
USBCondom - lelf
https://www.crowdsupply.com/xipiter/usbcondom
======
flavor8
The board looks a little fragile. A tool like this (which is going to be used
on the road) needs to be as solid as possible. For $10/unit it seems like they
could afford to at least give it an epoxy surround.

~~~
skrebbel
I think it's on purpose. Looks cooler, gets attention of your fellow
coffeeshop nerds.

~~~
IshKebab
I doubt it - it's because it's pretty trivial to make a PCB like that with
components - one could design the PCB in maybe an hour and then manufacture is
really easy and cheap - probably about $1 each for those boards even in low
numbers (check OSHPark.com).

In contrast, making a case is much much harder. There really aren't any good
low-volume case making methods. Injection moulding is out. Machining from
aluminium is an option here, but it's very expensive. There's resin casting,
but that's difficult and I don't know if it's really suited to manufacture.

Honestly, making the case is 10-100 times harder than the PCB (for such a
simple one like this anyway).

~~~
skrebbel
I say "looks cooler" and you respond by saying that it's easier to make. Since
when does "cool" equal "difficult to produce"? And why didn't anyone tell me
about that rule in high school?

~~~
HeyLaughingBoy
He's saying that they didn't do it because it's cool, they did it because it's
harder to make a case than a PCB. And I agree. It's insane how many "I made
this board, how do I get a case for it?" posts I see online from n00b hardware
hackers. An engineer with experience will consider packaging from the outset.
Thinking about it after the fact can make the manufacture much more difficult
and expensive.

That said, I think $10 is a good price for something like this. I, personally,
would look for a corporate/industrial application that would justify a price
10x that.

------
lucb1e
Or you just cut two wires in a normal USB cable. No need to buy condoms!

I think the board is because some power sources might go "hey I'm leaking,
there is no device but I draw power!" and cut it off, but I only ever heard
about it and never encountered it. My USB ports nicely power fans without ever
having a data connection to anything.

~~~
LeoPanthera
Cutting the wires will cause iDevices to charge at 500mA only.

~~~
lucb1e
Okay that explains then: Apple needs to be a bitch about things again.

~~~
joosters
USB charging ports use the data pins to signal a request for more than 500mA.
If you disconnect the data pins, how can any device (apple or anyone else) get
more?

~~~
serf
The charge pins on a battery charging input could be used as a makeshift i2c
to communicate with a smart battery chipset, thus communicating the same
intentions ("hay! give me more!") without any additional wiring or need for
access to the USB subsystem, while making use of the USB form-factor that's so
ubiquitous today.

if lithium batteries weren't so problematic when overcharged you could float-
charge everything pretty efficiently, then you wouldn't even need a management
system.

Our current way of doing things is probably here to stay, though.

~~~
joosters
Since the whole concept of this 'usb condom' is to physically disconnect the
data communication, re-designing the protocol to use the remaining pins as a
data channel would defeat the whole point.

~~~
serf
No, the point in the redesign of the protocol would be to eliminate the need
for a 'USB condom'.

A data channel isn't a data channel. USB is designed to be widely used by many
industries, as such the standard has provisions for many use-cases. A battery
data channel is only for the charging equipment to communicate with the
battery's chipset a limited amount of parameters. The data being transferred
is incredibly limited, and can thus be sanitized easier when compared to USB.

A protocol designed in such a way would also be easier to test, as the scope
of vulnerabilities would be much more limited than a general purpose data
channel.

Regardless, it was merely a possible answer to

> If you disconnect the data pins, how can any device (apple or anyone else)
> get more?"

and really wasn't meant to be a valid product or concept. Just a fleeting
thought.

------
cnvogel
Or in software (Linux):

    
    
        # cd /sys/bus/usb/devices
        # for n in usb* ; do echo 0 >$n/authorized_default ; done
    

...so that no drivers or userspace programs are allowed to communicate with
any newly connected devices.

[https://www.kernel.org/doc/Documentation/usb/authorization.t...](https://www.kernel.org/doc/Documentation/usb/authorization.txt)

Of course this only prevents the USB host, you'd have to disable all USB-
gadget daemons on your android phone to not have the charger tinker with the
phones's data.

