HackerTrans
TopNewTrendsCommentsPastAskShowJobs

FBI is warning people against using public phone-charging stations(schneier.com)

257 points·by mikece·3 anni fa·320 comments
schneier.com
FBI is warning people against using public phone-charging stations

https://www.schneier.com/blog/archives/2023/04/fbi-advising-people-to-avoid-public-charging-stations.html

327 comments

mtillman·3 anni fa
It really surprised me when this article blew up on Twitter as I thought it was common knowledge to never use public chargers and avoid untrusted usb anything after “bad usb”. It showed me how I live in a tech security bubble-a good reminder.
ghaff·3 anni fa
Many people, including many people on this site (and, yes, including myself) wouldn't think twice about plugging into an available port if they need a charge. Maybe I don't plug into an unlabeled port in some random location where it doesn't look like it belongs, but honestly I wouldn't think twice about charging at a designated area at a conference.

(Though, yeah, I'd avoid a lot of "normal" activities if I ever attended BlackHat.)
wongarsu·3 anni fa
I've had booths on cyber security trade fairs hand out USB flash drives as prizes for spinning a wheel, with no awareness how that might seem odd. I guess people would be reluctant to accept them at BlackHat, but everywhere else people are very trusting towards USB stuff.
vGPU·3 anni fa
I take free USB drives any day. I always test them on the pc that belongs to the coworker that nobody likes first though ;)

In all seriousness though - 128gb usb 3.0 drives can be picked up for $10 on sale all day long. Absolutely no reason to trust some $0.25 random 4gb that a stranger gave you aside from running R-studio on it for fun or something.
lanstin·3 anni fa
I once worked at a place where the security team had a USB stick delivered to all the desktops with some digital brochure about not trusting strangers or some such. Not the cyber security team, but still.
jstarfish·3 anni fa
We send staged phishing emails internally to see who takes the bait.

Leaving USB sticks lying around with some sort of callback to see who plugs them in is a really clever idea. We could probably catch the serial number range in Defender ATP.
justsomehnguy·3 anni fa


  [autorun]
  
  open=you_didnt_read_the_brochure_right.exe
  icon=setup.exe,0
  label=My install CD
tablespoon·3 anni fa
> Many people, including many people on this site (and, yes, including myself) wouldn't think twice about plugging into an available port if they need a charge. Maybe I don't plug into an unlabeled port in some random location where it doesn't look like it belongs, but honestly I wouldn't think twice about charging at a designated area at a conference.

This is the solution to that problem:

https://www.amazon.com/PortaPow-3rd-Data-Blocker-Pack/dp/B00...

https://www.amazon.com/PortaPow-NA-USB-C-Data-Blocker/dp/B08...

https://www.amazon.com/PortaPow-Data-Blocker-USB-C-Converter...
dotancohen·3 anni fa
If you're already committed to carrying Yet Another Accessory, then why not just carry a small portable charging battery. Some models are not much larger than that USB connector, and could charge the phone more than sitting babysitting a charging phone for an hour.
ghaff·3 anni fa
Yeah, I normally carry bigger portable batteries but I've got a bunch of small ones that I've typically been given by vendors which are probably good for at least getting a phone off life support.
EMM_386·3 anni fa
Yes, I was in the hospital waiting room recently and they had a charging station with each type of available cable.

I charged me phone, fully aware of these sorts of issues. I just went with my gut instinct that, in that environment, it's highly unlikely that the cables have been "trojanized".

The FBI can warn about it, but what can you really do? You just have to trust your judgement as to what you feel are safe charging stations, and which may not be.
codethief·3 anni fa
> but what can you really do?

Get a USB condom, for instance, practice safer charging. :)
worthless-trash·3 anni fa
Android asks me if I want to have a device to allow access, This probably prevents attacks against the upper layer protocols. Is the risk vector here the USB stack itself?

I think its possible to disable the USB 'protocol' in Linux, but it would require advanced permissions on android, which probably doesn't work out of the box, with IOS who knows or cares.
codethief·3 anni fa
> Is the risk vector here the USB stack itself?

Yes, exactly. There are some comments here in the thread that discuss this in detail.
neodypsis·3 anni fa
This is a joke, but it could actually be a thing. An isolator that you can use to protect your device while using those unknown ports. I would call it an isolator though, or firewall, not what you called it.
smnrchrds·3 anni fa
It's not a joke, it's the (informal) industry term. See this for example:

https://www.zdnet.com/article/protect-your-data-with-a-usb-c...

https://lifehacker.com/use-a-usb-condom-to-protect-your-devi...
neodypsis·3 anni fa
Cool, didn't know they exist.
Abishek_Muthian·3 anni fa
Also now USB-C condom is also available, It was an issue since USB-C used data lines to negotiate voltage and I was tracking its need on my problem validation for a while now[1].

[1] https://needgap.com/problems/73-usb-type-c-condom-usb-cybers...
codethief·3 anni fa
> Also now USB-C condom is also available

Oh, I didn't know that! So what is the solution for USB-C? How do the new USB condoms work?
Abishek_Muthian·3 anni fa
I'm not completely sure, I read on reddit that USB-C condom has some form of proxy circuit to negotiate voltage; I hope someone with better knowledge in this can explain it better.
jrootabega·3 anni fa
You can even make a type of them yourself with rudimentary equipment, by cutting the data lines and connecting/not cutting the power lines. I believe you will lose the ability to negotiate faster charging, and I don't know if USB-C will work at all, but it still works otherwise.
Imogragi·3 anni fa
They make those. They are called data blocker cables and only have power pins, no data.
jstarfish·3 anni fa
...which are really annoying when you do need to transfer data to your phone, but all you have in your bag are data-blockers ;)
shallichange·3 anni fa
Not a joke. The thing exists
bsder·3 anni fa
Get a tiny GaN USB-C charger, throw it in your bag, and forget about the public "charging ports"?

I bought like 5 of these, threw them in my bags and luggage, and I don't worry about charging like ever. And my devices charge fast.

If I'm doing long flights, I generally bring a single power brick.
permo-w·3 anni fa
>(Though, yeah, I'd avoid a lot of "normal" activities if I ever attended BlackHat.)

I wonder whether you‘d take similar precautions on a site named Hacker News
Nevermark·3 anni fa
So far, web standards don’t support online supply of direct (constant) current, alternating (sine wave) current, they can only provide imaginary (square root of stealing your) current.

So you can’t trust any site for power.

—-

Although teleporting power Via quantum entanglement has been demonstrated as possible given a line of communication.

So crazily, “power over data” may happen one day.

Perhaps, we can all look forward to hackers draining our last 1% of battery power as a reward for not using end-to-end power encryption.
permo-w·3 anni fa
then you won’t mind if I mine some crypto on your machine?
stametseater·3 anni fa
A website would be hard pressed to emulate a keyboard plugged into my computer.
worthless-trash·3 anni fa
You say that now.

Wait till someone reprograms that arduino plugged into your USB via webUSB to be a HID device to do their bidding !
permo-w·3 anni fa
very true. nevertheless, I’m curious if you implicitly trust the security of links on HN?

I know I largely do, but perhaps that’s unwise, especially given the site’s stated target audience
TillE·3 anni fa
Serious browser exploits are extremely rare these days. Like, the worst you get is cryptocurrency mining while you're on the page.
vGPU·3 anni fa
I still get the occasional popup that gets past AdGuard on my phone and tries to add spam to my calendar on my iPhone but it’s definitely a lot better than it used to be. I got one a few months ago that had instructions on installing a custom management profile, now that cracked me up.
ghaff·3 anni fa
Accessing a known non-sketchy website? No.
permo-w·3 anni fa
hacker news is a link aggregator
brewdad·3 anni fa
If you've spent any time on here you know that no one actually clicks the links to read the article. Users need only trust the pages with an orange header.
permo-w·3 anni fa
I know I don’t but surely some people do

perhaps hacker news is merely a conversation prompt aggregator
ghaff·3 anni fa
I mean the upstream comment is basically saying don't trust clicking any links on the Internet--even on a site that presumably weeds out really dodgy stuff quickly. Indeed, not using the Internet is a solid, if rather extreme, security process to follow.
permo-w·3 anni fa
I wrote it, and that’s not what it’s saying
rvnx·3 anni fa
HN as a separate entity has practically no value, it could just be reddit.com/r/hackernews and it'd be practically the same.
permo-w·3 anni fa
reddit doesn’t have dang
hammyhavoc·3 anni fa
The thing about Reddit is that it has greater "discoverability" through search, profiles and algorithmic "hot" pages, so communities like that inevitably become swamped with low quality posts. There's a few niche subs that just degenerated into posting photos of purchases that arrived in the mail today instead of actually discussing the use of the tools.
chupasaurus·3 anni fa
I don't trust orange headers, only blue ones.
Xorakios·3 anni fa
grin
vGPU·3 anni fa
Which is exactly why they’re a great target. High traffic, good odds someone plugs the phone in and unlocks it while plugged in, etc.
alpaca128·3 anni fa
To be fair I also didn't know for a long time that HDMI is not a trustworthy port and can be used to spread malware [0]. And I'm usually not thinking about that when plugging my laptop to a projector.

