It really surprised me when this article blew up on Twitter as I thought it was common knowledge to never use public chargers and avoid untrusted USB anything after "BadUSB". It showed me how I live in a tech security bubble, a good reminder.
Many people, including many people on this site (and, yes, including myself) wouldn't think twice about plugging into an available port if they need a charge. Maybe I don't plug into an unlabeled port in some random location where it doesn't look like it belongs, but honestly I wouldn't think twice about charging at a designated area at a conference.
(Though, yeah, I'd avoid a lot of "normal" activities if I ever attended BlackHat.)
I've had booths on cyber security trade fairs hand out USB flash drives as prizes for spinning a wheel, with no awareness how that might seem odd. I guess people would be reluctant to accept them at BlackHat, but everywhere else people are very trusting towards USB stuff.
I take free USB drives any day. I always test them on the pc that belongs to the coworker that nobody likes first though ;)
In all seriousness though - 128GB USB 3.0 drives can be picked up for $10 on sale all day long. Absolutely no reason to trust some $0.25 random 4GB drive that a stranger gave you, aside from running R-Studio on it for fun or something.
I once worked at a place where the security team had a USB stick delivered to all the desktops with some digital brochure about not trusting strangers or some such. Not the cyber security team, but still.
We send staged phishing emails internally to see who takes the bait.
Leaving USB sticks lying around with some sort of callback to see who plugs them in is a really clever idea. We could probably catch the serial number range in Defender ATP.
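One way to pick up the "callback" the comment above describes on the host side, as an added example that is not part of the thread: instead of Defender ATP, this parses constructed Linux kernel (dmesg-style) USB enumeration lines and flags any device whose serial number falls in an assumed planted range (the `CANARY` prefix, vendor/product ids and serials are all made up here).

```python
import re
from collections import defaultdict

# Constructed dmesg-style USB enumeration lines (not from the thread); the
# vendor/product ids and serial numbers are made-up sample values.
SAMPLE_DMESG = """\
[  120.101] usb 1-1: New USB device found, idVendor=1234, idProduct=5678, bcdDevice= 1.10
[  120.102] usb 1-1: Product: Canary Drive
[  120.103] usb 1-1: SerialNumber: CANARY00000017
[  300.010] usb 1-2: New USB device found, idVendor=abcd, idProduct=0001, bcdDevice=12.10
[  300.011] usb 1-2: Product: Wireless Receiver
[  300.012] usb 1-2: SerialNumber: 9F3A1B
[  410.500] usb 2-1: New USB device found, idVendor=1234, idProduct=5678, bcdDevice= 1.10
[  410.501] usb 2-1: SerialNumber: CANARY00000250
"""

# Assumed convention for the planted sticks: a fixed prefix plus a numeric block.
CANARY_PREFIX = "CANARY"
CANARY_RANGE = range(0, 100)   # CANARY00000000 .. CANARY00000099 were handed out

LINE_RE = re.compile(r"\]\s+usb (?P<port>[\d.-]+): (?P<rest>.*)$")
IDS_RE = re.compile(r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")

def is_canary_serial(serial):
    """True if the serial carries the prefix and its number is in the planted range."""
    if not serial.startswith(CANARY_PREFIX):
        return False
    tail = serial[len(CANARY_PREFIX):]
    return tail.isdigit() and int(tail) in CANARY_RANGE

def parse_usb_events(log_text):
    """Group the per-port kernel messages into {port: {vid, pid, serial, product}}."""
    devices = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        port, rest = m.group("port"), m.group("rest")
        ids = IDS_RE.search(rest)
        if ids:
            devices[port].update(vid=ids.group("vid"), pid=ids.group("pid"))
        elif rest.startswith("SerialNumber: "):
            devices[port]["serial"] = rest.split(": ", 1)[1]
        elif rest.startswith("Product: "):
            devices[port]["product"] = rest.split(": ", 1)[1]
    return dict(devices)

def find_canary_insertions(log_text):
    """Return (port, serial) for every enumerated device whose serial is a planted one."""
    return [(port, d["serial"]) for port, d in parse_usb_events(log_text).items()
            if is_canary_serial(d.get("serial", ""))]
```

The same vendor/product pair on port 2-1 is deliberately outside the planted range, so a match on ids alone is not enough; the serial range is what ties a hit back to a specific handed-out stick.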
> Many people, including many people on this site (and, yes, including myself) wouldn't think twice about plugging into an available port if they need a charge. Maybe I don't plug into an unlabeled port in some random location where it doesn't look like it belongs, but honestly I wouldn't think twice about charging at a designated area at a conference.
If you're already committed to carrying Yet Another Accessory, then why not just carry a small portable charging battery? Some models are not much larger than that USB connector, and could charge the phone more than sitting babysitting a charging phone for an hour.
Yeah, I normally carry bigger portable batteries but I've got a bunch of small ones that I've typically been given by vendors which are probably good for at least getting a phone off life support.
Yes, I was in the hospital waiting room recently and they had a charging station with each type of available cable.
I charged my phone, fully aware of these sorts of issues. I just went with my gut instinct that, in that environment, it's highly unlikely that the cables have been "trojanized".
The FBI can warn about it, but what can you really do? You just have to trust your judgement as to what you feel are safe charging stations, and which may not be.
Android asks me if I want to allow a device access. This probably prevents attacks against the upper layer protocols. Is the risk vector here the USB stack itself?
I think it's possible to disable the USB 'protocol' in Linux, but it would require advanced permissions on Android, which probably doesn't work out of the box; with iOS, who knows or cares.
This is a joke, but it could actually be a thing. An isolator that you can use to protect your device while using those unknown ports. I would call it an isolator though, or firewall, not what you called it.
Also, a USB-C condom is now available. It was an issue since USB-C uses data lines to negotiate voltage, and I have been tracking the need for one in my problem validation for a while now[1].
I'm not completely sure; I read on Reddit that the USB-C condom has some form of proxy circuit to negotiate voltage. I hope someone with better knowledge of this can explain it better.
You can even make a type of them yourself with rudimentary equipment, by cutting the data lines and connecting/not cutting the power lines. I believe you will lose the ability to negotiate faster charging, and I don't know if USB-C will work at all, but it still works otherwise.
So far, web standards don’t support online supply of direct (constant) current, alternating (sine wave) current, they can only provide imaginary (square root of stealing your) current.
So you can’t trust any site for power.
---
Although teleporting power Via quantum entanglement has been demonstrated as possible given a line of communication.
So crazily, “power over data” may happen one day.
Perhaps, we can all look forward to hackers draining our last 1% of battery power as a reward for not using end-to-end power encryption.
I still get the occasional popup that gets past AdGuard on my phone and tries to add spam to my calendar on my iPhone but it’s definitely a lot better than it used to be. I got one a few months ago that had instructions on installing a custom management profile, now that cracked me up.
If you've spent any time on here you know that no one actually clicks the links to read the article. Users need only trust the pages with an orange header.
I mean the upstream comment is basically saying don't trust clicking any links on the Internet--even on a site that presumably weeds out really dodgy stuff quickly. Indeed, not using the Internet is a solid, if rather extreme, security process to follow.
The thing about Reddit is that it has greater "discoverability" through search, profiles and algorithmic "hot" pages, so communities like that inevitably become swamped with low quality posts. There are a few niche subs that just degenerated into posting photos of purchases that arrived in the mail today instead of actually discussing the use of the tools.
To be fair, I also didn't know for a long time that HDMI is not a trustworthy port and can be used to spread malware [0]. And I'm usually not thinking about that when plugging my laptop into a projector.
Maybe with USB you could get away by using a cable without data pins, but I'm not sure whether that may influence charging speed given USB-C is pretty flexible.
USB defaults to 5 V if there is no negotiation, and it is said that many devices will draw 1 A under these circumstances (even though technically the spec says they should expect less) -- it's the standard low speed charging that you'd get plugging your device into a dollar store charger.
Perhaps here on HN. Most people will plug their smartphone into any accepting receptacle: trains, airplanes, NYC SmartLink, or ask the bartender if they can plug it in behind the bar.
I still carry a DIY Altoids charger that takes a 9V battery (pulled down to proper volts for iPhone). In a battery emergency, my phone is simply on life support and I don't have to look for outlets that might also include a zero-day.
I try to always travel with a “USB data condom”. The one I have is called a “PortaPow”, and it’s red. It was about $10 on Amazon and it’s a great investment for scenarios where I _reasonably_ trust a power-only USB port not to have been tampered with, like the built in ports on aircraft.
Build condoms into the devices themselves via a next USB spec requiring a hardware switch to choose power-only / power+data and these kinds of issues could disappear. Apple might hate it though. Then again, capacitive hardware switches could be ok.
> _reasonably_ trust a power-only USB ... like the built in ports on aircraft.
I'm with you, this might fall under "safe". Then again, from threads posted here and elsewhere, and through personal investigation...the infotainment systems on airplanes are an absolute disaster with regards to security and software design. They're often part of the same system as the provided USB ports. While the risk is small, there's nothing stopping 1 person from running a script that exploits some flaw in the outdated Linux distro the airline is using to manage their in-flight entertainment.
There's also a chance I'm paranoid and spend too much time here, but I'm gonna stick with my Altoids.
The one I have is designed to allow you to visually inspect the connector terminals. So at least regarding my (USB-A) ones, I can confirm only the power lanes exist.
I probably would have guessed that software vulnerabilities were rare for just plugging your smartphone into a USB port (without some additional user approval on the device). Obviously a port could probably be easily configured to just fry your jack/device but that’s not a big part of my threat model anyway.
You would have guessed wrong. Most devices, especially multi-vendor android devices, have exploitable subsystems which never touch the UI visible OS layer.
I lately had trouble convincing some non-tech acquaintances that IoT "cloud-enabled" cameras all over their house (including the bedroom) as an anti-break-in measure are a bad idea, as those devices or the storage in some Chinese cloud could be hacked. They ridiculed this as "far fetched".
I'll never be able to bring up this risk with USB to those guys.
Getting a phone with a large enough battery (>5000mAh) is good opsec. I have a 10000 mAh battery in my phone, and I only need to charge about twice a week.