SoylentNews is people

posted by Fnord666 on Friday December 13 2019, @11:34AM
from the free-charging-here! dept.

Submitted via IRC for TheMightyBuzzard

If you connect your devices to anything public, be it wireless or wired Internet, or USB power charging stations, it is best to assume that these are not safe. While you can protect your data in several ways, e.g. by using a VPN when you need to access the Internet while connected to a public or untrusted network, it is sometimes the case that simple things are overlooked. In November 2019, Los Angeles' District Attorney's Office published an advisory to travelers about the potential dangers of public USB ports. These ports could be used for an attack that has been called juice-jacking. Juice Jacking basically allows attackers to steal data or infect devices that unsuspecting people plug into specifically prepared USB power stations. The Distrcit[sic] Attorney's Office recommended that travelers use AC power outlets directly, use portable chargers, or charge devices in cars instead of using public USB chargers. While that is sound advice, it may not be possible sometimes to use these alternatives. That's where the Original USB Condom comes into play.

Source: https://www.ghacks.net/2019/12/09/usb-condoms-are-a-thing-now/

Is "juice jacking" really a thing though? Have any of you soylentils out there actually seen a rogue USB plug in the wild?


  • (Score: 1, Insightful) by Anonymous Coward on Friday December 13 2019, @02:28PM (8 children)

    by Anonymous Coward on Friday December 13 2019, @02:28PM (#931700)

    Android phones won't exchange data without specifically being authorized by a very large and weird-looking popup. It would depend on either exploiting a vulnerability (and I don't know of any such vulnerabilities; maybe in some ancient Android version?), or some pretty dumb user behavior. While it's not possible to rule out dumb user behavior, any user who would bother to bring their own cable just to defend against something like this is certainly not going to mindlessly click through the very obvious warning.

    If you do still want to worry about this, you don't need a twee little "USB Condom." There have been power-only USB cables sold for years, since you don't need as many conductors in the wire and a lot of cables are just used for power and nothing else, plus you can use them to split the power connection among multiple devices without needing to implement the complicated hub protocol.

    I'm less familiar with iPhone, but given Apple's greater focus on privacy (and the general hurdles involved in doing much of anything with an iPhone), I'd expect them to be at least as good as Android in this department.

  • (Score: 3, Informative) by RS3 on Friday December 13 2019, @03:39PM (6 children)

    by RS3 (6367) on Friday December 13 2019, @03:39PM (#931723)

    None of my 3 Android-based phones does anything when I plug into a computer's USB port. Computer gets access immediately. No popups, no nothing on the phone. Well, they come out of screen blank, but nothing else. Android 4, 5, 7.

    • (Score: 2) by DeathMonkey on Friday December 13 2019, @06:13PM (1 child)

      by DeathMonkey (1380) on Friday December 13 2019, @06:13PM (#931783) Journal

      Interesting..

      I have an HTC and it definitely requires the approval.

      • (Score: 2) by RS3 on Friday December 13 2019, @11:57PM

        by RS3 (6367) on Friday December 13 2019, @11:57PM (#931871)

        One is Huawei, one is Asus, and one is Samsung.

        Now I'm pretty sure I have them all in "developer mode", so maybe that's the difference?

    • (Score: 2) by stormwyrm on Saturday December 14 2019, @01:03AM (1 child)

      by stormwyrm (717) on Saturday December 14 2019, @01:03AM (#931891) Journal
      My current phone (Android 10) won't even show the pop-up immediately. There's a notification that you have to click on in order to get the pop-up to show so you can enable USB data connection. Same was the case for my previous phone (Android 7 and later 8.1). The phone before that (Android 5 and 6) showed the pop-up. Maybe you enabled USB data connection on your computer one time from the pop-up and your phones remember your computer as a trusted device. But then again all but the last of my phones were Nexus devices so...
      --
      Numquam ponenda est pluralitas sine necessitate.
      • (Score: 2) by RS3 on Saturday December 14 2019, @01:17AM

        by RS3 (6367) on Saturday December 14 2019, @01:17AM (#931895)

        Oh, thank you, you triggered my memory: "notification". I turn them off globally. Maybe one or two things are allowed through, but mostly nope. I'm guessing that's why I don't get the annoying popup.

    • (Score: 2) by toddestan on Saturday December 14 2019, @03:51PM (1 child)

      by toddestan (4982) on Saturday December 14 2019, @03:51PM (#932059)

      The phone I have will show up as a drive if it's just connected, but until I grant access on the phone the drive is completely empty. So it should be safe, though this behavior does seem like it exposes a larger attack surface than would be necessary. It's running Android 8.1.

      • (Score: 2) by RS3 on Saturday December 14 2019, @05:03PM

        by RS3 (6367) on Saturday December 14 2019, @05:03PM (#932072)

        Yes, absolutely, especially if you turn on "developer mode", and I can't remember, but maybe that has to be on to get filesystem access anyway?

        But I haven't figured out how to get true root filesystem access through Windows USB drive access. I use "adb shell" and manually (cli) copy things to USB Windows accessible directories.
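
Several comments above hinge on whether developer mode or USB debugging changes what a phone presents to a USB host. The following is an added example, not code from any commenter: it classifies a phone's USB exposure from two values the owner reads over `adb` from a trusted computer. The verdict labels, the function name `classify_usb_exposure` and the sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example. Inputs are read by the owner from a trusted computer:
#   adb shell getprop sys.usb.config            (active USB functions)
#   adb shell settings get global adb_enabled   (USB debugging switch)
# Verdict labels and the sample values at the bottom are constructed.

classify_usb_exposure() {
    usb_config=$1    # comma-separated list, e.g. "mtp,adb"
    adb_enabled=$2   # "1" when USB debugging is on
    verdict="charge-only"
    old_ifs=$IFS
    IFS=,
    for fn in $usb_config; do
        case $fn in
            adb)
                verdict="debug-bridge" ;;
            mtp|ptp|mass_storage)
                # Interface is presented to the host; files may still be
                # hidden until access is granted on the phone.
                [ "$verdict" = "debug-bridge" ] || verdict="file-interface" ;;
        esac
    done
    IFS=$old_ifs
    # Debugging switched on but adb not among the active functions.
    if [ "$adb_enabled" = "1" ] && [ "$verdict" != "debug-bridge" ]; then
        verdict="$verdict+debugging-enabled"
    fi
    printf '%s\n' "$verdict"
}

# Constructed samples: "<sys.usb.config> <adb_enabled>"
for sample in "mtp,adb 1" "mtp 0" "none 0" "ptp 1"; do
    set -- $sample
    printf '%-10s adb_enabled=%s -> %s\n' "$1" "$2" "$(classify_usb_exposure "$1" "$2")"
done
```

A `debug-bridge` verdict is the one to clear before charging from an untrusted port, by turning USB debugging off in the phone's developer options.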

  • (Score: 2) by TheRaven on Saturday December 14 2019, @02:04PM

    by TheRaven (270) on Saturday December 14 2019, @02:04PM (#932037) Journal
    There have been a number of vulnerabilities in bits of the USB stack, but the worst ones that I've seen have been in the firmware of the USB controller itself. This is rarely updated and if there's a buffer overflow then in most SoCs you end up with full access to the AXI bus and can then compromise the host OS. I've seen proof of concept exploits, but nothing in the wild (that said, I haven't been looking).
    --
    sudo mod me up