Maybe with USB you could get away by using a cable without data pins, but I'm not sure whether that may influence charging speed given USB-C is pretty flexible.

[0] https://news.ycombinator.com/item?id=31828193
kube-system·3 anni fa
USB defaults to 5v if there is no negotiation, and it is said that many devices will draw 1a under these circumstances (even though technically the spec says they should expect less) -- it's the standard low speed charging that you'd get plugging your device into a dollar store charger.
cuttysnark·3 anni fa
> common knowledge to never use public chargers

Perhaps here on HN. Most people will plug their smartphone into any accepting receptacle. trains, airplanes, NYC SmartLink, or ask the bartender if they can plug it in behind the bar.

I still carry a DIY Altoids charger that takes a 9V battery (pulled down to proper volts for iPhone). In a battery emergency, my phone is simply on life support and I don't have to look for outlets that might also include a zero-day.
TheNewsIsHere·3 anni fa
I try to always travel with a “USB data condom”. The one I have is called a “PortaPow”, and it’s red. It was about $10 on Amazon and it’s a great investment for scenarios where I _reasonably_ trust a power-only USB port not to have been tampered with, like the built in ports on aircraft.
rsync·3 anni fa
I have long used usb condoms - even on my own, trusted ports.

Sometimes I just want to charge my phone from my laptop without triggering all kinds of finder and iTunes and photos interactions.

Same with a car - just power, please.
detrites·3 anni fa
Build condoms into the devices themselves via a next USB spec requiring a hardware switch to choose power-only / power+data and these kind of issues could disappear. Apple might hate it though. Then again, capacitive hardware switches could be ok.
cuttysnark·3 anni fa
> _reasonably_ trust a power-only USB ... like the built in ports on aircraft.

I'm with you, this might fall under "safe". Then again, from threads posted here and elsewhere, and through personal investigation...the infotainment systems on airplanes are an absolute disaster with regards to security and software design. They're often part of the same system as the provided USB ports. While the risk is small, there's nothing stopping 1 person from running a script that exploits some flaw in the outdated Linux distro the airline is using to manage their in-flight entertainment.

There's also a chance I'm paranoid and spend too much time here, but I'm gonna stick with my Altoids.
beefield·3 anni fa
I have thought a power bank would be a good enough condom - for my threat vectors, that is.
fortuna86·3 anni fa
Can you be reasonably certain they work?
TheNewsIsHere·3 anni fa
The one I have is designed to allow you to visually inspect the connector terminals. So at least regarding my (USB-A) ones, I can confirm only the power lanes exist.
tshaddox·3 anni fa
I probably would have guessed that software vulnerabilities were rare for just plugging your smartphone into a USB port (without some additional user approval on the device). Obviously a port could probably be easily configured to just fry your jack/device but that’s not a big part of my threat model anyway.
adastra22·3 anni fa
You would have guessed wrong. Most devices, especially multi-vendor android devices, have exploitable subsystems which never touch the UI visible OS layer.
Waterluvian·3 anni fa
Everyone wants everyone to be more informed about their subject matter area, but there just isn’t enough cognitive load for it all.

I’d like to just rely on my device to protect me by asking if I want to trust the device.
pl90087·3 anni fa
I lately had trouble convincing some non-tech acquaintances that IoT "cloud-enabled" cameras all over their house (including bedroom) as anti-break-in measure are a bad idea as those devices or the storage in some chinese cloud could be hacked. They ridiculed this as "far fetched".

I'll never be able to bring up this risk with USB to those guys.

Edit: IoC typo -> IoT
IggleSniggle·3 anni fa
I know IoC as “Indicators of Compromise.” While that’s kinda true here, that’s not how you used it. What is IoC short for in your parlance?
genezeta·3 anni fa
Probably meant "IoT cameras".

Though apparently the "Internet of Cows" is something.
pl90087·3 anni fa
IoT. Sorry.
Accacin·3 anni fa
Why do you feel the need to mention "chinese"? Any cloud storage is liable to be hacked.
mikrotikker·3 anni fa
Because they're the dodgiest, lowest cost, cheapest option. And they like to spy/ddos.
ok123456·3 anni fa
Getting a phone with a large enough battery (>5000mAh) is good opsec. I have a 10000 mAh battery in my phone, and I only need to charge about twice a week.
computerfriend·3 anni fa
What kind of phone do you have?
CharlesW·3 anni fa
I'm seeing a lot of hysteria in response to this random tweet by the Denver FBI's social media person.

Do we know of a single real-world use of this hypothetical exploit? Do we know that iOS's (and presumably Android's) protection against untrusted device access isn't enough?
enguinq123·3 anni fa
Anecdotally, I have had a previous iphone infected by using a public charging station at SFO a few years ago.
ghostpepper·3 anni fa
Can you elaborate on this? What kind of phone? Android or iOS? Fully patched? What kind of infection? How did you discover it? How did you get rid of it?
kevviiinn·3 anni fa
I bet their iphone was running android
Alupis·3 anni fa
There have been many jailbreaks available that only required plugging the phone in and running some program on the other end of the cable. There's been jailbreaks where all you needed to do was visit a website... Apple's security isn't as bullet-proof as some make it out to be.

So, is it plausible a malicious charging station could gain root and sideload something nefarious on an iPhone? Absolutely. Particularly for non-tech-savvy folks desperate to get a charge before their connecting flight...

Has it happened? ...No idea. I guess that's where the anecdotes come in...
kevviiinn·3 anni fa
My point was that the person who made the comment stating that they had an iPhone, the person I'm replying to went on to ask them if they had iOS or android
Alupis·3 anni fa
Good point, I missed that bit upstream.

My general point about how easy it can be to maliciously root someone's device stands, so I will leave my comment as-is.

Folks - don't plug your devices into untrusted USB ports...
ghostpepper·3 anni fa
It’s been many years since I rooted (or even owned) an android phone but is there really no interaction from the user required beyond plugging it in? On iOS there’s a pop up asking if you want to trust the computer, and that’s after you’ve unlocked the screen
Alupis·3 anni fa
For a non-techy, the hurdles you just described are an annoyance in the way of getting a quick charge - not obvious security issues. After all, this charging station is operated by the amusement park/airport/conference/whatever... if it asks you to approve it why not?

And yes, in the past many iOS jailbreaks were shockingly simple. The website one in particular - you went to a URL and clicked a button... your phone rebooted and was jailbroken.
kevviiinn·3 anni fa
Usually it requires enabling developer mode and enabling USB adb
Tagbert·3 anni fa
did you have to say yes to the “trust this computer” question to enable data exchange?
Alupis·3 anni fa
Your non-tech-savvy folks will pound through nearly any popup if they are desperate to get a charge before their connecting flight, for instance.

The popup really should be a toggle somewhere in the settings that forces a user to explicitly enable data - not a popup users are mostly self-trained into ignoring.

Additionally, real charging stations should not offer cables with data lines at all.
rsync·3 anni fa
You’re going to need to elaborate here … that’s genuinely interesting if true …

More details?
_fat_santa·3 anni fa
It just doesn't seem like a plausible hack when you take in all the circumstances that have to line up correctly:

1. The station has to be using USB Ports / Charging cables that are data enabled, not just cables that carry power

2. The hacker would need some way of injecting the malware into the charging station ports without being seen, I doubt many charging stations are internet connected so you would have to be at the device.

3. You need to have an active exploit for iOS or Android (or both) that will compromise the device and steal it's data.

It just seems like alot of work for something that in all likelyhood would not work.
feoren·3 anni fa
None of these are necessary, except half of #2. All you'd need is a "middleman" device that is subtle enough to avoid notice by the person plugging in, just like how credit card skimmers work.

> 1. The station has to be using USB Ports / Charging cables that are data enabled, not just cables that carry power

Doesn't matter, because you're (unwittingly) plugging into the attacker's device, not the station's.

> 2. The hacker would need some way of injecting the malware into the charging station ports without being seen, I doubt many charging stations are internet connected so you would have to be at the device.

You don't need to "inject" anything; you just need to physically place it between the user and the actual port and disguise it enough that people not paying attention won't notice. Or even just put a fake "charging station" in a place that the station didn't have one.

> 3. You need to have an active exploit for iOS or Android (or both) that will compromise the device and steal it's data.

