FBI is warning people against using public phone-charging stations

257 points | mikece | 2 years ago | schneier.com

320 comments

[+] mtillman|2 years ago|reply
It really surprised me when this article blew up on Twitter as I thought it was common knowledge to never use public chargers and avoid untrusted usb anything after “bad usb”. It showed me how I live in a tech security bubble - a good reminder.
[+] ghaff|2 years ago|reply
Many people, including many people on this site (and, yes, including myself) wouldn't think twice about plugging into an available port if they need a charge. Maybe I don't plug into an unlabeled port in some random location where it doesn't look like it belongs, but honestly I wouldn't think twice about charging at a designated area at a conference.

(Though, yeah, I'd avoid a lot of "normal" activities if I ever attended BlackHat.)

[+] alpaca128|2 years ago|reply
To be fair I also didn't know for a long time that HDMI is not a trustworthy port and can be used to spread malware [0]. And I'm usually not thinking about that when plugging my laptop into a projector.

Maybe with USB you could get away by using a cable without data pins, but I'm not sure whether that may influence charging speed given USB-C is pretty flexible.

[0] https://news.ycombinator.com/item?id=31828193

[+] cuttysnark|2 years ago|reply
> common knowledge to never use public chargers

Perhaps here on HN. Most people will plug their smartphone into any accepting receptacle. Trains, airplanes, NYC SmartLink, or ask the bartender if they can plug it in behind the bar.

I still carry a DIY Altoids charger that takes a 9V battery (pulled down to proper volts for iPhone). In a battery emergency, my phone is simply on life support and I don't have to look for outlets that might also include a zero-day.

[+] tshaddox|2 years ago|reply
I probably would have guessed that software vulnerabilities were rare for just plugging your smartphone into a USB port (without some additional user approval on the device). Obviously a port could probably be easily configured to just fry your jack/device but that’s not a big part of my threat model anyway.
[+] Waterluvian|2 years ago|reply
Everyone wants everyone to be more informed about their subject matter area, but there just isn’t enough cognitive load for it all.

I’d like to just rely on my device to protect me by asking if I want to trust the device.

[+] pl90087|2 years ago|reply
I lately had trouble convincing some non-tech acquaintances that IoT "cloud-enabled" cameras all over their house (including bedroom) as an anti-break-in measure are a bad idea as those devices or the storage in some Chinese cloud could be hacked. They ridiculed this as "far fetched".

I'll never be able to bring up this risk with USB to those guys.

Edit: IoC typo -> IoT

[+] ok123456|2 years ago|reply
Getting a phone with a large enough battery (>5000mAh) is good opsec. I have a 10000 mAh battery in my phone, and I only need to charge about twice a week.
[+] CharlesW|2 years ago|reply
I'm seeing a lot of hysteria in response to this random tweet by the Denver FBI's social media person.

Do we know of a single real-world use of this hypothetical exploit? Do we know that iOS's (and presumably Android's) protection against untrusted device access isn't enough?

[+] enguinq123|2 years ago|reply
Anecdotally, I have had a previous iphone infected by using a public charging station at SFO a few years ago.
[+] _fat_santa|2 years ago|reply
It just doesn't seem like a plausible hack when you take in all the circumstances that have to line up correctly:

1. The station has to be using USB Ports / Charging cables that are data enabled, not just cables that carry power

2. The hacker would need some way of injecting the malware into the charging station ports without being seen, I doubt many charging stations are internet connected so you would have to be at the device.

3. You need to have an active exploit for iOS or Android (or both) that will compromise the device and steal its data.

It just seems like a lot of work for something that in all likelihood would not work.

[+] marcosdumay|2 years ago|reply
We do know of shady companies that sell "own this phone" USB devices to governments, but AFAIK they only sell to governments and the details aren't available to the public.

I have never heard about a non-government sponsored attacker doing that kind of thing. If this is relevant or not to you, it's a matter of your threat model. If I were a journalist, I would be very wary. Personally, I don't plug my phone on random outlets and don't plug random devices on my computers, but it's clearly an overreaction.

[+] l33t233372|2 years ago|reply
I think I recall such a thing happening at DEFCON. It was either that or USB sticks being handed out.
[+] thrashh|2 years ago|reply
Usually the risk for something like this is that there's some unexploited bug in the USB stack or the OS. Which, from what I know from writing software, I don't trust shit.

I think the risk is insanely low for your average person because you'd have to use an unpatched bug on a well-supported system, you'd have to bug a USB port in a popular place, and you'd need a reason to do all that.

But at the same time, this is well in the wheelhouse and capability of some bored teen with a lot of time who wants to screw with people FWIW. You could also have fun and write a worm that infects everyone that connects to your USB port and have it DDoS a website or something. The first worms were created by bored people.

[+] ajsnigrutin|2 years ago|reply
But how?

Most devices are charge-only by default, most users have USB debugging disabled, and those who know how to enable it, won't allow the adb server to connect to the phone (you have to explicitly give it permission).

[+] retrocryptid|2 years ago|reply
I believe the assertion is "just because you don't know how to do it doesn't mean it can't be done."

It turns out several generations of USB controllers did "undefined" things when presented with "undefined" behavior on the data pins. Sometimes "undefined" was "just doesn't work", sometimes it was "put data in physical memory, bypassing the MMU and its data protection features."

I've never seen it myself, but I worry someone out there has figured out how to do the same thing over the power lines.

[+] dataflow|2 years ago|reply
I don't know how this is done, but not everything USB connected is assumed to be a charger. For example the 2FA hardware tokens aren't assumed to be chargers by default. So I imagine this might be done by faking a different device.
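As an added illustration of the "faking a different device" point (not part of any comment in this thread): a dedicated charger does not enumerate as a USB device at all, so any configuration descriptor arriving on a port that is supposed to be power-only can be checked for the interface classes it declares. The policy function name and the sample descriptor are constructed for this example.

```python
import struct

DT_CONFIGURATION, DT_INTERFACE = 0x02, 0x04
# USB-IF base class codes (bInterfaceClass) a host is likely to act on.
CLASS_NAMES = {0x03: "hid", 0x06: "still-image", 0x08: "mass-storage",
               0x09: "hub", 0x0B: "smart-card", 0xFF: "vendor-specific"}

def parse_interfaces(blob):
    """Return (number, class, subclass, protocol) for each interface descriptor."""
    if len(blob) < 9 or blob[0] < 9 or blob[1] != DT_CONFIGURATION:
        raise ValueError("not a configuration descriptor")
    total = struct.unpack_from("<H", blob, 2)[0]
    if total > len(blob):
        raise ValueError("wTotalLength exceeds the bytes received")
    found, off = [], 0
    while off < total:
        if total - off < 2:
            raise ValueError("truncated descriptor header")
        length, dtype = blob[off], blob[off + 1]
        # A zero or oversized bLength would loop forever or read out of bounds.
        if length < 2 or off + length > total:
            raise ValueError("bad bLength at offset %d" % off)
        if dtype == DT_INTERFACE:
            if length < 9:
                raise ValueError("short interface descriptor")
            num, _alt, _eps, cls, sub, proto = struct.unpack_from("6B", blob, off + 2)
            found.append((num, cls, sub, proto))
        off += length
    return found

def audit_power_only_port(blob, allowed=frozenset()):
    """Hypothetical policy: list every declared interface class not explicitly allowed."""
    findings = []
    for num, cls, sub, proto in parse_interfaces(blob):
        if cls in allowed:
            continue
        name = CLASS_NAMES.get(cls, "class 0x%02x" % cls)
        if (cls, sub, proto) == (0x03, 0x01, 0x01):
            name = "hid boot keyboard"  # a device that can type into the host
        findings.append("interface %d: %s" % (num, name))
    return findings

# Constructed sample: one configuration exposing a single HID boot-keyboard interface.
KEYBOARD = bytes.fromhex(
    "09022200010100a032"   # configuration descriptor, wTotalLength = 34
    "090400000103010100"   # interface 0: class 0x03, subclass 1, protocol 1
    "092111010001223f00"   # HID class descriptor
    "0705810308000a"       # interrupt IN endpoint
)
```

Calling `audit_power_only_port(KEYBOARD)` reports the keyboard interface; a descriptor with a zeroed `bLength` is rejected with `ValueError` instead of being walked.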
[+] cookiengineer|2 years ago|reply
> But how?

Ask that your average parent using an Android 6 from a decade ago, not being able to update because the manufacturer decided to not support their devices anymore after a year.

There is no such thing as an updateable Android, because something will always be outdated. Even LineageOS builds are using decades old kernels and kernel mods that have never been backported or upstreamed.

Android has a huge update problem. I'd probably bet that stagefright or, say, the pegasus zeroday for whatsapp works still on a large percentage of devices even though it was leaked more than 5 years ago.

[+] kotaKat|2 years ago|reply
Lightning does more than just USB depending on how you signal the pins, including factory debug and diagnostics connections.

See also: the Bonobo JTAG/SWD debugging cable over Lightning. https://shop.lambdaconcept.com/home/37-bonobo-debug-cable.ht...

(While this 'technically' requires extra device flags, it's still the fact that Lightning has lots of hidden modes underneath its multiplexer.)

[+] pid-1|2 years ago|reply
I can picture a malicious actor convincing less tech savvy folks into enabling USB debugging to "unlock wifi speed" or some similar BS.
[+] mancerayder|2 years ago|reply
Anker batteries come in a zillion sizes, are cheap and are safe to plug into public chargers. With how hungry phones are these days, I don't know how people live without portable batteries.
[+] brianwawok|2 years ago|reply
It is almost impossible to drain my iPhone to 0 unless I am doing something really unhealthy, like staring at it for 10 hours. I take a charger with me on trips so I can charge over night, but otherwise.. it's literally not possible in my reasonable life to run my phone out of juice.

Back when I used Android, it was much more common that runaway apps would drain my phone in 2 hours. But now? Doing an Anker battery would be lugging around a bunch of dead weight.

[+] stametseater|2 years ago|reply
I usually go a week between charging. But then again I use my phone for checking and sending messages, not for gaming or browsing the net or anything like that.
[+] kitsunesoba|2 years ago|reply
For my own needs, carrying a compact foldable GaN power brick like the Anker 511 (or 747, if carrying my laptop) has been sufficient. Sleeping MacBooks also work as extremely fancy extremely high capacity power banks if the need arises, which in the past has covered the odd case where I'm not near an AC outlet.
[+] imdoor|2 years ago|reply
I'm curious, shouldn't the "charge only" mode, that's the default, when connecting usb stuff to Android phones, be enough to protect users? Is it really that difficult to implement a "don't read data pins, only charge" mode on a phone and not have vulnerabilities in it?
[+] HeavyFeather|2 years ago|reply
If you can connect your turned off phone to your computer and start a reset, then that’s never going to be enough.

If you want data safety, you must skip the data pins.

If you want current safety, you must skip public chargers.

[+] rhplus|2 years ago|reply
Your phone can only figure out if it’s connected to a known device (your car, your speaker, etc) by asking the data pins. A charge-only mode would “break” usability of the USB port for most users.
[+] shiftpgdn|2 years ago|reply
If you have a zero day takeover via usb/lightning why would you waste it on public charging infrastructure? That seems ridiculous.
[+] tzs|2 years ago|reply
I've come to think that whatever eventually replaces USB should add some separation between power and data. Let's call it MSB (Multiversal Serial Bus). Maybe something like this.

MSB would define 2 connectors: a data connector and a power connector.

MSB would also specify that if you have both data and power connectors they should be physically laid out in data/power pairs and would define the spacing/positioning (e.g., the power connector should be parallel to the data connector 2 mm apart with the power connector above the data connector).

The idea behind the layout specification is that for applications that need both the power and data connectors you could make cables that include both, with the housing at the ends holding the two connectors fixed so they can be treated as a unit when it comes to plugging into things.

The power port would include data lines, but they are just used for power negotiation.

The data port would include power, but just a fixed voltage and max current, comparable to pre-high power USB, so for low power peripherals you would just need to use a data port. I.e., for low power peripherals it is pretty much just like USB.

[+] tedunangst|2 years ago|reply
Also remember to check your Halloween candy for razor blades.
[+] tristor|2 years ago|reply
I don't use public chargers, and I use USB condoms for charging my devices even with chargers I own, because basically all the charging devices are made in untrustable supply chains. I thought this was common knowledge, and basically what everyone is doing. Wireless charging helps a lot with this, and I now prefer wireless charging whenever possible. The only devices I connect my devices to using USB are computers I control, I don't cross-contaminate between computers (e.g. anything plugged into my work laptop will never be plugged into a personal system, and vice versa). This is just basic hardware op-sec with USB.
[+] hprotagonist|2 years ago|reply
badUSB is what, nearly 20 years old now?

i distinctly remember making usb condoms a long time ago, anyway, and have never trusted public usb slots anyway.

[+] ineedtocall|2 years ago|reply
I had to look that age up. You're right, ~19 years ago[1] badUSB made its debut.

Another fun toy is the USB Gadget Kernel module. I've been running yolo + mouse/keyboard emulation on a raspberry pi to make horrible aim bots.

1. https://en.wikipedia.org/wiki/BadUSB

[+] api|2 years ago|reply
I've heard the somewhat-NSFW term "USB glory hole" for these.
[+] mfer|2 years ago|reply
When I see this I wonder, is the FBI warning us about something the CIA or NSA are doing?
[+] slicktux|2 years ago|reply
I usually drill out the data pins on a USB I plan on using for public charging stations…
[+] stametseater|2 years ago|reply
We badly need a DC electrical plug/jack standard that doesn't play double-duty as a data transmission standard. Innumerable small appliances and devices use DC power, solar panels make DC power, yet if you want to charge such devices you have to go through a DC->AC->DC conversion, or use USB which can evidently pwn your devices. What a sorry state of affairs.
[+] jrochkind1|2 years ago|reply
I'm surprised Schneier says "I am unconvinced".

We know (I think?) attackers can apparently easily introduce MitM skimmers to credit card swipers (I _think_ that's how my CC number keeps getting stolen?), possibly even without cooperation of the proprietor? Why not a little invisible injector on a charging port, that seems if anything easier.

Or is the skepticism around something else, I guess? Motivation? Lack of consistency over time of attack vectors around software injection via USB making it hard to commodify the attack? Like, there are only temporary zero days now and then which get patched, so this isn't a "cheap" thing to deploy on a wide scale?

[edit no idea why i'm getting downvoted on this, perhaps I didn't write it right but I'm legit just curious to hear people's takes on this, what reasons he might have been thinking of to not worry about this...]