mtillman · 3 years ago
It really surprised me when this article blew up on Twitter as I thought it was common knowledge to never use public chargers and avoid untrusted USB anything after “bad usb”. It showed me how I live in a tech security bubble, a good reminder.
ghaff · 3 years ago
Many people, including many people on this site (and, yes, including myself) wouldn't think twice about plugging into an available port if they need a charge. Maybe I don't plug into an unlabeled port in some random location where it doesn't look like it belongs, but honestly I wouldn't think twice about charging at a designated area at a conference.

(Though, yeah, I'd avoid a lot of "normal" activities if I ever attended BlackHat.)

wongarsu · 3 years ago
I've had booths at cyber security trade fairs hand out USB flash drives as prizes for spinning a wheel, with no awareness of how that might seem odd. I guess people would be reluctant to accept them at BlackHat, but everywhere else people are very trusting towards USB stuff.
tablespoon · 3 years ago
> Many people, including many people on this site (and, yes, including myself) wouldn't think twice about plugging into an available port if they need a charge. Maybe I don't plug into an unlabeled port in some random location where it doesn't look like it belongs, but honestly I wouldn't think twice about charging at a designated area at a conference.

This is the solution to that problem:

https://www.amazon.com/PortaPow-3rd-Data-Blocker-Pack/dp/B00...

https://www.amazon.com/PortaPow-NA-USB-C-Data-Blocker/dp/B08...

https://www.amazon.com/PortaPow-Data-Blocker-USB-C-Converter...

EMM_386 · 3 years ago
Yes, I was in the hospital waiting room recently and they had a charging station with each type of available cable.

I charged my phone, fully aware of these sorts of issues. I just went with my gut instinct that, in that environment, it's highly unlikely that the cables have been "trojanized".

The FBI can warn about it, but what can you really do? You just have to trust your judgement as to what you feel are safe charging stations, and which may not be.

permo-w · 3 years ago
>(Though, yeah, I'd avoid a lot of "normal" activities if I ever attended BlackHat.)

I wonder whether you'd take similar precautions on a site named Hacker News

vGPU · 3 years ago
Which is exactly why they’re a great target. High traffic, good odds someone plugs the phone in and unlocks it while plugged in, etc.
alpaca128 · 3 years ago
To be fair I also didn't know for a long time that HDMI is not a trustworthy port and can be used to spread malware [0]. And I'm usually not thinking about that when plugging my laptop into a projector.

Maybe with USB you could get away by using a cable without data pins, but I'm not sure whether that may influence charging speed given USB-C is pretty flexible.

[0] https://news.ycombinator.com/item?id=31828193

kube-system · 3 years ago
USB defaults to 5v if there is no negotiation, and it is said that many devices will draw 1a under these circumstances (even though technically the spec says they should expect less) -- it's the standard low speed charging that you'd get plugging your device into a dollar store charger.
cuttysnark · 3 years ago
> common knowledge to never use public chargers

Perhaps here on HN. Most people will plug their smartphone into any accepting receptacle: trains, airplanes, NYC SmartLink, or ask the bartender if they can plug it in behind the bar.

I still carry a DIY Altoids charger that takes a 9V battery (pulled down to proper volts for iPhone). In a battery emergency, my phone is simply on life support and I don't have to look for outlets that might also include a zero-day.

TheNewsIsHere · 3 years ago
I try to always travel with a “USB data condom”. The one I have is called a “PortaPow”, and it’s red. It was about $10 on Amazon and it’s a great investment for scenarios where I _reasonably_ trust a power-only USB port not to have been tampered with, like the built in ports on aircraft.
tshaddox · 3 years ago
I probably would have guessed that software vulnerabilities were rare for just plugging your smartphone into a USB port (without some additional user approval on the device). Obviously a port could probably be easily configured to just fry your jack/device but that’s not a big part of my threat model anyway.
adastra22 · 3 years ago
You would have guessed wrong. Most devices, especially multi-vendor android devices, have exploitable subsystems which never touch the UI visible OS layer.
Waterluvian · 3 years ago
Everyone wants everyone to be more informed about their subject matter area, but there just isn’t enough cognitive load for it all.

I’d like to just rely on my device to protect me by asking if I want to trust the device.

pl90087 · 3 years ago
I lately had trouble convincing some non-tech acquaintances that IoT "cloud-enabled" cameras all over their house (including bedroom) as an anti-break-in measure are a bad idea as those devices or the storage in some Chinese cloud could be hacked. They ridiculed this as "far fetched".

I'll never be able to bring up this risk with USB to those guys.

Edit: IoC typo -> IoT

IggleSniggle · 3 years ago
I know IoC as “Indicators of Compromise.” While that’s kinda true here, that’s not how you used it. What is IoC short for in your parlance?
Accacin · 3 years ago
Why do you feel the need to mention "Chinese"? Any cloud storage is liable to be hacked.
ok123456 · 3 years ago
Getting a phone with a large enough battery (>5000mAh) is good opsec. I have a 10000 mAh battery in my phone, and I only need to charge about twice a week.
computerfriend · 3 years ago
What kind of phone do you have?
CharlesW · 3 years ago
I'm seeing a lot of hysteria in response to this random tweet by the Denver FBI's social media person.

Do we know of a single real-world use of this hypothetical exploit? Do we know that iOS's (and presumably Android's) protection against untrusted device access isn't enough?

enguinq123 · 3 years ago
Anecdotally, I have had a previous iPhone infected by using a public charging station at SFO a few years ago.
ghostpepper · 3 years ago
Can you elaborate on this? What kind of phone? Android or iOS? Fully patched? What kind of infection? How did you discover it? How did you get rid of it?
Tagbert · 3 years ago
Did you have to say yes to the “trust this computer” question to enable data exchange?
rsync · 3 years ago
You’re going to need to elaborate here … that’s genuinely interesting if true …

More details?

_fat_santa · 3 years ago
It just doesn't seem like a plausible hack when you take in all the circumstances that have to line up correctly:

1. The station has to be using USB Ports / Charging cables that are data enabled, not just cables that carry power

2. The hacker would need some way of injecting the malware into the charging station ports without being seen, I doubt many charging stations are internet connected so you would have to be at the device.

3. You need to have an active exploit for iOS or Android (or both) that will compromise the device and steal its data.

It just seems like a lot of work for something that in all likelihood would not work.

feoren · 3 years ago
None of these are necessary, except half of #2. All you'd need is a "middleman" device that is subtle enough to avoid notice by the person plugging in, just like how credit card skimmers work.

> 1. The station has to be using USB Ports / Charging cables that are data enabled, not just cables that carry power

Doesn't matter, because you're (unwittingly) plugging into the attacker's device, not the station's.

> 2. The hacker would need some way of injecting the malware into the charging station ports without being seen, I doubt many charging stations are internet connected so you would have to be at the device.

You don't need to "inject" anything; you just need to physically place it between the user and the actual port and disguise it enough that people not paying attention won't notice. Or even just put a fake "charging station" in a place that the station didn't have one.

> 3. You need to have an active exploit for iOS or Android (or both) that will compromise the device and steal its data.

People are plugging in their phone so they can use it. They'll plug in the phone, unlock it, and browse the internet. What can't you do in that situation?

pphysch · 3 years ago
More practically, you visit a place that has public chargers, you study them and create a compromised clone, and then you swap out the real one. Like card skimmers.
meling · 3 years ago
Maybe a better attack would be to create and sell a usb condom with malware built in.
marcosdumay · 3 years ago
We do know of shady companies that sell "own this phone" USB devices to governments, but AFAIK they only sell to governments and the details aren't available to the public.

I have never heard about a non-government sponsored attacker doing that kind of thing. If this is relevant or not to you, it's a matter of your threat model. If I were a journalist, I would be very wary. Personally, I don't plug my phone into random outlets and don't plug random devices into my computers, but it's clearly an overreaction.

tonyarkles · 3 years ago
Heh, if I'm remembering right, a couple of years ago there was a public charging station at DEFCON that was sponsored by the NSA. I did not plug my phone into it :D
l33t233372 · 3 years ago
I think I recall such a thing happening at DEFCON. It was either that or USB sticks being handed out.
thrashh · 3 years ago
Usually the risk for something like this is that there's some unexploited bug in the USB stack or the OS. Which, from what I know from writing software, I don't trust shit.

I think the risk is insanely low for your average person because you'd have to use an unpatched bug on a well-supported system, you'd have to bug a USB port in a popular place, and you'd need a reason to do all that.

But at the same time, this is well in the wheelhouse and capability of some bored teen with a lot of time who wants to screw with people FWIW. You could also have fun and write a worm that infects everyone that connects to your USB port and have it DDoS a website or something. The first worms were created by bored people.

thinkmassive · 3 years ago
Thousands of O.MG cables are out in the wild… https://shop.hak5.org/products/omg-cable
CharlesW · 3 years ago
Wouldn't this be considered the same attack? Users would connect the cable, unlock their phone, and then would need to explicitly "Trust" the external device attempting to connect to their phone via USB.

I suppose the difference is that people may be using the cable to connect to a device where that prompt is expected, in contrast to the "charging port in an airport" scenario where it would seem appropriately alarming.

ajsnigrutin · 3 years ago
But how?

Most devices are charge-only by default, most users have USB debugging disabled, and those who know how to enable it, won't allow the adb server to connect to the phone (you have to explicitly give it permission).

retrocryptid · 3 years ago
I believe the assertion is "just because you don't know how to do it doesn't mean it can't be done."

It turns out several generations of USB controllers did "undefined" things when presented with "undefined" behavior on the data pins. Sometimes "undefined" was "just doesn't work", sometimes it was "put data in physical memory, bypassing the MMU and its data protection features."

I've never seen it myself, but I worry someone out there has figured out how to do the same thing over the power lines.

tshaddox · 3 years ago
> I believe the assertion is "just because you don't know how to do it doesn't mean it can't be done."

Okay, but tell me how it can be done if you want me to take the threat seriously. You could also say “always store your phone in a sound-isolating container because attackers can hack your phone with ultrasonics.”

dataflow · 3 years ago
I don't know how this is done, but not everything USB connected is assumed to be a charger. For example the 2FA hardware tokens aren't assumed to be chargers by default. So I imagine this might be done by faking a different device.
wongarsu · 3 years ago
The malicious charger can pretend to be a keyboard, mouse and screen, and just remote control the phone. Or just a keyboard, if you want an easier implementation. At least Android phones are completely usable this way, with universal keyboard/mouse support and widespread USB-C display support. Without any confirmation steps.
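An added example, not part of any comment in this thread: the "charger that pretends to be a keyboard" case is visible in what a port announces during USB enumeration, so a test host that has captured a port's configuration descriptor can check it. The function names and both sample descriptors below are constructed for illustration.

```python
import struct

# bInterfaceClass values a host may see (USB-IF base class codes).
CLASS_NAMES = {0x02: "communications", 0x03: "HID", 0x06: "still image (PTP)",
               0x08: "mass storage", 0x0A: "CDC data", 0xFF: "vendor specific"}
# bInterfaceProtocol values for HID boot-subclass interfaces.
HID_BOOT = {1: "keyboard", 2: "mouse"}

# Constructed samples: a port announcing a HID boot keyboard, and one
# announcing a mass-storage function. A power-only port announces nothing.
KEYBOARD_PORT = bytes.fromhex(
    "09022200010100a032" "090400000103010100" "092111010001224100" "0705810308000a")
STORAGE_PORT = bytes.fromhex(
    "090220000101008032" "090400000208065000" "07058102000200" "07050202000200")


def parse_interfaces(config: bytes):
    """Return (number, class, subclass, protocol) for each interface descriptor."""
    if len(config) < 9 or config[0] != 9 or config[1] != 0x02:
        raise ValueError("not a configuration descriptor")
    (total,) = struct.unpack_from("<H", config, 2)    # wTotalLength
    if total > len(config):
        raise ValueError("wTotalLength exceeds captured data")
    interfaces, off = [], 0
    while off < total:
        if off + 2 > total:
            raise ValueError("truncated descriptor header")
        length, dtype = config[off], config[off + 1]
        if length < 2 or off + length > total:         # never trust bLength
            raise ValueError("bad bLength at offset %d" % off)
        if dtype == 0x04 and length >= 9:              # INTERFACE descriptor
            interfaces.append((config[off + 2], config[off + 5],
                               config[off + 6], config[off + 7]))
        off += length
    return interfaces


def audit_port(config: bytes):
    """List every function a port announced; an empty list means power only."""
    if not config:
        return []                                      # nothing enumerated
    findings = []
    for num, cls, sub, proto in parse_interfaces(config):
        name = CLASS_NAMES.get(cls, "class 0x%02x" % cls)
        if cls == 0x03 and sub == 1 and proto in HID_BOOT:
            name += " boot " + HID_BOOT[proto]
        findings.append("interface %d: %s" % (num, name))
    return findings


if __name__ == "__main__":
    for label, blob in (("keyboard", KEYBOARD_PORT), ("storage", STORAGE_PORT),
                        ("power-only", b"")):
        print(label, audit_port(blob) or "no data interfaces")
```

Any non-empty result from something labelled as a charger means the port is speaking data, which is the condition a data-blocking adapter removes.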
cookiengineer · 3 years ago
> But how?

Ask that your average parent using an Android 6 from a decade ago, not being able to update because the manufacturer decided to not support their devices anymore after a year.

There is no such thing as an updateable Android, because something will always be outdated. Even lineageOS builds are using decades old kernels and kernel mods that have never been backported or upstreamed.

Android has a huge update problem. I'd probably bet that stagefright or, say, the pegasus zeroday for whatsapp works still on a large percentage of devices even though it was leaked more than 5 years ago.

blacksmith_tb · 3 years ago
Hmm, if someone is using a phone from a decade ago, they will certainly be vulnerable to evil charging stations, as their battery will almost certainly be extremely tired (then again, phones that old were a lot easier to replace batteries in, so maybe there's some hope).
kotaKat · 3 years ago
Lightning does more than just USB depending on how you signal the pins, including factory debug and diagnostics connections.

See also: the Bonobo JTAG/SWD debugging cable over Lightning. https://shop.lambdaconcept.com/home/37-bonobo-debug-cable.ht...

(While this 'technically' requires extra device flags, it's still the fact that Lightning has lots of hidden modes underneath its multiplexer.)

pid-1 · 3 years ago
I can picture a malicious actor convincing less tech savvy folks into enabling USB debugging to "unlock wifi speed" or some similar BS.
jstarfish · 3 years ago
Heh. Reminds me of the warez days.

"Can't install this shady pirated software you got from a malware-adjacent site? Try disabling your antivirus!"

adastra22 · 3 years ago
Baseband exploits.
mancerayder · 3 years ago
Anker batteries come in a zillion sizes, are cheap and are safe to plug into public chargers. With how hungry phones are these days, I don't know how people live without portable batteries.
brianwawok · 3 years ago
It is almost impossible to drain my iPhone to 0 unless I am doing something really unhealthy, like staring at it for 10 hours. I take a charger with me on trips so I can charge over night, but otherwise.. it's literally not possible in my reasonable life to run my phone out of juice.

Back when I used Android, it was much more common that runaway apps would drain my phone in 2 hours. But now? Doing an Anker battery would be lugging around a bunch of dead weight.

iLoveOncall · 3 years ago
Just go on a trip where you use your GPS a lot and take pictures with your phone and it will last half a day at best.
have_faith · 3 years ago
Ditto. I haven't taken a spare charger with me on my last few (city) trips. I just charge in the hotel and it lasts all day.
stametseater · 3 years ago
I usually go a week between charging. But then again I use my phone for checking and sending messages, not for gaming or browsing the net or anything like that.
kitsunesoba · 3 years ago
For my own needs, carrying a compact foldable GaN power brick like the Anker 511 (or 747, if carrying my laptop) has been sufficient. Sleeping MacBooks also work as extremely fancy extremely high capacity power banks if the need arises, which in the past has covered the odd case where I'm not near an AC outlet.
TheNewsIsHere · 3 years ago
I also travel with a compact Anker GaN charger and I _love_ that thing.
imdoor · 3 years ago
I'm curious, shouldn't the "charge only" mode, that's the default, when connecting usb stuff to Android phones, be enough to protect users? Is it really that difficult to implement a "don't read data pins, only charge" mode on a phone and not have vulnerabilities in it?
HeavyFeather · 3 years ago
If you can connect your turned off phone to your computer and start a reset, then that’s never going to be enough.

If you want data safety, you must skip the data pins.

If you want current safety, you must skip public chargers.

tshaddox · 3 years ago
If it’s “just a reset” I still wouldn’t be too worried plugging into an otherwise normally placed public charger. It would obviously suck to have my device reset, especially when traveling, but of course a port could also just fry your device anyway.
yencabulator · 3 years ago
If it's just a USB-initiated factory reset, that's much less worrying, just DoS not infiltration. Exploiting that at a busy airport would be a huge nuisance, but not a huge security risk. Just like wiring 110VAC into the USB wires would be a DoS...
paulsutter · 3 years ago
I would still prefer a “never trust” mode, even if it meant I had to go to an Apple store to do a reset (something I have never needed to do)
epups · 3 years ago
I don't get it, even after I reset my phone it's still locked, and by default not sharing data via USB. What am I missing?
rhplus · 3 years ago
Your phone can only figure out if it’s connected to a known device (your car, your speaker, etc) by asking the data pins. A charge-only mode would “break” usability of the USB port for most users.
was8309 · 3 years ago
Android 11 asks me if I want to charge only or also allow data transfer. Is it that we can't trust Android to not be hacked just by checking if data pins exist?
ensignavenger · 3 years ago
My phone asks me if I am connected to a trusted device and want to share data, asking me rather than asking the device if it is trusted seems to be an effective model.
shiftpgdn · 3 years ago
If you have a zero day takeover via usb/lightning why would you waste it on public charging infrastructure? That seems ridiculous.
xeromal · 3 years ago
It's not really. Suppose a nefarious group wants to get ahold of an executive's phone who always flies out of LAX or goes to a certain mall and uses a public charger. It would be smart to zero day one of those and if a few extra people are exploited, maybe some bonus bank info.
bbarn · 3 years ago
This is typical hacker movie nonsense. In real life, if they want something from said executive they just kidnap him, threaten violence, and he gives them what they want instantly. Or just knock him out cold from behind, take his shit, and crack into it themselves.
TedDoesntTalk · 3 years ago
What other attack vector would you choose?
londons_explore · 3 years ago
You could ship the victim malicious USB cables in the mail with amazon branding on the box.

Many people would use them, assuming they were just mis-shipped or ordered by their spouse.

aaomidi · 3 years ago
You’d use it to attack the targets you care about rather than just the general public.
rch · 3 years ago
USB charging ports on aircraft.
bakugo · 3 years ago
I'm inclined to agree, an exploit this powerful would almost definitely be used for targeted attacks only.
ghostpepper · 3 years ago
This was the prevailing wisdom for many years but the recent watering-hole attack by China has made me reconsider this position.

https://www.eff.org/deeplinks/2019/09/watering-holes-and-mil...

tzs · 3 years ago
I've come to think that whatever eventually replaces USB should add some separation between power and data. Let's call it MSB (Multiversal Serial Bus). Maybe something like this.

MSB would define 2 connectors: a data connector and a power connector.

MSB would also specify that if you have both data and power connectors they should be physically laid out in data/power pairs and would define the spacing/positioning (e.g., the power connector should be parallel to the data connector 2 mm apart with the power connector above the data connector).

The idea behind the layout specification is that for applications that need both the power and data connectors you could make cables that include both, with the housing at the ends holding the two connectors fixed so they can be treated as a unit when it comes to plugging into things.

The power port would include data lines, but they are just used for power negotiation.

The data port would include power, but just a fixed voltage and max current, comparable to pre-high power USB, so for low power peripherals you would just need to use a data port. I.e., for low power peripherals it is pretty much just like USB.

i_am_jl · 3 years ago
Why not offload this to the device?

Why doesn't my device today have an option that allows me to set the USB port to "power only"?

mr_mitm · 3 years ago
My Android does that. And at least with thunderbolt I can enable thunderbolt security on my laptop, which essentially does that.
Tommstein · 3 years ago
Because you don't have an Android? I don't remember the last one I had that didn't have that setting, if ever.
sacrosancty · 3 years ago
That's pretty much USB3-A isn't it? High speed data is separate from power and low speed data. You can have connectors with just one or the other.

Anyway, the world will be a worse place with just incremental incompatible tweaks to the so-called "universal" connectors so that they're never universal because of churn. Hopefully USB-C is the end of the line forever, whatever its flaws might be.

tedunangst · 3 years ago
Also remember to check your Halloween candy for razor blades.