People are plugging in their phone so they can use it. They'll plug in the phone, unlock it, and browse the internet. What can't you do in that situation?
marcellus23·3 anni fa
> They'll plug in the phone, unlock it, and browse the internet.

iOS devices (maybe Android too, idk) ask you if you want to allow new accessories to access your device. That's why they said you need an exploit.
gregmac·3 anni fa
I don't have an iOS device to test, but just found a video [1] showing someone connecting a USB keyboard and immediately using it with no prompts. Same on Android.

Even better, here's [2] a direct example of this attack using an O.MG cable [3].

[1] https://youtu.be/COndab_rQkE?t=76

[2] https://www.youtube.com/watch?v=7YpJQT55_Y8

[3] https://shop.hak5.org/products/omg-cable
OJFord·3 anni fa
Android allows you to select the 'USB mode' between charging, MTP/PTP media transfer, debugging (if enabled), and filesystem.

If not an exploit, you need the victim to do something a lot more obviously (though the absolute obviousness of course remains debatable) dumb/risky than merely plug in.
yardstick·3 anni fa
“This fast charge station requires accessories access to your device for high speed charging”

Anyone who would believe a notice like that (or would click trust without thinking) is a prime target.

It’s like many scam/spam emails- they often intentionally look a bit dubious, poor grammar, typos etc as the attacker just wants to deal with low hanging fruit, not someone who may wise up quickly that something isn’t right.
mulmen·3 anni fa
Given what I know of battery technology that seems like a plausible requirement. Why wouldn’t the phone and charger communicate?
worthless-trash·3 anni fa
If you attack the right part of the USB stack, the prompt and its answer dont matter.
erik_seaberg·3 anni fa
If a malformed packet can trigger RCE in the USB stack, there wouldn’t be a prompt, right?
worthless-trash·3 anni fa
Thats how i'm seeing it.
standardUser·3 anni fa
I'm confused about #1. If I have a power adapted plugged into the wall, and a USB cable from that power adapted to my phone, how exactly could my phone be compromised?
yardstick·3 anni fa
The scenario was talking about a power bank where you plug a USB cable into, not where you plug your own power adapter into. Lots of people, myself included, don’t carry power adapters or even charging cables on them on a day-to-day basis.

Using your own power adapter and own power cable you will be fine.

Unless someone has tampered with either of them while you were distracted momentarily but that’s too high risk/inconvenient for an attacker for you to worry about.
l33t233372·3 anni fa
The attack involves placing a device between the cord and the wall.
pphysch·3 anni fa
More practically, you visit a place that has public chargers, you study them and create a compromised clone, and then you swap out the real one. Like card skimmers.
meling·3 anni fa
Maybe a better attack would be to create and sell a usb condom with malware built in.
marcosdumay·3 anni fa
We do know of shady companies that sell "own this phone" USB devices to governments, but AFAIK they only sell to governments and the details aren't available to the public.

I have never heard about a non-government sponsored attacker doing that kind of thing. If this is relevant or not to you, it's a matter of your threat model. If I were a journalist, I would be very weary. Personally, I don't plug my phone on random outlets and don't plug random devices on my computers, but it's clearly an overreaction.
tonyarkles·3 anni fa
Heh, if I'm remembering right, a couple of years ago there was a public charging station at DEFCON that was sponsored by the NSA. I did not plug my phone into it :D
marcosdumay·3 anni fa
That one became famous. It said something like "Powered by the NSA. You know you want to do it."

(And no, I've never been to DEFCON. It really became famous.)
l33t233372·3 anni fa
I think I recall such a thing happening at DEFCON. It was either that or USB sticks being handed out.
thrashh·3 anni fa
Usually the risk for something like is that if there's some unexploited bug in the USB stack or the OS. Which, from what I know from writing software, I don't trust shit.

I think the risk is insanely low for your average person because you'd have to use an unpatched bug on a well-supported system, you'd have to put bug a USB port in a popular place, and you'd need a reason to do all that.

But at the same time, this is well in the wheelhouse and capability of some bored teen with a lot of time who wants to screw with people FWIW. You could also have fun and write a worm that infects everyone that connect to your USB port and have it DDoS a website or something. The first worms were created by bored people.
thinkmassive·3 anni fa
Thousands of O.MG cables are out in the wild… https://shop.hak5.org/products/omg-cable
CharlesW·3 anni fa
Wouldn't this be considered the same attack? Users would connect the cable, unlock their phone, and then would need to explicitly "Trust" the external device attempting to connect to their phone via USB.

I suppose the difference is that people may be using the cable to connect to a device where that prompt is expected, in contrast to the "charging port in an airport" scenario where it would seem appropriately alarming.
thinkmassive·3 anni fa
If the phone is unlocked, a badUSB-type device can do anything a keyboard can do, so it’s far from completely harmless.
WakoMan12·3 anni fa
ajsnigrutin·3 anni fa
But how?

Most devices are charge-only by default, most users have USB debugging disabled, and those who know how to enable it, won't allow the adb server to connect to the phone (you have to explicitly give it permission).
retrocryptid·3 anni fa
I believe the assertion is "just because you don't know ow how to do it doesn't mean it can't be done."

It turns out several generations of USB controllers did "undefined" things when presented with "undefined" behavior on the data pins. Sometimes "undefined" was "just doesn't work", sometimes it was "put data in physical memory, bypassing the MMU and it's data protection features."

I've never seen it myself, but I worry someone out there has figured out how to do the same thing over the power lines.
tshaddox·3 anni fa
> I believe the assertion is "just because you don't know ow how to do it doesn't mean it can't be done."

Okay, but tell me how it can be done if you want me to take the threat seriously. You could also say “always store your phone in a sound-isolating container because attackers can hack your phone with ultrasonics.”
stametseater·3 anni fa
> Okay, but tell me how it can be done if you want me to take the threat seriously.

That is not a precautionary attitude. I don't know how a candle left unattended in the middle of my granite counter island could light anything on fire, there aren't any drapes near it, but I'm not going to leave it unattended so I can find out.
tshaddox·3 anni fa
Indeed, I’m explicitly rejecting the precautionary principle.
retrocryptid·3 anni fa
Oh. So you're a bitcoin exchange CEO?
dataflow·3 anni fa
I don't know how this is done, but not everything USB connected is assumed to be a charger. For example the 2FA hardware tokens aren't assumed to be chargers by default. So I imagine this might be done by faking a different device.
wongarsu·3 anni fa
The malicious charger can pretend to be keyboard, mouse and screen, and just remote control the phone. Or just a keyboard, if you want to an easier implementation. At least Android phones are completely usable this way, with universal keyboard/mouse support and widespread USB-C display support. Without any confirmation steps.
dataflow·3 anni fa
If a keyboard is the attack vector, what I don't get is: why not suggest people lock their phones and charge them when they're locked? Or maybe even shut them down and charge them before booting. Is there any reason not to suggest those? It certainly seems more practical than telling people they're out of luck, unless there are other attack vectors - in which case, what are they?
jerlam·3 anni fa
Most people use public charging ports are the same ones who want to use their phone while charging.

Physical security is also a consideration, I wouldn't really suggest that people leave their phones plugged into the wall in a public or semi-public place.
amelius·3 anni fa
If this is true, then just use a charging cable with only the two power wires in it.
pastage·3 anni fa
What is in the connector? While the only evil usb connectors I have seen are the big ones. Putting evil in and lighting or usb-c should be more than possible.
cookiengineer·3 anni fa
> But how?

Ask that your average parent using an Android 6 from a decade ago, not being able to update because the manufacturer decided to not support their devices anymore after a year.

There is no such thing as an updateable Android, because something will always be outdated. Even lineageOS builds are using decades old kernels and kernel mods that have never been backported or upstreamed.

Android has a huge update problem. I'd probably bet that stagefright or, say, the pegasus zeroday for whatsapp works still on a large percentage of devices even though it was leaked more than 5 years ago.
blacksmith_tb·3 anni fa
Hmm, if someone is using a phone from a decade ago, they will certainly be vulnerable to evil charging stations, as their battery will almost certainly be extremely tired (then again, phones that old were a lot easier to replace batteries in, so maybe there's some hope).
kotaKat·3 anni fa
Lightning does more than just USB depending on how you signal the pins, including factory debug and diagnostics connections.

See also: the Bonobo JTAG/SWD debugging cable over Lightning. https://shop.lambdaconcept.com/home/37-bonobo-debug-cable.ht...

(While this 'technically' requires extra device flags, it's still the fact that Lightning has lots of hidden modes underneath its multiplexer.)
pid-1·3 anni fa
I can picture a malicious actor convincing less tech savvy folks into enabling USB debugging to "unlock wifi speed" or some similar BS.
jstarfish·3 anni fa
Heh. Reminds me of the warez days.