NOTE/added: I just realized that the main purpose this is marketed is to
protect the phone's data. I'd me more worried about the computer if someone
asks me to lend some juice...

~~~
mindstab
yeah but then there is badusb

[http://www.wired.com/2014/07/usb-security/](http://www.wired.com/2014/07/usb-
security/)

which attacks the usb firmware on devices. ANY data communication and your usb
device/port itself can get hacked

the usb condom might actually prevent that,

~~~
Dylan16807
Are you sure? As far as I could tell that thing was about messing with the
firmware after you've already gotten control through normal communication.

------
ulfw
Or you could buy one of the charge-only USB cables I saw all over Asia. They
are a bit cheaper than the normal data-carrying ones as they have fewer wires.

~~~
kken
This!

I got lot's of these things from portable usb batteries.

------
petercooper
Electronics people: why are there any components in this at all? If it's just
about disconnecting certain pins, couldn't it just pass the power lines
through and be half the size without a PCB at all? For example, it could
easily be a cable missing two wires, right? (Note: I'm an idiot when it comes
to electronics, so I'm genuinely interested.)

~~~
xg15
According to the USB spec, a device must complete a protocol handshake and
declare a desired voltage level before the host is allowed to supply anything
more than a minimum voltage. In case of the USB condom, this handshake would
have to be executed by the condom.

I'm not sure how widely implemented this behavior is for "dumb" USB chargers
though, as opposed to actual hosts though.

But it might be that they want to preserve compatibility with actual hosts, in
case that you i.e. want to charge on a public PC. Or they want to make sure
that even if your charger is actually a disguised malicious device, you can
still use it as a charger, which would be kinda ironic.

~~~
lockedusb
That's correct. LockedUSB adapter disconnect the data lines however it have an
internal controller that still negotiate and complete the USB handshakes so
the device can charger faster while being safe.
[http://www.lockedusb.com](http://www.lockedusb.com)

------
nly
What _are_ the fundamental flaws in the USB protocol that make it insecure? I
know firewire allows for DMA, but I didn't think USB, besides being a complex
serial protocol, had any intrinsically unsafe features?

~~~
joosters
It's not the protocol but the fact that USB devices are just too trusting.
Plug your phone into a USB socket and you've little protection against it
communicating with whoever is on the other end of the USB connection.

~~~
collyw
Is this not why my phone asks me what I want to do when I plug it into the
computer? USB debugging mode, charge only, and another option or two that I
can't remember right now. If I select "charge only" will I be secure in the
same way?

~~~
ZoFreX
This really varies from phone to phone, sadly. When I plug mine in I am only
given a choice of which protocol to use to give the host computer access to
all my files (and it connects using the default one as soon as you plug it
in).

------
ColinWright
See also the _extensive_ discussion from a year ago:

[https://news.ycombinator.com/item?id=6379272](https://news.ycombinator.com/item?id=6379272)

------
fencepost
There are multiple projects/products out there for this, some of which are
linked here and some of which are not. Not all are currently available. There
was a fair amount of discussion and useful information in a Brian Krebs
article: [http://krebsonsecurity.com/2014/06/gear-to-block-juice-
jacki...](http://krebsonsecurity.com/2014/06/gear-to-block-juice-jacking-on-
your-mobile/)

USB Condom: ~$10, available. Tends towards either a bare board with USB
connectors or that board with plastic shrink tubing on it.
([https://www.crowdsupply.com/xipiter/usbcondom](https://www.crowdsupply.com/xipiter/usbcondom))
([http://www.usbcondoms.com/](http://www.usbcondoms.com/)) (probably an
earlier version but the same person:
[http://int3.cc/collections/frontpage/products/usbcondoms](http://int3.cc/collections/frontpage/products/usbcondoms))

UmbrellaUSB: ~$12, available soon? More polished/finished looking than the
USBCondom, got their information on voltages from the USBCondom folks (see
comments in the Krebs article above). Working on fulfillment of their
Kickstarter (funded July 3).
([http://www.umbrellausb.com/](http://www.umbrellausb.com/))

ChargeDefense: ~$??, a "coming soon" page, a picture of a prototype, and maybe
more in September.
([http://www.chargedefense.com/](http://www.chargedefense.com/))

LockedUSB: ~$20, available. More technical details available, more expensive
and very blocky looking - expect it to block any adjacent ports. Technical
information indicates that the single unit should work with both Apple and
non-Apple devices ([https://lockedusb.com/product/lockedusb-adapter-charger-
fire...](https://lockedusb.com/product/lockedusb-adapter-charger-firewall-
power-optimizer/))

