Submitted via IRC for TheMightyBuzzard
If you connect your devices to anything public, be it wireless or wired Internet, or USB power charging stations, it is best to assume that these are not safe. While you can protect your data in several ways, e.g. by using a VPN when you need to access the Internet while connected to a public or untrusted network, it is sometimes the case that simple things are overlooked. In November 2019, Los Angeles' District Attorney's Office published an advisory to travelers about the potential dangers of public USB ports. These ports could be used for an attack that has been called juice-jacking. Juice Jacking basically allows attackers to steal data or infect devices that unsuspecting people plug into specifically prepared USB power stations. The Distrcit[sic] Attorney's Office recommended that travelers use AC power outlets directly, use portable chargers, or charge devices in cars instead of using public USB chargers. While that is sound advice, it may not be possible sometimes to use these alternatives. That's where the Original USB Condom comes into play.
Source: https://www.ghacks.net/2019/12/09/usb-condoms-are-a-thing-now/
Is "juice jacking" really a thing though? Have any of you soylentils out there actually seen a rogue USB plug in the wild?
(Score: 4, Funny) by maxwell demon on Friday December 13 2019, @11:46AM (3 children)
But are you allowed to show an USB condom on American TV?
The Tao of math: The numbers you can count are not the real numbers.
(Score: 4, Funny) by BsAtHome on Friday December 13 2019, @01:57PM
The ProLife guard will soon enough try to ban it through legislation. All life, natural or artificial, must be allowed to procreate. No humans may intervene.
/s
(Score: 2) by theluggage on Friday December 13 2019, @02:01PM
Plus, I want an instructional video showing me how to put one on a banana (which, as I understand it, is how you use regular ones) - also, if I'm travelling in Africa or South America, will a plantain work instead?
(What!? You put them on your USB cable? Ick, gross!)
(Score: 0) by Anonymous Coward on Friday December 13 2019, @03:39PM
/ˌjuː es ˈbiː/
"a", not "an"
(Score: 4, Informative) by DavePolaschek on Friday December 13 2019, @12:19PM (4 children)
Other people use a ten-minute song of silence [macrumors.com] so their iPhone doesn’t blare the first alphabetical song at them when they plug into their car to charge. Me, I bought a USB condom [davescomputertips.com] years ago, and have it sitting in my truck all the time, because I never want that behavior from my phone.
Never seen anything suggesting that juice-jacking is a thing in the wild, but since I already have a USB condom, when I check into a hotel, I will carry the condom in from the truck and use it if I’m not using my own charger.
(Score: 5, Interesting) by The Mighty Buzzard on Friday December 13 2019, @01:17PM (2 children)
Heh, I just scraped off the contacts for the data pins on one end of a six foot cable. I generally don't want my phone exchanging data over a cable with anything except my desktop.
My rights don't end where your fear begins.
(Score: 4, Informative) by DavePolaschek on Friday December 13 2019, @03:36PM (1 child)
I have a vague memory that the iPhone still needs to send a little bit of data to its charger in order to say "give me all the juice, baby!" Then again, perhaps you don’t have a fruity phone. The condom I bought "supports high speed charging" as far as I can tell. Pretty sure it was under USD10.
(Score: 4, Interesting) by nitehawk214 on Friday December 13 2019, @03:57PM
You are correct, if the D+ and D- pins are not connected, it will only slow charge. However shorting the data pins together enables a "charge only" 1.5A charging port. The "USB condom" is probably an adapter that does this. Even if the host device does try to connect, the shorted together pins will make it receive gibberish.
https://www.maximintegrated.com/en/design/technical-documents/tutorials/4/4803.html [maximintegrated.com]
USB-C has a higher power handshake than that, it does negotiation to choose a higher voltage than 5V. If the "USB condom" could do this level of negotiation, I would be very impressed. It would have to do it twice, between host->condom and condom->device. The thing looks pretty simple, so I suspect it's just the shorting the pins technique.
https://www.allaboutcircuits.com/technical-articles/introduction-to-usb-type-c-which-pins-power-delivery-data-transfer/ [allaboutcircuits.com]
"Don't you ever miss the days when you used to be nostalgic?" -Loiosh
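The charger detection described in the comment above, sketched as an added example (not part of any comment in this thread): a simplified model of USB Battery Charging 1.2 primary and secondary detection, showing why cut data pins give a slow charge while shorted pins give a 1.5A charge-only port. The port names are constructed for illustration; the voltages and current limits are nominal BC 1.2 / USB 2.0 figures.

```python
# Added example: simplified model of USB BC 1.2 charger detection.
# Port models and names are constructed for illustration.
VDP_SRC = 0.6    # volts the phone drives onto one data line while probing
VDAT_REF = 0.3   # threshold above which the other line counts as "seen"

# What sits on the far side of the phone's D+/D- pins.
# linked: D+ and D- are shorted together (wall charger or shorting adapter)
# answers_primary: a charging downstream port drives D- when D+ is probed
# data_path: the pins actually reach a host controller
PORTS = {
    "pc_port_sdp":      dict(linked=False, answers_primary=False, data_path=True),
    "charging_hub_cdp": dict(linked=False, answers_primary=True,  data_path=True),
    "wall_charger_dcp": dict(linked=True,  answers_primary=False, data_path=False),
    "cut_data_pins":    dict(linked=False, answers_primary=False, data_path=False),
    "shorting_adapter": dict(linked=True,  answers_primary=False, data_path=False),
}

def probe(port, drive_line):
    """Drive VDP_SRC on one data line, return the voltage read on the other."""
    if port["linked"]:
        return VDP_SRC              # the short copies the probe voltage across
    if drive_line == "D+" and port["answers_primary"]:
        return VDP_SRC              # CDP answers on D- during primary detection
    return 0.0                      # pulled low or open: nothing comes back

def classify(port):
    """Return (port_type, max_amps, host_can_talk) as the phone would decide."""
    if probe(port, "D+") < VDAT_REF:
        # Primary detection failed: standard port. Without a data path the
        # phone never enumerates, so only the unconfigured limit applies.
        kind, amps = "SDP", 0.5 if port["data_path"] else 0.1
    elif probe(port, "D-") >= VDAT_REF:
        kind, amps = "DCP", 1.5     # secondary detection: lines are shorted
    else:
        kind, amps = "CDP", 1.5     # charging port that also carries data
    return kind, amps, port["data_path"]

def report():
    """Classify every modelled port."""
    return {name: classify(p) for name, p in PORTS.items()}

if __name__ == "__main__":
    for name, (kind, amps, data) in report().items():
        print(f"{name:17} -> {kind}, up to {amps} A, data path: {data}")
```

Only the two rows with a data path leave the phone reachable by whatever is behind the port; the shorting adapter gets the dedicated-charger current without one.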
(Score: 3, Informative) by driverless on Saturday December 14 2019, @02:41AM
As the above post points out, you've been able to buy these for years, including ones that do the proper silly-walk for higher-power USB charging modes. I use the PortaPow ones, they do the necessary silly-walk, are bright red so you know they're present and in use, and aren't some Aliexpress special where you have no idea whether you're actually getting the protection you're paying for.
(Score: 2) by VLM on Friday December 13 2019, @12:59PM
Hasn't there been a "performance art" exhibit of exactly this at every defcon this decade? Just running from memory here?
(Score: 2) by looorg on Friday December 13 2019, @01:57PM
"Juice jacking" ... are they jacking off when they came up with that name? No I have never seen or heard about them being out in the wild (either of them). I'd be more concerned with "fake" (or hostile) wi-fi hotspots than this, or some kind of (reverse-) usb-killer port being installed than that someone would use a USB charging port to steal all your phone data.
Which reminds me of Bender "juice" jacking on cause it makes him cool ...
https://www.youtube.com/watch?v=1qcZUwl91iA [youtube.com]
(Score: 1, Insightful) by Anonymous Coward on Friday December 13 2019, @02:28PM (8 children)
Android phones won't exchange data without specifically being authorized by a very large and weird-looking popup. It would depend on either exploiting a vulnerability (and I don't know of any such vulnerabilities; maybe in some ancient Android version?), or some pretty dumb user behavior. While it's not possible to rule out dumb user behavior, any user who would bother to bring their own cable just to defend against something like this is certainly not going to mindlessly click through the very obvious warning.
If you do still want to worry about this, you don't need a twee little "USB Condom." There have been power-only USB cables sold for years, since you don't need as many conductors in the wire and a lot of cables are just used for power and nothing else, plus you can use them to split the power connection among multiple devices without needing to implement the complicated hub protocol.
I'm less familiar with iPhone, but given Apple's greater focus on privacy (and the general hurdles involved in doing much of anything with an iPhone), I'd expect them to be at least as good as Android in this department.
(Score: 3, Informative) by RS3 on Friday December 13 2019, @03:39PM (6 children)
None of my 3 Android-based phones does anything when I plug into a computer's USB port. Computer gets access immediately. No popups, no nothing on the phone. Well, they come out of screen blank, but nothing else. Android 4, 5, 7
(Score: 2) by DeathMonkey on Friday December 13 2019, @06:13PM (1 child)
Interesting..
I have an HTC and it definitely requires the approval.
(Score: 2) by RS3 on Friday December 13 2019, @11:57PM
One is Huawei, one is Asus, and one is Samsung.
Now I'm pretty sure I have them all in "developer mode", so maybe that's the difference?
(Score: 2) by stormwyrm on Saturday December 14 2019, @01:03AM (1 child)
Numquam ponenda est pluralitas sine necessitate.
(Score: 2) by RS3 on Saturday December 14 2019, @01:17AM
Oh, thank you, you triggered my memory: "notification". I turn them off globally. Maybe one or two things are allowed through, but mostly nope. I'm guessing that's why I don't get the annoying popup.
(Score: 2) by toddestan on Saturday December 14 2019, @03:51PM (1 child)
The phone I have will show up as a drive if it's just connected, but until I grant access on the phone the drive is completely empty. So it should be safe, though this behavior does seem like it exposes a larger attack surface than would be necessary. It's running Android 8.1.
(Score: 2) by RS3 on Saturday December 14 2019, @05:03PM
Yes, absolutely, especially if you turn on "developer mode", and I can't remember, but maybe that has to be on to get filesystem access anyway?
But I haven't figured out how to get true root filesystem access through Windows USB drive access. I use "adb shell" and manually (cli) copy things to USB Windows accessible directories.
(Score: 2) by TheRaven on Saturday December 14 2019, @02:04PM
sudo mod me up
(Score: 3, Funny) by Runaway1956 on Friday December 13 2019, @03:26PM
Have any of you soylentils out there actually seen a rogue USB plug in the wild?
I'm imagining little rogue USB's running through the fields, multiplying like rabbits, trying to hide from natural predators. During daylight hours, you'll spot them by ones and twos, but come sundown, you can find herds of them, orgying together in the orchard. This is why a herd of them is commonly referred to as an orgy.
You're just messing with my mind, right TMB?
(Score: 0) by Anonymous Coward on Friday December 13 2019, @03:49PM (2 children)
This sounds like just a very short "Charge-only" cable instead of a "Charge-and-Sync" cable. Alternative possibility - just bring a charge-only cable and use that everywhere that's not your actual personal computer. They also have the benefit of keeping your phone from taking over your stereo if you use them in your car.
(Score: 2) by legont on Friday December 13 2019, @05:42PM (1 child)
Why don't they mark the cables separately... Say red and black. Should one patent this?
"Wealth is the relentless enemy of understanding" - John Kenneth Galbraith.
(Score: 2) by deimtee on Saturday December 14 2019, @12:02PM
Make one of the plugs just big enough to have a little hardware switch on it. Label the positions Data and Charge. In Charge position it shorts the data pins together.
If you cough while drinking cheap red wine it really cleans out your sinuses.
(Score: 5, Interesting) by Hyperturtle on Friday December 13 2019, @04:41PM (4 children)
Yes
Heck I get paid to put them there, and track which employee was dumb enough to use it on corporate hardware.
if it ends up in someone's home then, well, enjoy the free $10 drive I guess but yow I don't expect anyone to really just plug sticks of unknown origin into their holes, you know? It never ends up like it does in those disney princess movies where things are happily ever after because evil is clearly identifiable.
I've found CDs and other media on the road/median and in stores and bathrooms and stuff. I have an old computer I use to actually plug that stuff in.
All of it except for one thing was not infected with anything. A 4GB CF card I found had a windows XP/2003 era virus on it that would trigger via autoplay when inserted based on the file config for the virus launcher. It was all hidden, but otherwise there was nothing else on it at all. It looked like a formatted blank media card someone lost. I expect it was intended to be used with a DSLR or other camera, or maybe an MP3 player, and would trigger when someone went to copy files to or from it.
I ended up keeping it to use as an example (usually, if anyone heard of such a thing, it was because they read on some tech site that some weird IT people do this sort of stuff to test employees because never is it ever mentioned that a company was compromised this way--without people realizing there's a reason no company is so foolish to state the stupidity of their staff... preventing it or part of the educational aspects of damage control are reasons why I am sometimes paid to leave these around!)
I've made these things. I've bought them. I've lost them on purpose with the intent to see what happens when they are found.
It doesn't cost much, and a bad person can really reap the rewards if they are looking for dumb young people with cool pictures to steal. It doesn't matter what EULA you agree to or how secure the cloud storage is if you just let something run on your machine with access to all that stuff. Things are getting better and worse as far as that goes--wizards can't save you every time, and many people refuse to be inconvenienced, and... the real danger? this is the thought process most people I've spoken to have had: "wow someone's usb drive! I wonder if there are naked pictures on it!"
plugging into some loose ports to recharge their devices never once has been, in my course of work, occurred to people as being a problem--and it never wasn't a problem.
Those USB ports all can have some sort of kali linux node or pwnpad or stand alone stuff like a card skimmer that someone else returns to later to ostensibly recharge and sync the data to their own device for wandering off to the next 'outlet' they set up to provide free power.
Most free stuff like this is positive when the good intentions are considered, but really... there is no free stuff. With that in mind, it might be better to spend like $20 on a good external USB battery and even a $15 solar battery charger that can give you unreliable power for those times you don't have any reliable alternatives. I keep both with me in my backpack or bag depending on what I am doing and for how long. Convenience is often the enemy... but spend a few bucks and you'll be the envy of your friends cause you'll be the one with a charger that works on the go.
get a 10000mah battery brick and a 2000mah solar battery charger and you can even recharge the battery for both when you sit around doing nothing with even modest lighting... Or the best option-- you can plug them into the usb chargers you find in the wild and not expose your actual phone/tablet/mp3 player/ or laptop to them...
Don't stick anything somewhere that... well.. health class wasn't wrong about all that stuff, no matter how unfun being responsible with IT related things can be.
(Score: 0) by Anonymous Coward on Friday December 13 2019, @08:10PM (2 children)
My workplace did something like that with a URL in an email. Lots of nerds used wget in a VM or on an exotic architecture, hoping to capture some sweet malware. We all have IDA Pro, so we came prepared. The URL delivered 0 bytes, then alerted IT to give us a scolding for being clueless about security.
USB devices are a bit more threatening of course. They could contain explosives, nerve gas, or biological agents.
(Score: 2) by maxwell demon on Saturday December 14 2019, @01:09PM
Or simply fry your electronics when inserted.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 2) by Hyperturtle on Monday December 16 2019, @02:38PM
Look up the "USB killer". People have made USB sticks that are engineered to charge a capacitor that is way out of spec and then release it to zap the usb port/controller. I imagine by now someone has made cables that can do that too.
I really wanted to make one, but the reality is that someone I know at some point will find it and plug it in even if I label it. And that there are really no good reasons to have one of those laying around--they're intended for destruction, and generally self-destruct. A successful test means dead hardware--as does an accidental deployment...
(Score: 2) by RS3 on Saturday December 14 2019, @05:08PM
As a rule, I turn OFF all "autoplay". I can't figure out what MS is thinking when they do stuff like "autoplay", especially when it's ON for all drive letters by default.
(Score: 2) by All Your Lawn Are Belong To Us on Friday December 13 2019, @07:23PM
I've seen rouge ones! [amazon.com]
This sig for rent.
(Score: 0) by Anonymous Coward on Sunday December 15 2019, @12:50AM
Why no "Previously on SN" list here?
LA Warns of ‘Juice-Jacking’ Malware, but Admits It Has No Cases [soylentnews.org]
USB Type-C Authentication Program: Protection or DRM? [soylentnews.org]
Clever USB Cable Can Accept Remote Commands [soylentnews.org]
USB Condom: syncstop.com