"Can't install this shady pirated software you got from a malware-adjacent site? Try disabling your antivirus!"
adastra22·3 anni fa
Baseband exploits.
mancerayder·3 anni fa
Anker batteries come in a zillion sizes, are cheap and are safe to plug into public chargers. With how hungry phones are these days, I don't know how people live without portable batteries.
brianwawok·3 anni fa
It is almost impossible to drain my iPhone to 0 unless I am doing something really unhealthy, like staring at it for 10 hours. I take a charger with me on trips so I can charge over night, but otherwise.. it's literally not possible in my reasonable life to run my phone out of juice.

Back when I used android, it was much more common that runaway apps would drain my phone in 2 hours. But now? Doing a anker battery would be lugging around a bunch of dead weight.
iLoveOncall·3 anni fa
Just go on a trip where you use your GPS a lot and take pictures with your phone and it will last half a day at best.
ghaff·3 anni fa
Especially if your phone isn't new and doesn't hold quite as much charge any longer. I've definitely ended up plugging my phone into a portable battery when traveling. But usually if I'm out and about and using GPS and camera a lot, I'll have some sort of small bag with me for water, snack, additional clothing, etc. anyway so easy to throw a battery and cable in.
jstarfish·3 anni fa
Some of them are solar-equipped or have hand-cranks for emergency charging. Usually a built-in flashlight too.
Accacin·3 anni fa
If my phone is at risk of running out, I just take my wall charger, find a nice cafe to sit down in and plug in my charger whilst having some lunch. I've never had anyone complain at me about it, although I'm normally buying food and drinks so I'm not just leaching electricity.
jahewson·3 anni fa
Why would GPS use more power? It’s only receiving.
pja·3 anni fa
There’s a fair amount of signal processing going on inside a GPS device.

Modern GPS chips only need around 25mW apparently - older chips can pull 100mW though. Scanning needs a bit more power than tracking.
pastage·3 anni fa
Is it the same on sport watches? They seem to easily do 24h when doing GPS tracking. That is the popular models there are watches that can track more than 100h (but they always have bigger batteries). This is impressive for me since I remember doing tracking back in 2005 and that meant using lots of batteries.

On phones I think the problem mainly is that the GPS needs to wake up an app that need to handle the GPS data and then do some calculations. You can easily get data ten times a second that is alot of wake up from sleep, and probably draws lots of CPU.
pja·3 anni fa
Yes. same chips. I suspect you’re right - it’s not the GPS itself that’s the problem but waking up the main CPU to run whichever App has requested location data.
1123581321·3 anni fa
The phone’s not always using true GPS (reading satellites.) When it does, it uses more energy. In a difficult environment it scans for more satellites than usual, which uses even more energy.

Basically, the phone’s battery life depends on disabling hardware components, or running them in a low power mode, as much as possible.
joncrocks·3 anni fa
When people are using their phone's GPS they typically have the screen on (using maps/navigating etc.) more than usual.

I think most of the drain comes from that rather than the GPS unit itself. But people might say "using my phone's GPS uses a lot of battery."
brianwawok·3 anni fa
My iPhone has not had this problem in years.
have_faith·3 anni fa
Ditto. I haven't took a spare charger with me on my last few (city) trips. I just charge in the hotel and it lasts all day.
stametseater·3 anni fa
I usually go a week between charging. But then again I use my phone for checking and sending messages, not for gaming or browsing the net or anything like that.
kitsunesoba·3 anni fa
For my own needs, carrying a compact foldable GaN power brick like the Anker 511 (or 747, if carrying my laptop) has been sufficient. Sleeping MacBooks also work as extremely fancy extremely high capacity power banks if the need arises, which in the past has covered the odd case where I'm not near an AC outlet.
TheNewsIsHere·3 anni fa
I also travel with a compact Anker GaN charger and I _love_ that thing.
imdoor·3 anni fa
I'm curious, shouldn't the "charge only" mode, that's the default, when connecting usb stuff to Android phones, be enough to protect users? Is it really that difficult to implement a "don't read data pins, only charge" mode on a phone and not have vulnerabilities in it?
HeavyFeather·3 anni fa
If you can connect your turned off phone to your computer and start a reset, then that’s never going to be enough.

If you want data safety, you must skip the data pins.

If you want current safety, you must skip public chargers.
tshaddox·3 anni fa
If it’s “just a reset” I still wouldn’t be too worried plugging into an otherwise normally placed public charger. It would obviously suck to have my device reset, especially when traveling, but of course a port could also just fry your device anyway.
yencabulator·3 anni fa
If it's just a USB-initiated factory reset, that's much less worrying, just DoS not infiltration. Exploiting that at a busy airport would be a huge nuisance, but not a huge security risk. Just like wiring 110VAC into the USB wires would be a DoS...
paulsutter·3 anni fa
I would still prefer a “never trust” mode, even if it meant I had to go to an Apple store to do a reset (something I have never needed to do)
epups·3 anni fa
I don't get it, even after I reset my phone it's still locked, and by default not sharing data via USB. What am I missing?
retrac·3 anni fa
> not sharing data via USB

USB is a very intelligent protocol, with a microcontrollor on both ends. The controller has access to at least the driver's state, which is usually in the kernel and potentially has access to system memory.

How does your Android phone even know that data is an option to switch into when you plug it into a USB port? It has already negotiated itself to be a device on the USB bus. Your phone will probably show up in lsusb on Linux even in charging mode. (Mine does.) When you switch the phone to data mode, it changes its USB device profile, and becomes a more sophisticated attached device, from the host's perspective.

Many (most?) phones made in recent years can be USB hosts, too. This lets you connect a USB mouse and keyboard to a tablet, for example. That would open you up to all kinds of pretty simple but often quite effective attacks, like simulating a virtual keyboard and mouse and just manipulating the UI that way.

I don't know if any of these particular attacks are possible with Android right now, but many variations on these themes have been shown over the years on many platforms. USB wasn't really designed with adversarial peripherals in mind.
epups·3 anni fa
Maybe I'm stupid but what I gather from this is simply that this is a potential vector, not that it is currently an actual possibility. It's akin to saying using Bluetooth is dangerous because theoretically any data on my phone can be extracted through it, while neglecting the fact that the people building a phone OS are clearly aware of that and have built-in countermeasures.
kccqzy·3 anni fa
If the USB connection truly doesn't get data, your charging experience is unsatisfactory: there's no way for the phone to negotiate higher wattage.

Not "sharing data" doesn't really mean not sharing data.
[deleted]·3 anni fa
StrangeATractor·3 anni fa
https://en.wikipedia.org/wiki/BadUSB
upofadown·3 anni fa
BadUSB emulates a keyboard. So one would want to make sure that the phone was locked before hooking it up to a random charging port. Android exploit demo here:

* https://github.com/caioau/badUSB-Targeting-Android
rhplus·3 anni fa
You phone can only figure out if it’s connected to a known device (your car, your speaker, etc) by asking the data pins. A charge-only mode would “break” usability of the USB port for most users.
was8309·3 anni fa
android 11 asks me if i want to charge only or also allow data transfer. Is it that we can't trust android to be not be hacked just by checking if data pins exist?
ensignavenger·3 anni fa
My phone asks me if I am connected to a trusted device and want to share data, asking me rather than asking the device if it is trusted seems to be an effective model.
shiftpgdn·3 anni fa
If you have a zero day takeover via usb/lightning why would you waste it on public charging infrastructure? That seems ridiculous.
xeromal·3 anni fa
It's not really. Supposed a nefarious group wants to get ahold of an executives phone who always flies out of LAX or goes to a certain mall and uses a public charger. It would be smart to zero day one of those and if a few extra people are exploited, maybe some bonus bank info.
bbarn·3 anni fa
This is typical hacker movie nonsense. In real life, if they want something from said executive they just kidnap him, threaten violence, and he gives them what they want instantly. Or just knock him out cold from behind, take his shit, and crack into it themselves.
comte7092·3 anni fa
There is way more risk involved in kidnapping someone, not to mention the fact that you’ve just given away the fact that you’re surveilling them.
johncessna·3 anni fa
I think it depends on what your goals are. If you want something that executive has and want to deal with the messiness of multiple other crimes, then sure, that'll work.

If you're just passively collecting data and hoping to land 'a' executive or someone else in business with access to power and/or money, or can be used to pivot to someone else, I think it'd be an effective tool.
slig·3 anni fa
After Stuxnet, I wouldn't discard that possibility.
xeromal·3 anni fa
Exactly what I was thinking of when I wrote this. They left USBs on the ground hoping the right person would pick it up.
yencabulator·3 anni fa
It's worth noting that Stuxnet was very careful not to even reveal its capabilities if it happened to infect a non-target host. It was still a very targeted attack, and not "everyone had their bank accounts hacked" risk.