Practical Meter: ~$20, available. Protects ONLY when used with their optimized
3-in-1 charging cables otherwise passes data through. Provides a 5-bar
indicator of current. ([http://www.powerpractical.com/product/practical-
meter](http://www.powerpractical.com/product/practical-meter)) more details in
their kickstarter ([https://www.kickstarter.com/projects/david-toledo/the-
practi...](https://www.kickstarter.com/projects/david-toledo/the-practical-
meter-know-your-power))

PortPilot: ~$60, not yet available. Much more expensive, MUCH more
informative, switchable between data/no data. Includes a display showing
possible and actual power draw, etc. Almost a development/diagnostic device.
([https://hakshop.myshopify.com/products/portpilot](https://hakshop.myshopify.com/products/portpilot))

At least 3 listed below via Amazon (2 in UK): PortaPow $7 (2 versions,
www.amazon.com/gp/product/B00GC4AJOU, looks like a "beat you to market"
device), and Pisen ~$1.70
([http://www.amazon.co.uk/dp/B00E8ALIYU](http://www.amazon.co.uk/dp/B00E8ALIYU)
and
[http://www.amazon.co.uk/dp/B00E8AJ41E](http://www.amazon.co.uk/dp/B00E8AJ41E)).

~~~
andreyf
There is also:
[http://www.amazon.com/dp/B00EB3LRAE/](http://www.amazon.com/dp/B00EB3LRAE/)

Which apparently signals to the charging device to output higher amperage, as
cutting the data connection will make some devices only provide 0.5 amps. Not
sure why this one is branded "for Galaxy", as the charging device shouldn't
really matter.

~~~
rahimnathwani
Because iPads expect a different voltage, so the device has different
resistors inside. The one I used for my original iPad is by the same brand,
but says 'for iPad':

[http://www.amazon.co.uk/dp/B00E8ALIYU](http://www.amazon.co.uk/dp/B00E8ALIYU)

------
readerrrr
Looks like this is equivalent to a dedicated usb charger.

There should be an option to enable data transfer, currently you have to
physically remove it.

I would love to have something like this, if it enabled my devices to be read
only; some usb flash drives have a physical button to enable that.

~~~
almost
Enabling for read-only in the general case simply wouldn't be possible. The
device would have to know every USB protocol that could possibly be spoken and
which commands are for reading and which for writing (and what to do with
commands that do both).

You could maybe make now that only worked for USB storage devices and only
allowed reading, but it would likely be complex and have other downsides (lack
of performance and compatability issues probably) that would make it not worth
it.

~~~
xg15
This would basically be a packet-inspecting firewall for USB instead of IP. I
agree that this would pose a number of technical challanges as a lot of the
tools and optimizations we have in IP stacks don't exist for USB, but I don't
see how that would be principally impossible.

In fact, as there is a lot more standardization in USB profiles than in IP
protocols, it might even be easier. I.e. if you just inspected messages of the
mass storage profile and blocked everything else, you might already get pretty
far. I agree that the performance problem would stay though.

~~~
almost
I don't think you could make a IP firewall that enforced read-only either, at
least not in a general case.

~~~
btgeekboy
You'd have to have knowledge of what protocol was being spoken. Otherwise, you
don't know of if a packet going back the "wrong" direction is a control
mechanism (request for data, flow control, etc) or data itself. In terms of
ethernet, you could possibly do UDP, but you lose any sort of error handling
or flow control.

------
geuis
Honestly the Wired quote is a much better summary and gets right to the point.

"Many public locations now offer USB charging stations, but it's a trivial
task to modify one of these to allow an attacker to access your data.
Int3.cc's device cuts off access to the data transfer pins on the USB port,
while still permitting access to the power supply."

Way too many words on that page before just getting to the damned point.

------
lazerwalker
It's worth noting that this is unnecessary for iOS devices, where plugging
your device into an unknown USB port prompts you to either "trust" or "not
trust" the computer in question (with "not trust" disabling data transfer).

~~~
TeMPOraL
Do you trust your "trust" and "not trust" settings? Are you sure that there
are no backdoors in there, or bugs that could still lead to device getting
hacked?

