WingNews logo WingNews
top | item 35539877

(no title)

HeavyFeather | 2 years ago

If you can connect your turned off phone to your computer and start a reset, then that’s never going to be enough.

If you want data safety, you must skip the data pins.

If you want current safety, you must skip public chargers.

discuss

order

tshaddox|2 years ago

If it’s “just a reset” I still wouldn’t be too worried plugging into an otherwise normally placed public charger. It would obviously suck to have my device reset, especially when traveling, but of course a port could also just fry your device anyway.

yencabulator|2 years ago

If it's just a USB-initiated factory reset, that's much less worrying, just DoS not infiltration. Exploiting that at a busy airport would be a huge nuisance, but not a huge security risk. Just like wiring 110VAC into the USB wires would be a DoS...

paulsutter|2 years ago

I would still prefer a “never trust” mode, even if it meant I had to go to an Apple store to do a reset (something I have never needed to do)

epups|2 years ago

I don't get it, even after I reset my phone it's still locked, and by default not sharing data via USB. What am I missing?

retrac|2 years ago

> not sharing data via USB

USB is a very intelligent protocol, with a microcontrollor on both ends. The controller has access to at least the driver's state, which is usually in the kernel and potentially has access to system memory.

How does your Android phone even know that data is an option to switch into when you plug it into a USB port? It has already negotiated itself to be a device on the USB bus. Your phone will probably show up in lsusb on Linux even in charging mode. (Mine does.) When you switch the phone to data mode, it changes its USB device profile, and becomes a more sophisticated attached device, from the host's perspective.

Many (most?) phones made in recent years can be USB hosts, too. This lets you connect a USB mouse and keyboard to a tablet, for example. That would open you up to all kinds of pretty simple but often quite effective attacks, like simulating a virtual keyboard and mouse and just manipulating the UI that way.

I don't know if any of these particular attacks are possible with Android right now, but many variations on these themes have been shown over the years on many platforms. USB wasn't really designed with adversarial peripherals in mind.

kccqzy|2 years ago

If the USB connection truly doesn't get data, your charging experience is unsatisfactory: there's no way for the phone to negotiate higher wattage.

Not "sharing data" doesn't really mean not sharing data.