(It still infected untargeted PCs, and might have caused them to misbehave, but not intentionally. Stuxnet was designed for stealth, not for mass exploitation. You the average PC owner has very little to fear from such targeted attacks, you're not worth the 0days.)
computerfriend·3 anni fa
There are pros and cons to both approaches.
TedDoesntTalk·3 anni fa
What other attack vector would you choose?
londons_explore·3 anni fa
You could ship the victim malicious USB cables in the mail with amazon branding on the box.

Many people would use them, assuming they were just mis-shipped or ordered by their spouse.
opwieurposiu·3 anni fa
This would totally work on me. My wife is always buying USB cables from amazon, IDK what we do with them all.
lfowles·3 anni fa
Or is she....
Xylakant·3 anni fa
Hard learned fact: USB cables are consumables, just like ink or toner for your printer. They need to be refilled every so often.
londons_explore·3 anni fa
It's a real shame that the USB standards creators didn't work harder on error-proofing and longevity.

If I were on the standards committee, I would have made every pin interchangeable - ie. any pin can be gnd, any pin can be Vbus, any pin for data, etc. When plugged in, the device on the end would test every pin, and then decide which to use for data and which to use for power.

That way, when a cable gets a bit old and 3 out of 30 pins are shorted or dirty or otherwise bad, the cable works but simply delivers 90% of the power it used to.

The absolute cheapest cables could have just 2 pins, and would be slow and low power, but still fully 'working'.

This wouldn't have added much cost to most devices either - most devices have a dedicated IC for USB functionality, and that IC can deal with muxing signals and power. On devices which only take power, a simple array of diodes can take power from any pin. Data signals could be capacitively coupled, meaning the muxing could be done on a single chip without needing special high voltage silicon processes (the cost of a chip goes up a lot as soon as you want it to deal with high voltages on any pin).
thomastjeffery·3 anni fa
...leaving a literal paper trail of package location tracking? Mail fraud is considered serious. Why commit an extra crime?
NoZebra120vClip·3 anni fa
Less serious than tampering with fixtures in a secure area at an American international airport?
thomastjeffery·3 anni fa
I would imagine that leaving a charger plugged in to a public outlet is not as interesting as you have presented it to be.

Sure, you would be leaving evidence, but if your plan works, that evidence won't be sought out anyway.

If you sent a mysterious package, it wouldn't be strange or out-of-character for someone to investigate that package intentionally: which presents a significant attack surface for the discovery of your ruse.
NoZebra120vClip·3 anni fa
Here's what you do without leaving obvious chargers dangling out of outlets. You don't need to even send a guy in a maintenance uniform out to the site, or tamper with installed equipment.

You're a decently high-capacity Chinese factory that makes custom USB outlets. You make a "special" line with a zero-day chip or firmware inline with a cable. The cable only needs to be a little fatter to accommodate some unobtrusive electronics. They are slid under the insulation and there is no dedicated PCB that may attract scrutiny.

You wait until the order comes in for the site(s) you wish to target, and you ship them off.

The countermove to this, of course, is that the installer does a fuzz test of the charging station with a few common devices, trying to tickle the bug, and also a protocol analyzer that will inspect the USB data stream for anything out of the ordinary.

My armchair quarterback mind says that the above security testing should be fairly effective if you are dealing with a low-level adversary. A state-sponsored one with sufficiently large enough state would not be hindered by puny countermeasures like that, and would be able to target more accurately.

Here's another countermeasure on the consumer level: optocoupling. This is good to mitigate voltage and amperage damage, even accidental or unintentional types. I suppose it would prevent charging too, but there's got to be something useful about it.
mywittyname·3 anni fa
Exactly, and you'll be on video.

You can buy stamps from a vending machine with cash.
pnpnp·3 anni fa
If, and that’s a big if, the victim was able to trace the infection back to a charging port, then have the time, resources, and capability to debug the chips.

That’s all assuming the bad port wouldn’t have been removed, and video might just show regular “maintenance.”

Yeah, it’s all above and beyond, but I think it’s in the realm of possibility for a high level target (see: stuxnet et al)
dpc050505·3 anni fa
It's extremely easy to use cash to pay for postage. Slap fake sender information on the package and you'll be very difficult to find.
kevin_thibedeau·3 anni fa
You can put a padded envelope into a public mailbox.
aaomidi·3 anni fa
You’d use it to attack the targets you care about rather than just the general public.
pc86·3 anni fa
The way you attack a specific target without alerting them (or at least making them suspicious) is to attack them indirectly.

The sibling comment above is an excellent example of why you might specifically target public infrastructure if you only really care about one person.
rch·3 anni fa
USB charging ports on aircraft.
bakugo·3 anni fa
I'm inclined to agree, an exploit this powerful would almost definitely be used for targeted attacks only.
ghostpepper·3 anni fa
This was the prevailing wisdom for many years but the recent watering-hole attack by China has made me reconsider this position.

https://www.eff.org/deeplinks/2019/09/watering-holes-and-mil...
aaron695·3 anni fa
tzs·3 anni fa
I've come to think that whatever eventually replaces USB should add some separation between power and data. Let's call it MSB (Multiversal Serial Bus). Maybe something like this.

MSB would define 2 connectors: a data connector and a power connector.

MSB would also specify that if you have both data and power connectors they should be physically laid out in data/power pairs and would define the spacing/positioning (e.g., the power connector should be parallel to the data connector 2 mm apart with the power connector above the data connector).

The idea behind the layout specification is that for applications that need both the power and data connectors you could make cables that include both, with the housing at the ends holding the two connectors fixed so they can treated as a unit when it comes to plugging into things.

The power port would include data line, but they are just used for power negotiation.

The data port would include power, but just a fixed voltage and max current, comparable to pre-high power USB, so for low power peripherals you would just need to use a data port. I.e., for low power peripherals it is pretty much just like USB.
[deleted]·3 anni fa
i_am_jl·3 anni fa
Why not offload this to the device?

Why doesn't my device today have an option that allows me to set the USB port to "power only"?
mr_mitm·3 anni fa
My Android does that. And at least with thunderbolt I can enable thunderbolt security on my laptop, which essentially does that.
Tommstein·3 anni fa
Because you don't have an Android? I don't remember the last one I had that didn't have that setting, if ever.
i_am_jl·3 anni fa
Try plugging a keyboard into your phone.

That setting does not work the way you think it does.
yencabulator·3 anni fa
(Apart from very low level USB firmware stack attacks:)

That's a purely software issue, though, and actually easier to solve on phones (with built-in display+input) than on PCs (how to trust a keyboard/mouse without having keyboard/mouse to input approval with?).

https://usbguard.github.io/
i_am_jl·3 anni fa
>That's a purely software issue, though,

I know, that's why I'm so annoyed! And Android is already half-way there; they've already acknowledged that I should be able to control how my phone interacts over USB with a PC, now all that's left is a proactive control that sets the mode for the USB port globally instead of asking my preference in reaction to a device being connected.

>and actually easier to solve on phones (with built-in display+input) than on PCs (how to trust a keyboard/mouse without having keyboard/mouse to input approval with?).

I feel like PCs are less of an issue; I'm not out with my PC at a coffee shop or bus station when suddenly I'm tempted to use the publicly available USB keyboard. At least to me phones and tablets seem like the problematic devices here since charging them (with a wire at least) necessitates connecting them via USB.
sacrosancty·3 anni fa
That's pretty much USB3-A isn't it? High speed data is separate from power and low speed data. You can have connectors with just one or the other.

Anyway, the world will be worse place with just incremental incompatible tweaks to the so-called "universal" connectors so that they're never universal because of churn. Hopefully USB-C is the end of the line forever, whatever its flaws might be.
tedunangst·3 anni fa
Also remember to check your Halloween candy for razor blades.
manishsharan·3 anni fa
There are USB "condom" cables available which do not have data wire. https://www.zdnet.com/article/protect-your-data-with-a-usb-c...

I don't have those; I just charge my portable battery first and then charge my devices from the battery.
SketchySeaBeast·3 anni fa
But then your phone will have been with every port your battery pack has been with!

An alternative is also a power only USB cable, just because I feel like I'm less likely to lose a whole cable than a "condom".
hibbelig·3 anni fa
> But then your phone will have been with every port your battery pack has been with!

It's unclear to me what this means. I thought it works like this:

- Connect battery pack to USB port - USB port tries to hack the battery pack, but it's too dumb, so the attempt goes nowhere. The charge flows nicely, though. - Disconnect battery pack from USB port - Connect device to battery pack
SketchySeaBeast·3 anni fa
Oh, it was strictly a joke that was stretching the condom/STI metaphor.
palata·3 anni fa
> USB port tries to hack the battery pack, but it's too dumb

Are you certain it is?
LegitShady·3 anni fa
I haven't seen many of those data blockers that support quick charge and thats pretty important when using some kind of public charging station.

