
USB Condoms - lukashed
http://usbcondoms.com/
======
c-oreills
The sales page [1] has a bit more info on what these actually do.

[1]
[http://int3.cc/collections/frontpage/products/usbcondoms](http://int3.cc/collections/frontpage/products/usbcondoms)

~~~
nyrina
Is it just me or is this a bit.. Over the top?

I've never put my phone into something to charge and thought "Hey, they might
steal my data".

~~~
tammer
"The General Assumption of Security is:

The attacker is smarter than you, he has a bigger computer, he knows your own
software better than you, and he is after you, specifically."[1]

[1]:
[http://security.stackexchange.com/a/19000](http://security.stackexchange.com/a/19000)

~~~
mchanson
Well I do use an 11 inch laptop, so most computers are bigger than mine. Better
go get a second roll of foil!

~~~
lostlogin
And if it's like my wife's 11, the 64gig solid state would make getting all the
data off easy and fast. Hope they like Breaking Bad.

------
peterwwillis
Two things:

1\. The data lines can be very important in regulating power output for
different devices, and there are different maximums for different versions of
USB. Some devices require data communication to charge. Some require
proprietary protocols. Implementing Apple product charging is somewhat
convoluted, for example, and has changed over time.

2\. A friend of mine is a computer engineer, and tells me that correctly
implementing USB in hardware is incredibly difficult. It's possible that
devices like these might be skimping on parts of the spec to more easily get a
working product out the door.

~~~
charliesome
> _Implementing Apple product charging is somewhat convoluted, for example,
> and has changed over time._

It is? I've never had any problems with cheap AC to USB power adapters.

~~~
mbreese
I think they are referring to the higher power ipad charging that pushes more
amps down the line than the spec calls for. There is some kind of trigger used
to tell the charger to send more juice. This device will probably cause that
to not work. So, an ipad on this would only charge at the standard/lower
rate.

~~~
megaframe
The trigger is just grounding the two inner data pins together. This is ok
since the data pins are loose pull up so even if the device tries to send data
on something with those shorted no damage will occur.

~~~
mbreese
Right, but my point is that this device won't work with those 'high current'
charging devices (at the high current, it will only send the
standard amps). Unless they included the logic to test this, which, I suppose,
is possible.

------
Piskvorrr
Even easier, although not as nice-looking: get a common off-the-shelf USB
Y-cable, plug the power-only male into computer, plug phone into female
outlet; done. See e.g.
[http://easyshop.kiev.ua/images/shnuri/shnuri/Usb-y-power-cab...](http://easyshop.kiev.ua/images/shnuri/shnuri/Usb-y-power-cable.jpg)
for an illustration of what the cable looks like.

(I have been doing this to charge my phone, as even the USB mount dialog
confuses some apps)

~~~
aestra
Dead link.

~~~
Piskvorrr
Hmm, weird. Just try searching for "USB Y Cable" images, lots of results like
these will pop up:

[http://www.everythingusb.com/images/list/apricorn-aegis-bio-...](http://www.everythingusb.com/images/list/apricorn-aegis-bio-usb-cable.jpg)

Basically, it's a USB extender cable, with an extra pair of power wires
soldered on and terminated in a USB male header - the original use is for
power-hungry disks, where you'd plug both the male headers into the computer,
increasing the available power (as USB 2.0 can only give 500 mA through a
single port, per spec), at the cost of hogging two USB ports. It can be
re-used as a USB condom as well.

------
hwh
For those who didn't click through everything: This device is an adapter that
cuts the data lines for a USB connection.

Such a device will most probably restrict the device (if it properly
implements charging) to a maximum charging current of 100mA. The data lines
are used for identifying the maximum current allowed.

~~~
Kliment
You can stick a resistor on the data lines to pretend to be a high-power
charger.

~~~
hwh
Or implement other identification mechanisms that exist or might evolve. Yes.
But in the same run, that might take too much from the port you plug it in
mistakenly. If you don't trust the port, you will often not even know what it
is. It's probably safe to assume it will indeed give you 500mA (when it's in
the device or a powered hub). What about the 1500mA ones?

That said, if one desperately needs to charge a battery, one is likely to take
even 100mA. Cutting two lines of a cable doesn't seem that hard and ugly
compared to an un-encased PCB, though.

~~~
Kliment
What? A patched-together table is much uglier than a bare PCB, particularly
with nice layout.

~~~
michaelt
Depends if your use case involves coming into contact with anything
conductive.

