembering right, a couple of years ago there was a public charging station at DEFCON that was sponsored by the NSA. I did not plug my phone into it :D
Usually the risk for something like this is that there's some unexploited bug in the USB stack or the OS. Which, from what I know from writing software, I don't trust shit.
I think the risk is insanely low for your average person because you'd have to use an unpatched bug on a well-supported system, you'd have to bug a USB port in a popular place, and you'd need a reason to do all that.
But at the same time, this is well in the wheelhouse and capability of some bored teen with a lot of time who wants to screw with people FWIW. You could also have fun and write a worm that infects everyone that connects to your USB port and have it DDoS a website or something. The first worms were created by bored people.
Wouldn't this be considered the same attack? Users would connect the cable, unlock their phone, and then would need to explicitly "Trust" the external device attempting to connect to their phone via USB.
I suppose the difference is that people may be using the cable to connect to a device where that prompt is expected, in contrast to the "charging port in an airport" scenario where it would seem appropriately alarming.
Most devices are charge-only by default, most users have USB debugging disabled, and those who know how to enable it, won't allow the adb server to connect to the phone (you have to explicitly give it permission).
I believe the assertion is "just because you don't know ow how to do it doesn't mean it can't be done."
It turns out several generations of USB controllers did "undefined" things when presented with "undefined" behavior on the data pins. Sometimes "undefined" was "just doesn't work", sometimes it was "put data in physical memory, bypassing the MMU and its data protection features."
I've never seen it myself, but I worry someone out there has figured out how to do the same thing over the power lines.
> I believe the assertion is "just because you don't know ow how to do it doesn't mean it can't be done."
Okay, but tell me how it can be done if you want me to take the threat seriously. You could also say “always store your phone in a sound-isolating container because attackers can hack your phone with ultrasonics.”
> Okay, but tell me how it can be done if you want me to take the threat seriously.
That is not a precautionary attitude. I don't know how a candle left unattended in the middle of my granite counter island could light anything on fire, there aren't any drapes near it, but I'm not going to leave it unattended so I can find out.
I don't know how this is done, but not everything USB connected is assumed to be a charger. For example the 2FA hardware tokens aren't assumed to be chargers by default. So I imagine this might be done by faking a different device.
The malicious charger can pretend to be keyboard, mouse and screen, and just remote control the phone. Or just a keyboard, if you want an easier implementation. At least Android phones are completely usable this way, with universal keyboard/mouse support and widespread USB-C display support. Without any confirmation steps.
If a keyboard is the attack vector, what I don't get is: why not suggest people lock their phones and charge them when they're locked? Or maybe even shut them down and charge them before booting. Is there any reason not to suggest those? It certainly seems more practical than telling people they're out of luck, unless there are other attack vectors - in which case, what are they?
Most people who use public charging ports are the same ones who want to use their phone while charging.
Physical security is also a consideration, I wouldn't really suggest that people leave their phones plugged into the wall in a public or semi-public place.
What is in the connector? While the only evil USB connectors I have seen are the big ones, putting evil in a Lightning or USB-C one should be more than possible.
Ask that of your average parent using an Android 6 from a decade ago, not being able to update because the manufacturer decided not to support their devices anymore after a year.
There is no such thing as an updateable Android, because something will always be outdated. Even lineageOS builds are using decades old kernels and kernel mods that have never been backported or upstreamed.
Android has a huge update problem. I'd probably bet that Stagefright or, say, the Pegasus zero-day for WhatsApp still works on a large percentage of devices even though it was leaked more than 5 years ago.
Hmm, if someone is using a phone from a decade ago, they will certainly be vulnerable to evil charging stations, as their battery will almost certainly be extremely tired (then again, phones that old were a lot easier to replace batteries in, so maybe there's some hope).
Anker batteries come in a zillion sizes, are cheap and are safe to plug into public chargers. With how hungry phones are these days, I don't know how people live without portable batteries.
It is almost impossible to drain my iPhone to 0 unless I am doing something really unhealthy, like staring at it for 10 hours. I take a charger with me on trips so I can charge over night, but otherwise.. it's literally not possible in my reasonable life to run my phone out of juice.
Back when I used Android, it was much more common that runaway apps would drain my phone in 2 hours. But now? Carrying an Anker battery would be lugging around a bunch of dead weight.
Especially if your phone isn't new and doesn't hold quite as much charge any longer. I've definitely ended up plugging my phone into a portable battery when traveling. But usually if I'm out and about and using GPS and camera a lot, I'll have some sort of small bag with me for water, snack, additional clothing, etc. anyway so easy to throw a battery and cable in.
If my phone is at risk of running out, I just take my wall charger, find a nice cafe to sit down in and plug in my charger whilst having some lunch. I've never had anyone complain at me about it, although I'm normally buying food and drinks so I'm not just leaching electricity.
Is it the same on sports watches? They seem to easily do 24h when doing GPS tracking. That is the popular models; there are watches that can track more than 100h (but they always have bigger batteries). This is impressive to me since I remember doing tracking back in 2005 and that meant using lots of batteries.
On phones I think the problem mainly is that the GPS needs to wake up an app that needs to handle the GPS data and then do some calculations. You can easily get data ten times a second; that is a lot of wake-ups from sleep, and probably draws lots of CPU.
Yes. same chips. I suspect you’re right - it’s not the GPS itself that’s the problem but waking up the main CPU to run whichever App has requested location data.
The phone’s not always using true GPS (reading satellites.) When it does, it uses more energy. In a difficult environment it scans for more satellites than usual, which uses even more energy.
Basically, the phone’s battery life depends on disabling hardware components, or running them in a low power mode, as much as possible.
I usually go a week between charging. But then again I use my phone for checking and sending messages, not for gaming or browsing the net or anything like that.
For my own needs, carrying a compact foldable GaN power brick like the Anker 511 (or 747, if carrying my laptop) has been sufficient. Sleeping MacBooks also work as extremely fancy extremely high capacity power banks if the need arises, which in the past has covered the odd case where I'm not near an AC outlet.
I'm curious, shouldn't the "charge only" mode, that's the default, when connecting usb stuff to Android phones, be enough to protect users? Is it really that difficult to implement a "don't read data pins, only charge" mode on a phone and not have vulnerabilities in it?
If it’s “just a reset” I still wouldn’t be too worried plugging into an otherwise normally placed public charger. It would obviously suck to have my device reset, especially when traveling, but of course a port could also just fry your device anyway.
If it's just a USB-initiated factory reset, that's much less worrying, just DoS not infiltration. Exploiting that at a busy airport would be a huge nuisance, but not a huge security risk. Just like wiring 110VAC into the USB wires would be a DoS...
USB is a very intelligent protocol, with a microcontroller on both ends. The controller has access to at least the driver's state, which is usually in the kernel and potentially has access to system memory.
How does your Android phone even know that data is an option to switch into when you plug it into a USB port? It has already negotiated itself to be a device on the USB bus. Your phone will probably show up in lsusb on Linux even in charging mode. (Mine does.) When you switch the phone to data mode, it changes its USB device profile, and becomes a more sophisticated attached device, from the host's perspective.
Many (most?) phones made in recent years can be USB hosts, too. This lets you connect a USB mouse and keyboard to a tablet, for example. That would open you up to all kinds of pretty simple but often quite effective attacks, like simulating a virtual keyboard and mouse and just manipulating the UI that way.
I don't know if any of these particular attacks are possible with Android right now, but many variations on these themes have been shown over the years on many platforms. USB wasn't really designed with adversarial peripherals in mind.
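The "what does the peer claim to be" question in the comment above is answered by the descriptors a USB device hands over during enumeration, which is what a protocol analyzer or a cautious host would look at before binding any driver. As an added example (not code from the thread or from any product mentioned in it), here is a Python parser for the device and configuration descriptors, with a policy that treats anything presenting an interface as unacceptable for a supposed power source, and labels the HID-keyboard and mass-storage cases because those are the BadUSB-style paths. The sample "charging hub" and its vendor/product ID 1234:5678 are constructed here.

```python
"""Classify what a USB peer claims to be, from its raw descriptors.

Added example, not code from the thread or from any product mentioned in it.
Input is what a host gets back from GET_DESCRIPTOR during enumeration (the same
bytes `lsusb -v` decodes or a USB capture shows).  The sample device below is
constructed here; its vendor/product ID 1234:5678 is made up."""
import struct

DT_DEVICE, DT_CONFIG, DT_INTERFACE, DT_ENDPOINT = 1, 2, 4, 5
CLASS_NAMES = {0x02: "CDC control", 0x03: "HID", 0x08: "mass storage",
               0x0A: "CDC data", 0xE0: "wireless controller", 0xFF: "vendor specific"}


def parse_device_descriptor(buf):
    """18-byte device descriptor (USB 2.0 spec, section 9.6.1)."""
    if len(buf) < 18 or buf[0] != 18 or buf[1] != DT_DEVICE:
        raise ValueError("not a device descriptor")
    f = struct.unpack_from("<BBHBBBBHHHBBBB", buf)
    return {"bcdUSB": f[2], "class": f[3], "idVendor": f[7],
            "idProduct": f[8], "num_configs": f[13]}


def parse_configuration(buf):
    """Walk a configuration descriptor and the interface/endpoint descriptors
    behind it.  Every descriptor starts with bLength, bDescriptorType, so
    class-specific ones (HID 0x21 etc.) are skipped by length; a bLength of 0
    or a descriptor running past wTotalLength is treated as malformed instead
    of looping or reading out of bounds."""
    if len(buf) < 9 or buf[0] != 9 or buf[1] != DT_CONFIG:
        raise ValueError("not a configuration descriptor")
    total = struct.unpack_from("<H", buf, 2)[0]
    if total > len(buf):
        raise ValueError(f"wTotalLength {total} exceeds the {len(buf)} bytes received")
    cfg = {"num_interfaces": buf[4], "max_power_ma": buf[8] * 2, "interfaces": []}
    off = buf[0]
    while off + 2 <= total:
        blen, btype = buf[off], buf[off + 1]
        if blen < 2 or off + blen > total:
            raise ValueError(f"malformed descriptor at offset {off}")
        if btype == DT_INTERFACE and blen >= 9:
            cfg["interfaces"].append({
                "number": buf[off + 2], "alt": buf[off + 3], "class": buf[off + 5],
                "subclass": buf[off + 6], "protocol": buf[off + 7], "endpoints": []})
        elif btype == DT_ENDPOINT and blen >= 7 and cfg["interfaces"]:
            addr, attrs = buf[off + 2], buf[off + 3]
            cfg["interfaces"][-1]["endpoints"].append({
                "addr": addr, "in": bool(addr & 0x80),
                "type": ("control", "isochronous", "bulk", "interrupt")[attrs & 3]})
        off += blen
    return cfg


def assess(device_desc, config_blob):
    """Policy for something that is supposed to be a power source: it should not
    enumerate at all, so every interface is a finding; HID and storage get a
    specific label because those are the BadUSB and autorun-style paths."""
    dev = parse_device_descriptor(device_desc)
    cfg = parse_configuration(config_blob)
    findings = []
    for itf in cfg["interfaces"]:
        c, s, p = itf["class"], itf["subclass"], itf["protocol"]
        tag = f"interface {itf['number']}"
        if c == 0x03:
            what = {(1, 1): "boot keyboard", (1, 2): "boot mouse"}.get((s, p), "HID")
            findings.append(f"{tag}: {what} (keystroke/pointer injection path)")
        elif c == 0x08:
            findings.append(f"{tag}: mass storage (can serve files to the host)")
        elif c in (0x02, 0x0A, 0xE0):
            findings.append(f"{tag}: {CLASS_NAMES[c]} (serial/network channel)")
        else:
            findings.append(f"{tag}: class 0x{c:02x} ({CLASS_NAMES.get(c, 'unknown')})")
    return {"vid_pid": f"{dev['idVendor']:04x}:{dev['idProduct']:04x}",
            "max_power_ma": cfg["max_power_ma"], "findings": findings,
            "verdict": "REJECT" if findings else "OK"}


def sample_badusb_descriptors():
    """Constructed sample: a 'charging hub' that is really a boot keyboard plus a
    mass-storage disk, the classic BadUSB shape.  A HID class descriptor is
    included so the parser's skip-by-length path is exercised."""
    dev = struct.pack("<BBHBBBBHHHBBBB", 18, DT_DEVICE, 0x0200, 0, 0, 0, 64,
                      0x1234, 0x5678, 0x0100, 1, 2, 3, 1)
    kbd = struct.pack("<BBBBBBBBB", 9, DT_INTERFACE, 0, 0, 1, 0x03, 1, 1, 0)
    hid = struct.pack("<BBHBBBH", 9, 0x21, 0x0111, 0, 1, 0x22, 63)
    kbd_ep = struct.pack("<BBBBHB", 7, DT_ENDPOINT, 0x81, 0x03, 8, 10)
    msc = struct.pack("<BBBBBBBBB", 9, DT_INTERFACE, 1, 0, 2, 0x08, 0x06, 0x50, 0)
    msc_eps = (struct.pack("<BBBBHB", 7, DT_ENDPOINT, 0x82, 0x02, 512, 0) +
               struct.pack("<BBBBHB", 7, DT_ENDPOINT, 0x02, 0x02, 512, 0))
    body = kbd + hid + kbd_ep + msc + msc_eps
    cfg = struct.pack("<BBHBBBBB", 9, DT_CONFIG, 9 + len(body), 2, 1, 0, 0x80, 250)
    return dev, cfg + body


if __name__ == "__main__":
    dev, cfg = sample_badusb_descriptors()
    result = assess(dev, cfg)
    print(result["vid_pid"], result["verdict"], f"{result['max_power_ma']} mA")
    for line in result["findings"]:
        print("  -", line)
```

The same walk works on the bytes from a USB capture or from `lsusb -v`; the one thing to keep in mind is that descriptors are attacker-controlled input, which is why the parser bounds every read by wTotalLength and refuses a zero bLength rather than trusting the lengths the peer sent.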
Maybe I'm stupid but what I gather from this is simply that this is a potential vector, not that it is currently an actual possibility. It's akin to saying using Bluetooth is dangerous because theoretically any data on my phone can be extracted through it, while neglecting the fact that the people building a phone OS are clearly aware of that and have built-in countermeasures.
BadUSB emulates a keyboard. So one would want to make sure that the phone was locked before hooking it up to a random charging port. Android exploit demo here:
Your phone can only figure out if it's connected to a known device (your car, your speaker, etc.) by asking the data pins. A charge-only mode would “break” usability of the USB port for most users.
Android 11 asks me if I want to charge only or also allow data transfer. Is it that we can't trust Android to not be hacked just by checking if data pins exist?
My phone asks me if I am connected to a trusted device and want to share data, asking me rather than asking the device if it is trusted seems to be an effective model.
It's not really. Suppose a nefarious group wants to get ahold of an executive's phone who always flies out of LAX or goes to a certain mall and uses a public charger. It would be smart to zero-day one of those and if a few extra people are exploited, maybe some bonus bank info.
This is typical hacker movie nonsense. In real life, if they want something from said executive they just kidnap him, threaten violence, and he gives them what they want instantly. Or just knock him out cold from behind, take his shit, and crack into it themselves.
I think it depends on what your goals are. If you want something that executive has and want to deal with the messiness of multiple other crimes, then sure, that'll work.
If you're just passively collecting data and hoping to land 'a' executive or someone else in business with access to power and/or money, or can be used to pivot to someone else, I think it'd be an effective tool.
It's worth noting that Stuxnet was very careful not to even reveal its capabilities if it happened to infect a non-target host. It was still a very targeted attack, and not "everyone had their bank accounts hacked" risk.
(It still infected untargeted PCs, and might have caused them to misbehave, but not intentionally. Stuxnet was designed for stealth, not for mass exploitation. You, the average PC owner, have very little to fear from such targeted attacks; you're not worth the 0days.)
It's a real shame that the USB standards creators didn't work harder on error-proofing and longevity.
If I were on the standards committee, I would have made every pin interchangeable - i.e. any pin can be gnd, any pin can be Vbus, any pin for data, etc. When plugged in, the device on the end would test every pin, and then decide which to use for data and which to use for power.
That way, when a cable gets a bit old and 3 out of 30 pins are shorted or dirty or otherwise bad, the cable works but simply delivers 90% of the power it used to.
The absolute cheapest cables could have just 2 pins, and would be slow and low power, but still fully 'working'.
This wouldn't have added much cost to most devices either - most devices have a dedicated IC for USB functionality, and that IC can deal with muxing signals and power. On devices which only take power, a simple array of diodes can take power from any pin. Data signals could be capacitively coupled, meaning the muxing could be done on a single chip without needing special high voltage silicon processes (the cost of a chip goes up a lot as soon as you want it to deal with high voltages on any pin).
I would imagine that leaving a charger plugged in to a public outlet is not as interesting as you have presented it to be.
Sure, you would be leaving evidence, but if your plan works, that evidence won't be sought out anyway.
If you sent a mysterious package, it wouldn't be strange or out-of-character for someone to investigate that package intentionally: which presents a significant attack surface for the discovery of your ruse.
Here's what you do without leaving obvious chargers dangling out of outlets. You don't need to even send a guy in a maintenance uniform out to the site, or tamper with installed equipment.
You're a decently high-capacity Chinese factory that makes custom USB outlets. You make a "special" line with a zero-day chip or firmware inline with a cable. The cable only needs to be a little fatter to accommodate some unobtrusive electronics. They are slid under the insulation and there is no dedicated PCB that may attract scrutiny.
You wait until the order comes in for the site(s) you wish to target, and you ship them off.
The countermove to this, of course, is that the installer does a fuzz test of the charging station with a few common devices, trying to tickle the bug, and also a protocol analyzer that will inspect the USB data stream for anything out of the ordinary.
My armchair quarterback mind says that the above security testing should be fairly effective if you are dealing with a low-level adversary. A state-sponsored one with sufficiently large enough state would not be hindered by puny countermeasures like that, and would be able to target more accurately.
Here's another countermeasure on the consumer level: optocoupling. This is good to mitigate voltage and amperage damage, even accidental or unintentional types. I suppose it would prevent charging too, but there's got to be something useful about it.
If, and that’s a big if, the victim was able to trace the infection back to a charging port, then have the time, resources, and capability to debug the chips.
That’s all assuming the bad port wouldn’t have been removed, and video might just show regular “maintenance.”
Yeah, it’s all above and beyond, but I think it’s in the realm of possibility for a high level target (see: stuxnet et al)
I've come to think that whatever eventually replaces USB should add some separation between power and data. Let's call it MSB (Multiversal Serial Bus). Maybe something like this.
MSB would define 2 connectors: a data connector and a power connector.
MSB would also specify that if you have both data and power connectors they should be physically laid out in data/power pairs and would define the spacing/positioning (e.g., the power connector should be parallel to the data connector 2 mm apart with the power connector above the data connector).
The idea behind the layout specification is that for applications that need both the power and data connectors you could make cables that include both, with the housing at the ends holding the two connectors fixed so they can treated as a unit when it comes to plugging into things.
The power port would include data lines, but they are just used for power negotiation.
The data port would include power, but just a fixed voltage and max current, comparable to pre-high power USB, so for low power peripherals you would just need to use a data port. I.e., for low power peripherals it is pretty much just like USB.
(Apart from very low level USB firmware stack attacks:)
That's a purely software issue, though, and actually easier to solve on phones (with built-in display+input) than on PCs (how to trust a keyboard/mouse without having keyboard/mouse to input approval with?).
I know, that's why I'm so annoyed! And Android is already half-way there; they've already acknowledged that I should be able to control how my phone interacts over USB with a PC, now all that's left is a proactive control that sets the mode for the USB port globally instead of asking my preference in reaction to a device being connected.
>and actually easier to solve on phones (with built-in display+input) than on PCs (how to trust a keyboard/mouse without having keyboard/mouse to input approval with?).
I feel like PCs are less of an issue; I'm not out with my PC at a coffee shop or bus station when suddenly I'm tempted to use the publicly available USB keyboard. At least to me phones and tablets seem like the problematic devices here since charging them (with a wire at least) necessitates connecting them via USB.
That's pretty much USB3-A isn't it? High speed data is separate from power and low speed data. You can have connectors with just one or the other.
Anyway, the world will be a worse place with just incremental incompatible tweaks to the so-called "universal" connectors so that they're never universal because of churn. Hopefully USB-C is the end of the line forever, whatever its flaws might be.
> But then your phone will have been with every port your battery pack has been with!
It's unclear to me what this means. I thought it works like this:
- Connect battery pack to USB port
- USB port tries to hack the battery pack, but it's too dumb, so the attempt goes nowhere. The charge flows nicely, though.
- Disconnect battery pack from USB port
- Connect device to battery pack
I don't use public chargers, and I use USB condoms for charging my devices even with chargers I own, because basically all the charging devices are made in untrustworthy supply chains. I thought this was common knowledge, and basically what everyone is doing. Wireless charging helps a lot with this, and I now prefer wireless charging whenever possible. The only devices I connect my devices to using USB are computers I control, and I don't cross-contaminate between computers (e.g. anything plugged into my work laptop will never be plugged into a personal system, and vice versa). This is just basic hardware op-sec with USB.
I have one of these. I like that I can look in it and see that it has no data pins
> Wireless
I know you meant charging, but for data, with some of the spy cables out there with embedded chips and wireless access, it's ironic that wireless is in some ways more secure.
The wireless charging port is a specialized one. That's why it's more secure. The wireless data transfer options vary from "it's broken, forget about it" to actually quite secure, but the charging isn't done through them.
When people decided to use USB for everything, well, they had to make USB support every use case.
Not all usb condoms show the connections. I got one from a well-known vendor at a conference. Seems like an easier attack vector to create and sell malware infested usb condoms…
The FBI investigates industrial cybercrime. They are more likely reporting on what they see in the wild. And it's probably coincidence if the other TLAs are using the techniques.
Some devices don't really operate this way; some of them just try to keep pulling current until they either see voltage start dropping significantly, or they meet the amount of current they need.
Also, you can just put the 'correct' data connections on the phone side (keeping data disconnected on the charger side) and pull up to 5V-3A, no problem assuming the charger can handle it.
The way USB high power charging works is that unless the charger and the device agree on high power the charger just charges at the older pre-high power USB rate. That's why you can plug ancient devices into a high power charger without worry that they will get fried.
The way the charger and the device agree on how much power the charger should supply involves the data lines.
Thus, if you simply drill out the data lines, leaving just the power lines as the person a few comments up suggested, a properly functioning high power charger will see your device as only supporting the original USB power spec.
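As an added illustration of the negotiation described in the last few comments (and of the "data blocker with the right connections on the phone side" idea raised earlier), here is a small simulation of how a device decides what it may draw from a classic USB-A charger. It follows the USB Battery Charging 1.2 detection logic: the device drives a small voltage onto D+ and checks whether it comes back on D-; a dedicated charger shorts the two lines, a plain data port does not, and a blocker that cuts the data lines looks like a plain data port. This is example code written for this thread, not anyone's product firmware; the port names, the chargers, and the 0.5 A / 1.5 A limits are assumptions for illustration (the limits are the spec's nominal values, not measurements).

```python
"""Simulated BC1.2-style charger detection and what a data blocker changes.

Constructed example: the chargers, names and thresholds below are illustrative.
"""
from dataclasses import dataclass

VDP_SRC = 0.6    # volts the device sources onto a data line (spec range 0.5-0.7 V)
VDAT_REF = 0.325  # detection threshold the device compares against (spec 0.25-0.4 V)


@dataclass
class Port:
    """Electrical behaviour of the D+/D- pair a charger exposes to the device."""
    name: str
    shorted: bool                  # D+ tied to D- with a low resistance (dedicated charger)
    pulls_dplus_low: bool = False  # a charging-capable host (CDP) sinks D+ in step 2
    connected: bool = True         # False: the data lines are physically absent

    def read_dminus_when_dplus_driven(self, volts):
        # Primary detection: D- only echoes D+ if the two lines are tied together.
        return volts if self.connected and self.shorted else 0.0

    def read_dplus_when_dminus_driven(self, volts):
        # Secondary detection: a dedicated charger echoes, a CDP actively pulls D+ low.
        if not self.connected or not self.shorted:
            return 0.0
        return 0.0 if self.pulls_dplus_low else volts


def detect(port):
    """Return (port_type, max_amps) the way the device would decide it."""
    if port.read_dminus_when_dplus_driven(VDP_SRC) <= VDAT_REF:
        # Standard downstream port, or nothing at all on the data lines:
        # the old USB 2.0 budget (0.5 A once configured).
        return ("SDP", 0.5)
    if port.read_dplus_when_dminus_driven(VDP_SRC) > VDAT_REF:
        return ("DCP", 1.5)   # dedicated charging port, no data at all
    return ("CDP", 1.5)       # charging downstream port: a host that also charges


def data_blocker(port, short_device_side=False):
    """Model a pass-through adapter that cuts D+/D- between charger and device.

    short_device_side=True models the variant that ties D+ and D- together on
    the device side only: the device then sees a dedicated charger, while no
    data line reaches the charger. Either way the charger's own D+/D- never
    reach the device.
    """
    if short_device_side:
        return Port(name=port.name + " via blocker (device-side short)", shorted=True)
    return Port(name=port.name + " via blocker", shorted=False, connected=False)


# Constructed example ports
WALL_WART = Port("dedicated wall charger", shorted=True)
LAPTOP_SDP = Port("laptop data port", shorted=False)
KIOSK_HOST = Port("public kiosk that is really a host", shorted=True, pulls_dplus_low=True)

if __name__ == "__main__":
    for p in (WALL_WART, LAPTOP_SDP, KIOSK_HOST,
              data_blocker(KIOSK_HOST),
              data_blocker(KIOSK_HOST, short_device_side=True)):
        print(f"{p.name:50s} -> {detect(p)}")
```

The two blocker variants show the trade-off the thread is circling: cutting the data lines outright drops every charger to the 0.5 A budget, while shorting D+/D- on the device side keeps the 1.5 A budget without ever exposing the device's data lines to the charger. Neither helps for USB-C Power Delivery, which negotiates over the separate CC pin rather than D+/D-.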
I suspect that those things you linked to are active USB devices. The USB port on the charge side has the data lines connected and uses them to negotiate high power from the charger. The USB port on the device side similarly has the data lines connected and uses them to negotiate high power with the device.
It protects the device because the data lines on the charger side are not connected to the data lines on the device side.
From what I’ve read, USB-A only had one pair of data pins and needed them to negotiate power delivery, but USB-C does not because it has a new configuration channel pin on each side (which is also used to negotiate modes for the many new data pairs, and detect being upside down).
A 24-pin “serial bus” might be getting a little crazy.
For the true paranoids, your battery bank also runs firmware...
But realistically, a battery bank seems like an even better solution than a dedicated "USB condom"; it'll even protect you from "USB killer" attacks that inject high voltage to the ports, by frying just the power bank not the real device.
It's more bulky than just a dedicated cable, though.
We badly need a DC electrical plug/jack standard that doesn't play double-duty as a data transmission standard. Innumerable small appliances and devices use DC power, solar panels make DC power, yet if you want to charge such devices you have to go through a DC->AC->DC conversion, or use USB which can evidently pwn your devices. What a sorry state of affairs.
We know (I think?) attackers can apparently easily introduce MitM skimmers to credit card swipers (I _think_ that's how my CC number keeps getting stolen?), possibly even without cooperation of the proprietor? Why not a little invisible injector on a charging port, that seems if anything easier.
Or is the skepticism around something else, I guess? Motivation? Lack of consistency over time of attack vectors around software injection via USB making it hard to commodify the attack? Like, there are only temporary zero days now and then which get patched, so this isn't a "cheap" thing to deploy on a wide scale?
[edit no idea why i'm getting downvoted on this, perhaps I didn't write it right but I'm legit just curious to hear people's takes on this, what reasons he might have been thinking of to not worry about this...]
And immediately after he says he's unconvinced this is a concern, he states that he does, in fact, carry a tool with him that would protect him in these circumstances.
In general, you can be unconvinced that various things are actually a meaningful real-world danger, but you choose to mitigate against them anyway if you can do so easily.
He also mentions that he only uses said tool with "charging stations I find suspicious". Which is very curious, because I would assume an attacker who is willing to risk burning such an attack would make sure their charging station is looking the least suspicious and most ordinary.
I'm not sure if "find suspicious" is a good heuristic here. Although of course we don't know what he bases his suspicion on.
It does add a slight extra layer in that they have to both have a compromise for whatever chip is controlling your bank and a compromise for whatever phone is attached, which is more difficult to pack into a small controller chip. Although I'm willing to bet a lot of power bank controllers are similar across the market, which narrows that difficulty.
Same with Android, the various fast charging protocols use the data pins to negotiate the voltage setting and how much current the phone is allowed to draw. I suppose in theory you could make an active dongle which MITMs the data pins and strips anything it doesn't recognise as a valid fast charging command, but I don't know if such a product exists.
Except you are stuck with slower charging speeds. Usually in the places you most want fast charging but have the least trust (random public charging spots)
Most users, most of the time, will trade speed for security.
I've been wondering about the implications of free wifi within airports or such: how much of a worry that would be, given you connect only to TLS-secured services (and hopefully the phone does too for every service it connects to in the background).
Personally...I run a Linode VPN with openvpn on it listening on port 443.
Anytime I am on a public wifi or untrusted network (including the occasional time at my job with a personal device), I connect to that. Since it's 443, it's generally not blocked, even though the TLS connection is not "standard" because it uses a 2048 bit PSK as a precursor to start a connection, then certificate based auth to establish the tunnel.
It's a full tunnel as well, so all traffic runs through it. Google/YouTube will sometimes pitch fits and make me do captchas, but otherwise it's an easier way to shield from stuff like that.
All the wifi provider sees in that case is a single connection to my linode.
Admittedly this is a pretty technical solution though and requires some configuring. Mullvad would probably be an easier option with plenty of endpoints to jump through. Or you can run Tailscale and use SSH/socks proxies, though things like DNS leakage can still occur there.
I will use SSH tunnels and socks proxies for certain browsers that are configured to not store any data locally as well (i.e. Firefox). I justify it easily in that I am constantly testing services and sometimes it's best to rule out routing, BGP or other low level network issues, and using ssh -D 12345 something@someplace allows me to do just that in isolated circumstances.
The thing is though, I'm not trying to hide the fact I am on OpenVPN. Simple inspection of the handshake tells you EXACTLY what it is. But that's generally not the issue.
The issue is many will simply block UDP or the default port 1194 or basically anything other than a handful of outbound ports, of which 443 outbound is almost never actually blocked, for obvious reasons. In fact I can't think of a single time I haven't been able to use that VPN, even when my normal road-warrior profile to my house IS blocked.
Either way, there are ways to mask the fact that it's clearly OpenVPN, like Obfsproxy, if your issue is nation-states or things like the Great Firewall, but even then something like Mullvad would be called for since you are likely going to need an array of endpoints.
I'm just trying to ensure my traffic is running through a trusted source until the point that it's supposed to hit the open internet. Things like DNS filtering are getting more pervasive. For me that means I want to know the endpoint until I am ready for it to egress.
I have also had this setup for years at this point, before Tailscale or even hearing of things like Mullvad. But I work in IT, so it's one of those things that makes others that don't work in tech look at me funny if they see it.
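For readers who want to reproduce the setup the comment above describes (OpenVPN on TCP/443, a 2048-bit pre-shared key gating the TLS handshake, certificate authentication, full tunnel), here is a minimal pair of configurations. This is an added example written for this thread, not the commenter's actual files or anything from the OpenVPN project; the file paths, the hostname vpn.example.net, the 10.8.0.0/24 tunnel network and the resolver at 10.8.0.1 are assumptions.

```conf
# ---- server side, e.g. /etc/openvpn/server/tcp443.conf (path is an assumption)
port 443
proto tcp
dev tun
ca   ca.crt
cert server.crt
key  server.key
dh   dh.pem
# tls-crypt: every packet must carry a valid HMAC under the 2048-bit pre-shared
# key (openvpn --genkey secret ta.key, OpenVPN 2.5+) or it is dropped before any
# TLS handshake happens; the certificates then authenticate the tunnel.
tls-crypt ta.key
cipher AES-256-GCM
server 10.8.0.0 255.255.255.0
# full tunnel: clients route everything here and use the VPN-side resolver
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 10.8.0.1"
keepalive 10 120
user nobody
group nogroup
persist-key
persist-tun

# ---- client side, e.g. laptop.ovpn
client
dev tun
proto tcp
remote vpn.example.net 443
nobind
resolv-retry infinite
remote-cert-tls server     # refuse a peer whose certificate is not a server cert
tls-crypt ta.key
ca   ca.crt
cert laptop.crt
key  laptop.key
cipher AES-256-GCM
persist-key
persist-tun
verb 3
```

Two caveats worth checking on a real deployment: the pushed DNS option is only applied on Linux if an up script (update-systemd-resolved, update-resolv-conf or similar) is configured, otherwise queries keep leaking to the hotspot's resolver even though the default route is in the tunnel; and `remote-cert-tls server` is what stops a rogue client certificate from impersonating the server, so it belongs in every client profile.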
Sites are protected not only with TLS but also HSTS, and the list goes on.
Wi-Fi doesn't include sturdy security mechanisms anyway, so wifi is never safe.
Companies that are serious about network security are recommended to use a second factor, like a VPN, especially on their company network (because they always have resources that lack protection).
For customers and individuals like us, sites are safe enough not to do that (unless you host your own services)
So the only thing people can do on public networks is maybe fingerprinting, and tracking the whereabouts of your devices across the place (especially in airports like Istanbul, where you need to swipe your passport in a machine to get a wifi code).
But that doesn't prevent me from going to Discord and HN and do banking over public networks.
if HSTS is implemented properly, it won't just report an error, but it will also forbid any connection.
For example, on Firefox, you can't bypass an HSTS error. The browser won't let you add an exception to connect to the site. (you have to purge your data to connect again 'for the first time' on the site)
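To make the HSTS behaviour in the two comments above concrete, here is a simplified model of the policy store a browser keeps: it parses the Strict-Transport-Security header, ignores it over plain http, rewrites http:// URLs for known hosts before any request leaves, and refuses the "add an exception" path on certificate errors for those hosts. This is an added example written for this thread, not Firefox or Chromium code; the hostnames and header values are constructed.

```python
"""Simplified HSTS policy store (RFC 6797 semantics, constructed example)."""
import time


class HSTSStore:
    def __init__(self, now=time.time):
        self._now = now
        self._policies = {}   # host -> (expires_at, include_subdomains)

    @staticmethod
    def parse_header(value):
        """Parse 'max-age=N[; includeSubDomains][; preload]'.

        Returns (max_age_seconds, include_subdomains), or None when the header
        is invalid and must be ignored (e.g. a non-numeric max-age).
        """
        max_age = None
        include_sub = False
        for raw in value.split(";"):
            token = raw.strip()
            if not token:
                continue
            name, _, val = token.partition("=")
            name = name.strip().lower()
            if name == "max-age":
                val = val.strip().strip('"')
                if not val.isdigit():
                    return None
                max_age = int(val)
            elif name == "includesubdomains":
                include_sub = True
            # unknown directives (including 'preload') are ignored here
        if max_age is None:
            return None
        return max_age, include_sub

    def observe(self, host, header_value, over_https=True):
        """Record a policy seen on a response. Headers received over plain http
        are ignored: otherwise anyone on the network could plant or clear them."""
        if not over_https:
            return False
        parsed = self.parse_header(header_value)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        host = host.lower()
        if max_age == 0:
            self._policies.pop(host, None)   # max-age=0 revokes the policy
            return True
        self._policies[host] = (self._now() + max_age, include_sub)
        return True

    def is_known(self, host):
        """True if host, or a superdomain whose policy has includeSubDomains,
        carries an unexpired policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            policy = self._policies.get(".".join(labels[i:]))
            if policy is None:
                continue
            expires_at, include_sub = policy
            if self._now() >= expires_at:
                continue
            if i == 0 or include_sub:
                return True
        return False

    def rewrite_url(self, url):
        """Upgrade http:// to https:// for known hosts before any request is sent."""
        if url.startswith("http://"):
            rest = url[len("http://"):]
            host = rest.split("/", 1)[0].split(":", 1)[0]
            if self.is_known(host):
                return "https://" + rest
        return url

    def may_bypass_cert_error(self, host):
        """Known hosts get a hard failure: the user cannot click through."""
        return not self.is_known(host)
```

The point for the public-wifi question is the `observe(..., over_https=False)` branch and `is_known`: a hotspot that intercepts plain http cannot install or revoke a policy, and for a host already in the store it cannot even get the user to see a certificate warning they could accept. What it can still do is intercept the very first visit to a site the browser has never seen over https, which is what the preload list exists for.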
The race of media, ad, and other companies for one's attention and data is brutal. Especially when one is stuck in a seat for hours and only has a back of another seat in front of their face.
There are small adapters which disconnect the data lines. I use one of those to connect my phone to my car so that it only charges, and my car doesn't try to add it as external storage for the entertainment system.
I mean, if they fry the device I think that's going to both be an acceptable risk (annoying but not breached), and also likely to be detected rapidly -- "Shit my device is fucked, better tell airport staff"
> likely to be detected rapidly -- "Shit my device is fucked, better tell airport staff"
It's not charging - but maybe it was just a problem with that port on your laptop. Better try the charger in every one of your laptop's USB-C ports, just in case....
Has there been any kind of attack actually detected that goes through this vector? This has been infosec lore for as long as USB charging and smart phones have been a thing but I've never really heard of it actually being used.
I mean as an actual attack, not a product that could execute a similar attack, i.e. an instance where a public charger has been detected or caught attempting to infect phones.
Most people don't have those because USB-C Power Delivery requires data pins to negotiate fast charging. I think it's required to get anything beyond the basic 5V .5A power out of a USB socket these days.
“Dear citizens, please be wary of attacks on your devices designed to compromise your privacy and personal information. It would be unfortunate if we had competition in the game.”
It's always been competing priorities inside the government, between groups improving security so that commerce and secrets stay secret and safe and other groups whose priorities are more generalized security, who would love to snoop into everyone all the time.
iOS attempts to do this but if we’re following the assumption of such an attack it would just be seen as a step in the chain of the attack. I think the likelihood of an attack via this method is incredibly low personally.
Though I always have a power bank on hand, not for security, but for convenience. Much more preferable to the physical limitations of a wall outlet.
real usage per second, per minute, not theoretical
can the charging stations resume data transfer if i unplug and replug at random times ?
i dunno, when i want to dump gb of data from my phone, it takes hours ... so yeah maybe i should stay at a random charging station for hours to ensure all data transfered :D
USB in general specifies negotiation for charging, regardless of the connector. But most chargers are too lazy to implement the negotiation and instead just always provide their maximum amperage, so something with no data wires should work regardless.
pro tip: if absolutely necessary at least only charge your power bank on a public charger and then charge the phone on the power bank but not at the same time.
This might be a big advantage for wireless charging. Although it can be slower than a USB charger, there is no risk that it will be doing something other than charging.
Or just replace them with electrical outlets. Why we are using high-risk systems in public infrastructures when low-tech, low-risk systems exist is beyond me.
You can provide a lot more USB outlets than it's feasible to provide regular AC outlets. If they're USB A outlets you know they're only ever going to draw 7.5W give or take max so you can slap many more of them on a single circuit than you can AC outlets where people could plug in a bunch of 60+W laptops or USB-C PD chargers.
Firstly, I believe the Qi scheme includes a process for communication, mostly restricted to "how much power should I send" for now, but it's obvious this will be expanded to more functionality as people basically replicate NFC over it.
Second, I'm still waiting to see a Qi charger that just pumps 100W of power straight through any piece of metal above it. Don't know what would happen, but I naively imagine forced induction would brick most devices.
As I understand it, Qi has a digital communication channel from the phone to the charger but no digital communication from charger to phone. So any exploit over Qi would have to somehow compromise the phone’s charging system with just analog field variations (frequency, field strength, or whatever else the phone measures).
Hard disagree. If physical proximity was all it took to compromise a phone everyone would immediately protest.
USB requires an active action. Blaming the user is still wrong, it really should be safe to charge in a mall or get a file from your friends usb stick. But it's less obvious so here we are.
As most phones now have NFC, this would be more of a new vector than a safer procedure IMO.
I am not sure how many places properly accept unauthenticated (no phone unlock nor biometrics) contactless transactions in the US, but it's a thing at least in Japan.
I'd also assume the non secure area is readable without any unlock either way, but might be wrong.
You can do unauthenticated with your watch assuming you’ve authenticated it at least once and haven’t removed your watch from your wrist since. Also, you can unlock your car with your phone unauthenticated, or even if the battery is out.
Just FYI: this is referring to USB charging stations, not EV stations.
This advice has been standard in cybersecurity training for a long time now and frankly I'm surprised that this is the first time the FBI has felt the need to issue an advisory on the subject.
I have been somewhat curious if/when this will occur with EV stations as well. What controls might one gain over a car from the charging port on the assorted makes/models? Even hacking aside I am curious what PII, telemetry and tracking data could be pulled from the charge port.
At least on AC Level 1/2 charging (using just a J1772 port) the signalling is pretty rudimentary if I remember correctly. Something along the lines of the car puts out a square wave on one of the signalling pins and based on the resistance it sees it knows whether it's plugged in and how much power it can charge, so there isn't much room (dare I say any) way to interact much with the car through that port. I don't know how DC charging works but I assume there's a little bit more smarts to it. Tesla on the other hand is a completely different story.
The really high voltage fast chargers, as far as I understand them, connect directly to the battery, bypassing the car's battery charger to directly charge the battery. Not sure how much communication there is on those channels though.
You're probably thinking about the on-board inverter, it's often referred to as a battery charger. The battery management system is entirely within the car, and the car will tell what voltage and amperage to deliver to it.
The design of CCS2 is actually quite nice. There are pins for signalling that, if broken, will immediately shut down power delivery. This means that you can just pull the cable out safely, without risking arcing or electrocuting yourself.
When I've done DC rapid charging on my Leaf, I noticed that the charger knew the battery percentage reported by the car. That seems likely to be digital signalling to me, so suddenly there's the risk of buffer overflows and suchlike.
I've not seen this on AC, but when I looked into this previously I got the impression that there exists a digital signalling protocol established by modulating something ignored by older cars and chargers that can be optionally supported. If that's the case then there's potentially attack surface there, too.
The CCS standard has "HLC - High Level Communication", which is available for both AC and DC charging. While I'm not interested in paying $700 for ISO 15118, I imagine clients [cars] are set up to break the current flow if anything out of the ordinary happens or if the input power doesn't match what the station is saying it's sending in an instant.
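For the AC-side signalling the last few comments describe from memory, here is a small decoder for the SAE J1772 control pilot, written as an added example for this thread (not code from any vehicle or charging station). The facts it relies on: the station drives a 1 kHz square wave on the pilot pin, the car loads it with resistors so the positive level drops from 12 V (nothing connected) to 9 V (connected), 6 V (ready to charge) or 3 V (charging, ventilation required); the duty cycle tells the car how much current it may draw; and a 5 % duty cycle means "switch to digital communication on the pilot", which is the door to the ISO 15118 / CCS high-level communication mentioned above. The sample readings are constructed.

```python
"""J1772 control-pilot decoder (constructed example)."""

# Positive pilot level -> state, as set by the resistor the vehicle switches in
STATES = {
    12.0: "A: not connected",
    9.0: "B: connected, not ready",
    6.0: "C: ready, charging allowed",
    3.0: "D: charging, ventilation required",
}


def pilot_state(v_high):
    """Map the measured positive pilot level to the J1772 state (nearest level,
    with a 1 V tolerance; anything further away is treated as a fault)."""
    level = min(STATES, key=lambda ref: abs(ref - v_high))
    if abs(level - v_high) > 1.0:
        return "E/F: fault or no pilot"
    return STATES[level]


def max_current_amps(duty_percent):
    """Current the vehicle may draw for a pilot duty cycle.

    Returns ("digital", None) for the 5 % band that requests high-level
    communication, ("pwm", amps) for the analog encoding, and ("invalid", None)
    for duty cycles that do not permit charging.
    """
    d = duty_percent
    if 3.0 <= d <= 7.0:
        return ("digital", None)          # nominal 5 %: negotiate over PLC instead
    if 10.0 <= d <= 85.0:
        return ("pwm", round(d * 0.6, 1))  # 6 A at 10 % ... 51 A at 85 %
    if 85.0 < d <= 96.0:
        return ("pwm", round((d - 64.0) * 2.5, 1))  # up to 80 A at 96 %
    return ("invalid", None)


def decode_pilot(v_high, duty_percent):
    """Combine level and duty cycle into what the car would conclude."""
    mode, amps = max_current_amps(duty_percent)
    return {
        "state": pilot_state(v_high),
        "mode": mode,
        "max_current_a": amps,
        "digital_comm_required": mode == "digital",
    }


# Constructed sample readings: (positive pilot level in V, duty cycle in %)
SAMPLES = [
    (12.0, 50.0),   # cable plugged into the station but not the car
    (6.0, 50.0),    # ordinary 30 A home charger, car charging
    (6.0, 96.0),    # station offering 80 A
    (6.0, 5.0),     # station demanding ISO 15118 digital communication
    (6.0, 100.0),   # constant +12 V / 100 % duty: no current allowed
    (0.0, 50.0),    # pilot shorted: fault
]

if __name__ == "__main__":
    for v, duty in SAMPLES:
        print(f"{v:5.1f} V @ {duty:5.1f} % -> {decode_pilot(v, duty)}")
```

The decoder makes the comments' point explicit: as long as a station stays in the PWM bands, the car only ever parses a resistance and a duty cycle, so there is nothing for a buffer overflow to live in; the attack surface the later comments speculate about only opens once the station asserts the 5 % band and both sides move to the digital protocol.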
I wonder if dealerships and other auto shops behave like every other company today, and when they plug into your OBD2 port they just hoover up as much data as they can and sell it off.
It is not the first time the FBI has warned about this (see [0] for example, or do a Google search with date filters).
This is the Denver field office maximizing Twitter engagement by repeating themselves. (Maybe that is not a fair way to view it, maybe the FBI should repeat advisories often.)
I agree - the only "public charging stations" I see on any kind of regular basis are EV charging stations. It's been a couple of decades since I remember seeing a USB one, not that I doubt their existence.
They're ubiquitous at conferences and in many trains, planes, airports, hotels, etc. Maybe you mean something different by public but USB charging stations that you don't control are very common especially in the context of places travelers are in. They're probably pretty common in schools, libraries, conference rooms, etc. as well.
I thought it was wild clickbait and didn't even go to read the article.
I read it as "EVs are dangerous according to the FBI, use V12 engines to avoid hackers"
but yeah, public charging stations *for phones* are terrible.
I used one of them once at a conference, with ADB enabled on my phone.
I thought it would just feed me power, as no data collection was specified on the station.
but it enabled a data connection.
So I used a public station once, and I'll never do it again.