I, like you, charge a portable battery that can refill my phone 2-3x without issue.
tristor·3 anni fa
I don't use public chargers, and I use USB condoms for charging my devices even with chargers I own, because basically all the charging devices are made in untrustable supply chains. I thought this was common knowledge, and basically what everyone is doing. Wireless charging helps a lot with this, and I now prefer wireless charging whenever possible. The only devices I connect my devices to using USB are computers I control, I don't cross-contaminate between computers (e.g. anything plugged into my work laptop will never be plugged into a personal system, and vice versa). This is just basic hardware op-sec with USB.
dehrmann·3 anni fa
> USB condoms

I have one of these. I like that I can look in it and see that it has no data pins

> Wireless

I know you meant charging, but for data, with some of the spy cables out there with embedded chips and wireless access, it's ironic that wireless is in some ways more secure.
marcosdumay·3 anni fa
The wireless charging port is an specialized one. That's why it's more secure. The wireless data transfer options vary from "it's broken, forget about it" to actually quite secure, but the charging isn't done through them.

When people decided to use USB for everything, well, they had to make USB support every use case.
meling·3 anni fa
Not all usb condoms show the connections. I got one from a well-known vendor at a conference. Seems like an easier attack vector to create and sell malware infested usb condoms…
MisterTea·3 anni fa
> I thought this was common knowledge, and basically what everyone is doing.

No. Not even close.
diziet·3 anni fa
I suggest to get data blockers like this: https://www.amazon.com/PortaPow-NA-USB-C-Data-Blocker/dp/B08...
Tagbert·3 anni fa
Yes, I use something similar. I keep one in my travel bag, just in case.
kerkeslager·3 anni fa
This is like abstinence-only education. Use a USB condom:

https://www.zdnet.com/article/protect-your-data-with-a-usb-c...
Kwpolska·3 anni fa
The use of public chargers is easy to avoid with some basic planning and awareness of your phone's battery habits.
kerkeslager·3 anni fa
So? You know what's easier than basic planning and awareness of my phone's battery habits? Not avoiding public chargers.
hprotagonist·3 anni fa
badUSB is what, nearly 20 years old now?

i distinctly remember making usb condoms a long time ago, anyway, and have never trusted public usb slots anyway.
ineedtocall·3 anni fa
I had to look that age up. You're right, ~19 years ago[1] badUSB made its debut.

Another fun toy is the USB Gadget Kernel module. I've been running yolo + mouse/keyboard emulation on a raspberry pi to make horrible aim bots.

1. https://en.wikipedia.org/wiki/BadUSB
api·3 anni fa
I've heard the somewhat-NSFW term "USB glory hole" for these.
mfer·3 anni fa
When I see this I wonder, is the FBI warning us about something the CIA or NSA are doing?
mywittyname·3 anni fa
The FBI investigates industrial cybercrime. They are more likely reporting on what they see in the wild. And it's probably coincidence if the other TLAs are using the techniques.
toxicpants·3 anni fa
PortaPow[1] makes a great adapter that will only connect the power pins in the USB connection.

[1] http://portablepowersupplies.co.uk/
slicktux·3 anni fa
I usually drill out the data pins on a USB I plan on using for public charging stations…
londons_explore·3 anni fa
Have fun with most devices only charging at 2.5 watts (ie. 6 hours for a full phone charge)...
Kirby64·3 anni fa
Some devices don't really operate this way; some of them just try to keep pulling current until they either see voltage start dropping significantly, or they meet the amount of current they need.

Also, you can just put the 'correct' data connections on the phone side (keeping data disconnected on the charger side) and pull up to 5V-3A, no problem assuming the charger can handle it.
maerF0x0·3 anni fa
plz explain. I have something similar to these https://www.amazon.com/OffGrid-Blocker-Unwanted-Transfer-Pro...

And it seems to charge quick enough (albeit never timed it)...
tzs·3 anni fa
The way USB high power charging works is that unless the charger and the device agree on high power the charger just charges at the older pre-high power USB rate. That's why you can plug ancient devices into a high power charger without worry that they will get fried.

The way the charger and the device agree on how much power the charger should supply involves the data lines.

Thus, if you simply drill out the data lines leaving just the power lines as the person a few comments up suggested a properly functioning high power charger will see your device as only supporting the original USB power spec.

I suspect that those things you linked to are active USB devices. The USB port on the charge side has the data lines connected and uses them to negotiate high power from the charger. The USB port on the device side similarly has the data lines connected and uses them to negotiate high power with the device.

It protects the device because the data lines on the charger side are not connected to the data lines on the device side.
erik_seaberg·3 anni fa
From what I’ve read, USB-A only had one pair of data pins and needed them to negotiate power delivery, but USB-C does not because it has a new configuration channel pin on each side (which is also used to negotiate modes for the many new data pairs, and detect being upside down).

A 24-pin “serial bus” might be getting a little crazy.
maerF0x0·3 anni fa
> It protects the device because the data lines on the charger side are not connected to the data lines on the device side.

or so we hope
yonaguska·3 anni fa
I just carry a portable battery when travelling. Seems like way less work with the added convenience of being able to charge on the move.
[deleted]·3 anni fa
onemoresoop·3 anni fa
And as a bonus you can charge the battery at a public station.
yencabulator·3 anni fa
For the true paranoids, your battery bank also runs firmware...

But realistically, a battery bank seems like an even better solution than a dedicated "USB condom"; it'll even protect you from "USB killer" attacks that inject high voltage to the ports, by frying just the power bank not the real device.

It's more bulky than just a dedicated cable, though.
bin_bash·3 anni fa
is this possible with type-c?
stametseater·3 anni fa
We badly need a DC electrical plug/jack standard that doesn't play double-duty as a data transmission standard. Innumerable small appliances and devices use DC power, solar panels make DC power, yet if you want to charge such devices you have to go through a DC->AC->DC conversion, or use USB which can evidently pwn your devices. What a sorry state of affairs.
jrochkind1·3 anni fa
I'm surprised Schneier says "I am unconvinced".

We know (I think?) attackers can apparently easily introduce MitM skimmers to credit card swipers (I _think_ that's how my CC number keeps getting stolen?), possibly even without cooperation of the proprietor? Why not a little invisible injector on a charging port, that seems if anything easier.

Or is the skepticism around something else, I guess? Motivation? Lack of consistency over time of attack vectors around software injection via USB making it hard to commodify the attack? Like, there are only temporary zero days now and then which get patched, so this isn't a "cheap" thing to deploy on a wide scale?

[edit no idea why i'm getting downvoted on this, perhaps I didn't write it right but I'm legit just curious to hear people's takes on this, what reasons he might have been thinking of to not worry about this...]
jjulius·3 anni fa
>I'm surprised Schneier says "I am unconvinced".

And immediately after he says he's unconvinced this is a concern, he states that he does, in fact, carry a tool with him that would protect him in these circumstances.
ghaff·3 anni fa
In general, you can be unconvinced that various things are actually a meaningful real-world danger, but you choose to mitigate against them anyway if you can do so easily.
yencabulator·3 anni fa
I think it's very unlikely my car will catch on fire, but I carry a fire extinguisher.
krisoft·3 anni fa
He also mentions that he only uses said tool with "charging stations I find suspicious". Which is very curious, because I would assume an attacker who is willing to risk burning such an attack would make sure their charging station is looking the least suspicious and most ordinary.

I'm not sure if "find suspicious" is a good heuristic here. Although of course we don't know what he bases his suspicion on.
trinsic2·3 anni fa
To block usb power connectors from owning your phone: Databloc USB Data Blocker Adapter

https://www.amazon.com/Databloc-Charge-Only-Adapter-syncing-...
Sander_Marechal·3 anni fa
Ah yes, we call this a USB condom
layer8·3 anni fa
Nice. Alas, that will probably also block fast charging on iPhone 15+: https://9to5mac.com/2023/03/20/usb-c-faster-charging-iphone-...
HeavyFeather·3 anni fa
Idea: use a power bank that allows in/out at the same time. It should charge both at high speed while also acting as a firewall.