~~~
lttlrck
Do you trust your (USB) condom?

~~~
TeMPOraL
Honestly? No. There's a bit too much electronics in that one for my taste. I'd
happily trust the one designs of which I audited, and board I soldered myself.
But until I get over to doing this, I'll be stuck with just cutting data
wires.

EDIT: I retract that. From what I can tell, it's just three SMT resistors on
that board. So it seems fine to me.

------
mindslight
Mobile USB charging ports (as found in airports etc) are more of a gimmick
than anything else. A shoddy one will easily damage your device, and if you're
constantly plugging into different ones, that seems like just a matter of
time. Plus, an unknown one will most likely just put out 500mA (slower
charging), and USB A connectors aren't made for high insertion cycles so
expect flaky connections. Plus you still have to carry the bulkiest part (the
cable) so you still need kit.

I personally just carry a three way AC power splitter cube while traveling,
which gives me enough ports for laptop+phone+whomever I ask to share with.

------
chargedefense
ChargeDefense's website is live and we are taking pre-orders. We have our
Juice-Jack Defender (500mA) for $12 and our Juice-Jack Defender Turbo (1A) for
$15. We have volume prices and can do customized case with your company colors
and company logos. ChargeDefense also had a array of other products, wall
charges, battery pack, and cables. We will start shipping orders out this
month. Please visit our website for more information.

------
classicsnoot
In terms of a protective cover/case, maybe there is a cheap, everyday item or
container it would fit into nicely. I put pen springs around all of my cable
heads.

------
sirwolfgang
I feel someone should point out that the iPhone charger uses the data lines to
basically ask for the available amperage, and charger faster if the charger is
"iPhone compatible". So something like this will still work for iPhone but it
will force it to charge much slower then it would otherwise.

> [https://learn.adafruit.com/minty-
> boost/icharging](https://learn.adafruit.com/minty-boost/icharging)

------
shimon
Seems like you can already get similar stuff elsewhere for cheaper and with a
little plastic around the PCB: [http://smile.amazon.com/PortaPow-Fast-Charge-
Blackberry-Char...](http://smile.amazon.com/PortaPow-Fast-Charge-Blackberry-
Charging/dp/B00GC4AJOU/ref=sr_1_2?ie=UTF8&qid=1408799798&sr=8-2&keywords=usb+condom)

~~~
Thiz
Exactly, and for just $6.99

Not adding the plastic is being lazy.

------
sbierwagen
We resell something similar, from DFRobot: [http://www.robotmesh.com/usb-
power-detector](http://www.robotmesh.com/usb-power-detector)

One of the ports has the data lines connected, the other port doesn't, so it
could be used as a USB condom.

------
ufo
I wonder if it would be possible to use a similar system to make a usb hard
disk read-only. This would make it easy to avoid malicious computers
transferring pesky autoexec.inf files and things like that.

------
djrogers
I use a $10 usb 'lipstick' battery for the same thing - it charges itself and
the phone, no data. Plus I get a free battery to charge my phone when there
isn't an outlet available...

------
Springtime
Had hoped from the title the product would be a way to switch a USB drive from
read/write to enforced read-only mode to protect from malware on unknown
hosts. Would be a nice product in itself.

------
Sephr
I'd pay more for something like a "smart usb condom" which does allow data but
only just for power negotiation, so that my devices can still negotiate for
higher power when available.

------
yoran
$10 is expensive for such simple electronics! I understand that the price of
the first piece is the highest, but if this gets mass-produced I think the
price can easily drop to something like $1.

~~~
rythie
That assumes a massive number of people want this. As it is only geeks
understand the risk and even fewer want/need to protect from it.

------
srslack
Be sure to check out [http://int3.cc/](http://int3.cc/) Ridley's community
project, and watch his talks if you haven't seen those.

------
MAGZine
I can't help but wonder if we'll see USB condoms that help to protect against
spying through EM/power draw changes, i.e. to spy on decryption activities.

------
nyar
If I can get a flash drive for $10 I should be able to get this for <$5. I'll
wait until the novelty wears off and get it for $1 from china, on Ebay.

------
dbbolton
Couldn't a person just cut the green and white wires in their charging cable
if they were concerned about this?

------
guelo
If you're going to carry this around why not just carry a wall charger
instead?

------
tomphoolery
Oh...I thought this was a...um...

Never mind.

~~~
ihsanyounes90
:0 ok it's another sh __t

------
mayuro
Did no one else get that it's a joke?

~~~
daledavies
Is it a joke? IMO the name is bad and would put me off using it in
professional/business situations, but everything else about the project seems
serious to me.