This is also assuming that your powerbank can’t be hacked. In which case, god save us all.
rtkwe·3 anni fa
It does add a slight extra layer in that they have to both have a compromise for whatever chip is controlling your bank and a compromise for whatever phone is attached which is more difficult to pack into a small controller chip. Although I'm willing to be a lot of power bank controllers are similar across the market which narrows that difficulty.
seanmcdirmid·3 anni fa
If your power bank is qi (MagSafe) to your phone, it will probably be fine given the lack of a wired connection.
[deleted]·3 anni fa
jcl·3 anni fa
I suspect that someone using a public usb-a charging port isn’t expecting fast charging, but rather counting themselves lucky that it works at all.
jsheard·3 anni fa
Same with Android, the various fast charging protocols use the data pins to negotiate the voltage setting and how much current the phone is allowed to draw. I suppose in theory you could make an active dongle which MITMs the data pins and strips anything it doesn't recognise as a valid fast charging command, but I don't know if such a product exists.
tastyfreeze·3 anni fa
A USB cable without data lines works too.
yellow_postit·3 anni fa
Except you are stuck with slower charging speeds. Usually in the places you most want fast charging but have the least trust (random public charging spots)

Most users, most of the time, will trade speed for security.
djmips·3 anni fa
Do you trust that the one coming in the mail isn't going to hack your phone! haha.
shlant·3 anni fa
could you just tape over the middle 2 connectors on a regular USB connector?
Anechoic·3 anni fa
Presumably pair-locking still works to mitigate against evil chargers?

https://reincubate.com/support/how-to/pair-lock-supervise-ip...
jve·3 anni fa
I'v been wondering about the implications of free wifis within airports or such - how much that would be of a worry given you connect only to TLS secured services (and hopefully the phone does it too for every service it connects to in background)
croutonwagon·3 anni fa
Personally...I run a Linode VPN with openvpn on it listening on port 443.

Anytime I am on an public wifi or untrusted network (including the occaisonal time at my job with a personal device), i connect to that. Since its 443, its generally not blocked, even through the TLS connection is not "standard" because it uses a 2048 bit PSK to as a pre-cursor to start a connection, then a certificate based auth to establish the tunnel.

Its a full tunnel as well so all traffic runs through it. Google/Youtube will sometimes pitch fits and make me do captchas but otherwise its an easier way to shield from stuff like that.

All the wifi provider sees in that case is a single connection to my linode.

Admittedly this is a pretty technical solution though and requires some configuring. Mullvad would probably be an easier option with plenty of endpoints to jump through. Or you can run Tailscale and use SSH/socks proxies, though things like DNS leakage can still occur there.

I will use SSH tunnels and socks proxies for certain browsers that are configured to not store any data locally as well (ie: Firefox). I justify it easily in that I am constantly testing services and sometimes its best to rule out routing, BGP or other low level network issues and using ssh -D 12345 somethign@someplace allows me to do just that in isolated circumstances.
aaomidi·3 anni fa
OpenVPN is a noisy protocol. Every network operator knows you’re on a VPN.

Point is, port 443 isn’t really the best way if you dont want to be blocked.

You may want to consider stunnel if this ever becomes a problem for you.
croutonwagon·3 anni fa
The thing is though, im not trying to hide the fact I am on OpenVPN. Simple inspection of the handshake tells you EXACTLY what it is. But thats generally not the issue.

The issue is many will simply block UDP or the default port 1194 or basically anything other than a handful of outbound ports, of which 443 outbound is almost never actually blocked for obvious reasons. In fact I cant think of a single time I havent been able to use that VPN, even when my normal road-warrior profile to my house IS blocked.

Either way there are ways are ways to mask the fact that its clearly OpenVPN that if your issue is nation-states or things like the Great Firewall like Obfsproxy, but even then, something like Mullvad would be called for since you are likely going to need an array of endpoints.

Im just trying to ensure my traffic is running through a trusted source until the point that its supposed to him the open internet. Things like DNS filtering are getting more pervasive. For me that means I want to know the endpoint until I am ready for it to egress.

I have also had this setup for years at this point. Before tailscale or even hearing of things like mullvad. But I work in IT, so its one of those things that makes others that dont work in tech look at me funny if they see it.
hinata08·3 anni fa
in 2023 : none

sites are protected not only wity TLS but also HSTS and the list goes on.

Wi-Fi doesn't include sturdy security mecanisms anyway, so wifi is never safe.

Companies that are serious about network security are recommended to use a second factor, like a VPN, especially on their company network (because they always have ressources that lack protection)

For customers and individuals like us, sites are safe enough not to do that (unless you host your own services)

So the only thing PPL can do on public networks is maybe fingerprinting, and tracking the whereabouts of your devices accross the place (Especially in airports like Istanbul where you need to swipe your passport in a machine to get a wifi code)

But that doesn't prevent me from going to Discord and HN and do banking over public networks.
jve·3 anni fa
> sites are protected not only wity TLS but also HSTS and the list goes on.

HSTS is just what says for the browser not even try HTTP connection, but directly HTTPS.
maerF0x0·3 anni fa
and also to report an error if there's a redirect back to HTTP, right?

ie when a MITM is attempting to drop you back to insecure.
hinata08·3 anni fa
yes.

if HSTS is implemented properly, it won't just report an error, but it will also forbid any connection.

For example, on Firefox, you can't bypass an HSTS error. The browser won't let you add an exception to connect to the site. (you have to purge your data to connect again 'for the first time' on the site)
computerfriend·3 anni fa
The analogous attack would be, exploiting a bug in the network card or wpa_supplicant. The latter has happened in an airport before.
fouc·3 anni fa
I guess we should also avoid plugging our phone into the USB ports on airplane seats?
expertentipp·3 anni fa
The race of media, ad, and other companies for one's attention and data is brutal. Especially when one is stuck in a seat for hours and only has a back of another seat in front of their face.
maerF0x0·3 anni fa
I've often wondered about this. Is $AIRLINE selling the traffic data? I wonder how much $NSFW is being consumed on planes?
hprotagonist·3 anni fa
that should go without saying: yes, you should avoid doing that.
kfajdsl·3 anni fa
You can use a power only cable.
andrei_says_·3 anni fa
Where can I get one and how can I verify it is what it says?
marcosdumay·3 anni fa
> Where can I get one

Yeah, people usually have the opposite problem. You just search for power-only cable.

> how can I verify

Plug it into your phone and your computer. None should see the other, but the phone should charge.

And then tag it, because having all kinds of cables exactly alike is the worst decision the USB designers ever made.
computerfriend·3 anni fa
For USB-A, the pins are physically different.
ImPostingOnHN·3 anni fa
plug your own charger into the power outlet
qwertox·3 anni fa
There are small adapters which disconnect the data lines. I use one of those to connect my phone to my car so that it only charges but avoids my car to want to add it as an external storage for the entertainment system.
jameswryan·3 anni fa
That isn't sufficient to protect you on a charger you don't control: https://www.usenix.org/conference/usenixsecurity21/presentat...
paulryanrogers·3 anni fa
Or at least use a USB condom with voltage protection
maerF0x0·3 anni fa
I mean, if they fry the device I think that's going to both be an acceptable risk (annoying but not breached), and also likely to be detected rapidly -- "Shit my device is fucked, better tell airport staff"
michaelt·3 anni fa
> likely to be detected rapidly -- "Shit my device is fucked, better tell airport staff"

It's not charging - but maybe it was just a problem with that port on your laptop. Better try the charger in every one of your laptop's USB-C ports, just in case....
ta1243·3 anni fa
I stopped paying attention to FBI warnings when they spammed my legal dvds.

Meanwhile my downloads came with none of those warnings.
rtkwe·3 anni fa
Has there been any kind of attack actually detected that goes through this vector? This has been infosec lore for as long as USB charging and smart phones have been a thing but I've never really heard of it actually being used.
provenance·3 anni fa
There is indeed a cheap product that does exactly this: https://o.mg.lol/
rtkwe·3 anni fa
I mean as an actual attack not a product that could execute a similar attack. IE an instance where a public charger has been detected or caught attempting to infect phones.
rednerrus·3 anni fa
I carry a tiny USB battery that I can plug into these public phone charging stations.
stronglikedan·3 anni fa
Isn't that what those charge-only cables that don't do data are for?
rtkwe·3 anni fa
Most people don't have those because USB-C Power Delivery requires data pins to negotiate fast charging. I think it's required to get anything beyond the basic 5V .5A power out of a USB socket these days.
stronglikedan·3 anni fa
Ah, good to know. TIL, thanks! I'll be avoiding those as well then.
GartzenDeHaes·3 anni fa
Also, programmable USB HID devices https://shop.hak5.org/products/usb-rubber-ducky
dpratt·3 anni fa
“Dear citizens, please be wary of attacks on your devices designed to compromise your privacy and personal information. It would be unfortunate if we had competition in the game.”
rtkwe·3 anni fa
It's always been a competing priorities inside the government between groups improving security so that commerce and secrets stay secret and safe and other groups who's priorities are more generalized security that would love to snoop into everyone all the time.
bookofjoe·3 anni fa
https://news.ycombinator.com/item?id=35514479
naattee·3 anni fa
I was always suspect of those public charging things, especially the ones that you leave you phone unattended or "locked" in a box.
chiefalchemist·3 anni fa
Can't the OS have a setting for public charging such that the software can prevent any hardware based shenanigans?
hellotomyrars·3 anni fa
iOS attempts to do this but if we’re following the assumption of such an attack it would just be seen as a step in the chain of the attack. I think the likelihood of an attack via this method is incredibly low personally.

Though I always have a power bank on hand, not for security, but for convenience. Much more preferable to the physical limitations of a wall outlet.
pluralistic·3 anni fa
how much data can be transfered using usb cable?

real usage per second, per minute, not theoretical

can the charging stations resume data transfer if i unplug and replug at random times ?

i dunno, when i want to dump gb of data from my phone, it takes hours ... so yeah maybe i should stay at a random charging station for hours to ensure all data transfered :D
nso·3 anni fa
Maybe you would stay connected that lone at say, a business lounge waiting for a plane.
karmakaze·3 anni fa
USB-C uses data to negotiate charging. A dumb USB type-A cable with no data wires would be safe against bad data.
IX-103·3 anni fa
USB in general specifies negotiation for charging, regardless of the connector. But most chargers are too lazy to implement the negotiation and instead just always provide their maximum amperage, so something with no data wires should work regardless.
dboreham·3 anni fa
Just in time for the phone vendors having fixed all their USB vulnerabilities?
jFriedensreich·3 anni fa
pro tip: if absolutely necessary at least only charge your power bank on a public charger and then charge the phone on the power bank but not at the same time.
pageandrew·3 anni fa
Is it even theoretically possible to have data passthrough a power bank?

I don’t know much about USB, but I’d imagine that only the power delivery pins are connected to anything, right?
vlod·3 anni fa
If I power off my phone, I assume it will be okay?
adastra22·3 anni fa
No.
RcouF1uZ4gsC·3 anni fa
This might be a big advantage for wireless charging. Although it can be slower than a USB charger, there is no risk that it will be doing something other than charging.
rtsil·3 anni fa
Or just replace them with electrical outlets. Why we are using high-risk systems in public infrastructures when low-tech, low-risk systems exist is beyond me.
rtkwe·3 anni fa
You can provide a lot more USB outlets than it's feasible to provide regular AC outlets. If they're USB A outlets you know they're only ever going to draw 7.5W give or take max so you can slap many more of them on a single circuit than you can AC outlets where people could plug in a bunch of 60+W laptops or USB-C PD chargers.
moritonal·3 anni fa
Firstly, I believe the QI scheme includes a process for communication, mostly restricted to "how much power should I send" for now, but it's obvious this will be expanded to more functionality as people basically replicate NFC over it.

Second, I'm still waiting to see a QI charger than just pumps 100W of power straight through any piece of metal above it. Don't know what would happen, but I naively imagine forced induction would brick most devices.
spacetime_cmplx·3 anni fa
>I'm still waiting to see a QI charger than just pumps 100W of power straight through any piece of metal above it

A charger so good it's the last time you'll need to charge
amluto·3 anni fa
As I understand it, Qi has a digital communication channel from the phone to the charger but no digital communication from charger to phone. So any exploit over Qi would have to somehow compromise the phone’s charging system with just analog field variations (frequency, field strength, or whatever else the phone measures).
im3w1l·3 anni fa
Hard disagree. If physical proximity was all it took to compromise a phone everyone would immediately protest.

USB requires an active action. Blaming the user is still wrong, it really should be safe to charge in a mall or get a file from your friends usb stick. But it's less obvious so here we are.
makeitdouble·3 anni fa
As most phones now have NFC, this would be more of a new vector than a safer procedure IMO.

I am not sure how many places properly accept non authentified (no phone unlock nor biometrics) contactless transaction in the US, but it's a thing at least in Japan.

I'd also assume the non secure area is readable without any unlock either way, but might be wrong.
seanmcdirmid·3 anni fa
You can do unauthenticated with your watch assuming you’ve authenticated it at least once and haven’t removed your watch from your wrist since. Also, you can unlock your car with with your phone unauthenticated, or even if the battery is out.
imp0cat·3 anni fa
Couldn't you just plug the wireless charger to the public charging port and then charge your phone wirelessly off of that? An airgapped solution. :)
expertentipp·3 anni fa
Additional advantage is you can warm your coffee by putting the cup on the phone, for all the hours it will take.
JustSomeNobody·3 anni fa
Only need a 6 hour layover to take full advantage.
bkeating·3 anni fa
Go, Mike!
chaorace·3 anni fa
Just FYI: this is referring to USB charging stations, not EV stations.

This advice has been standard in cybersecurity training for a long time now and frankly I'm surprised that this is the first time the FBI has felt the need to issue an advisory on the subject.
LinuxBender·3 anni fa
I have been somewhat curious if/when this will occur with EV stations as well. What controls might one gain over a car from the charging port on the assorted makes/models? Even hacking aside I am curious what PII, telemetry and tracking data could be pulled from the charge port.
i-am-gizm0·3 anni fa
At least on AC Level 1/2 charging (using just a J1772 port) the signalling is pretty rudimentary if I remember correctly. Something along the lines of the car puts out a square wave on one of the signalling pins and based on the resistance it sees it knows whether it's plugged in and how much power it can charge, so there isn't much room (dare I say any) way to interact much with the car through that port. I don't know how DC charging works but I assume there's a little bit more smarts to it. Tesla on the other hand is a completely different story.
rtkwe·3 anni fa
The really high voltage fast chargers as far as I understand them connect directly to the battery bypassing the cars battery charger to directly charge the battery not sure how much communication there is on those channels though.
vegardx·3 anni fa
You're probably thinking about the on-board inverter, it's often referred to as a battery charger. The battery management system is entirely within the car, and the car will tell what voltage and amperage to deliver to it.

The design of CCS2 is actually quite nice. There are pins for singalling that, if broken, will immediately shut down power delivery. This means that you can just pull the cable out safely, without risking arcing or electrocuting yourself.
rtkwe·3 anni fa
My understanding was it also bypassed the BMS but I may have confused what they were saying it's been a minute.
rlpb·3 anni fa
When I've done DC rapid charging on my Leaf, I noticed that the charger knew the battery percentage reported by the car. That seems likely to be digital signalling to me, so suddenly there's the risk of buffer overflows and suchlike.

I've not seen this on AC, but when I looked into this previously I got the impression that there exists a digital signalling protocol established by modulating something ignored by older cars and chargers that can be optionally supported. If that's the case then there's potentially attack surface there, too.
fnordpiglet·3 anni fa
That’s why I only buy cars written in rust.
dylan604·3 anni fa
brings new meaning to the term "rust bucket"
em-bee·3 anni fa
you must be a fan of oldtimers then. since most new cars are made with stainless steel, aluminum, carbon fiber or and other materials.
[deleted]·3 anni fa
judge2020·3 anni fa
The CCS standard has "HLC - High Level Communication", which is available for both AC and DC charging. While i'm not interested in paying $700 for ISO 15118, I imagine clients [cars] are set up to break the current flow if anything out of the ordinary happens or if the input power doesn't match what the station is saying it's sending in an instant.
13of40·3 anni fa
I wonder if dealerships and other auto shops behave like every other company today, and when they plug into your OBD2 port they just hoover up as much data as they can and sell it off.
Forbo·3 anni fa
Even if it's not available via the charger they'll just do this with ALPR or their proprietary apps. Gotta love surveillance capitalism.
mcculley·3 anni fa
It is not the first time the FBI has warned about this (see [0] for example, or do a Google search with date filters).

This is the Denver field office maximizing Twitter engagement by repeating themselves. (Maybe that is not a fair way to view it, maybe the FBI should repeat advisories often.)

[0]: https://www.fbi.gov/contact-us/field-offices/portland/news/p...
causi·3 anni fa
Seriously need an edited title then. Original title is wildly misleading.
dwringer·3 anni fa
I agree - the only "public charging stations" I see on any kind of regular basis are EV charging stations. It's been a couple of decades since I remember seeing a USB one, not that I doubt their existence.
ghaff·3 anni fa
They're ubiquitous at conferences and in many trains, planes, airports, hotels, etc. Maybe you mean something different by public but USB charging stations that you don't control are very common especially in the context of places travelers are in. They're probably pretty common in schools, libraries, conference rooms, etc. as well.
TillE·3 anni fa
They're in basically every major airport, as well as most modern airplanes.
hinata08·3 anni fa
I thought it was a wild clickbait and didn't even go to read the article. I read it as "EVs are dangerous according to the FBI, use V12 engines to avoid hackers"

but yeah, public charging stations *for phones* are terrible.

I used one of them once at a conference, with ADB enabled on my phone. I thought it would just feed me power, as not data collection was specified on the station.

but it enabled a data connection.

So I used a public station once, and I'll never do it again.
giancarlostoro·3 anni fa
The moment I first saw one I knew something was wrong.