------
ChuckMcM
I heartily approve! The 'juice jacking' discussion
([https://news.ycombinator.com/item?id=4951712](https://news.ycombinator.com/item?id=4951712))
was calling out for something like this. I hope they sell a zillion of them.

------
rabble
How much do they cost? They're sold out now so they don't list the price. Does
anybody know how much they run? Seems like a really good idea to me, there are
lots of known USB hacks for phones and somebody smart could probably find a way
to get the trojan back up on to the person's primary computer.

------
benjamincburns
Nifty idea. If you want to make it even better, have it simulate the
iPhone/iPad charger ID circuitry so that I can charge my iPad off any old USB
charger (provided it's rated high enough).

Edit: Actually, scratch that. Leave the data lines connected, but "short" them
to the V- line (or shroud, should hopefully be the same thing) with a small
capacitor to act as a low-pass filter. I don't have the specs in front of me,
but it should be easy enough to filter > 1MHz down by 3dB and still keep the
DC "slew rate" enough to properly ID a charger.

~~~
MertsA
This is how this USB condom should have been made while making sure to use two
separate capacitors instead of just shorting the data lines together. The only
problem with this approach is that it's physically possible to make a special
USB host that pumps enough current down the data lines to fill up that tiny
capacitor every cycle. Might want to throw in an inductor for the extra
paranoid.

~~~
benjamincburns
It depends on the size of the capacitor. And even with smaller capacitors, any
device which is capable of producing a signal strong enough to overcome even a
simple passive 3dB filter well enough to get through the USB handshake, let
alone actual device operation, would almost certainly be quite large as
compared to a regular charger.

Adding an inductor would screw with things, but if we're being _really_
paranoid here, active circuits can measure the resonant frequency of the line
and overcome it. Or, even if we're not being paranoid, you've now given
someone a nice RCL trampoline to bounce a nice high current into your phone's
USB data lines.

There are a few ways to protect against all of that if you want to be really
paranoid. To start, you could go with a higher order active filter built from
a cheap op-amp circuit.

More complex varieties could include the use of a tiny 8-bit uC programmed to
control a digital pot on the protected side, and an optoisolator somewhere in
there just in case there's some weird failure mode which causes a signal path
to short from protected to unprotected. The benefit of something like this
would be that the controller could also control a light or buzzer to alert the
user when a signal is detected on the "unprotected" side.

Cheapest and most reliable might be to pump the output of a simple RC high-
pass filter into a simple RC low-pass filter (translates to DC bias) then feed
that to a comparator which latches the signal lines open (and sounds an alarm)
if signal is detected. Or better yet, make it normally open and close only
when signal isn't detected.

------
contingencies
_When I feel my batteries are low, I like to get my juice flowing by plugging
in to the nearest socket available. Sometimes, I even get a surface to sleep
on, and when that happens, often I get to load up on media. Sometimes when the
media's done there's some funny business. Occasionally, I even get a special
powerup for breakfast. There's nothing like waking up in the morning after a
new encounter, wealthier for the memories, fully charged and ready to go._ -
Anonymous mobile device, _50 Bistreams of "Hey!"_

------
StavrosK
Can't you achieve the same thing with a cable whose data lines just aren't
connected to the jack? Why do you need a whole circuit?

~~~
morsch
Sure. The advantage of this is you don't have to cut open one of your cables,
you can easily (and visibly) decide whether you want the data pins connected
or not and this works for any USB device, ie. USB micro as well as Apple and
other proprietary connectors.

~~~
icebraining
_you can easily (and visibly) decide whether you want the data pins connected
or not_

You could just get two cables, and only patch one.

_this works for any USB device_

So would the cable option if you used a male / female cable instead of a male
/ male one.

------
nicky0
This $3 "power only USB charging cable" is another option:
[http://www.ebay.co.uk/itm/POWER-ONLY-USB-Charging-Cable-Exte...](http://www.ebay.co.uk/itm/POWER-ONLY-USB-Charging-Cable-Extension-Lead-25cm-/380362788911)

------
auggierose
"If you're going to run around plugging your phone into strange USB ports, at
least be safe about it. ;-)"

Exactly. Better safe than sorry.

------
Too
If you have enough space to lug one of these around you might as well carry
with you a complete wall-charger all the time.

------
willvarfar
Recently, it comes to light that those handling the Snowden files are using
air-gapped computers and passing encrypted data to the outside world via ...
USB sticks.

Can't USB sticks execute arbitrary code? Couldn't an attacker infiltrate the
publicly accessible computers that these people use and put a data-stealing
trojan onto USB sticks used to bridge the air-gap?

Do other media that most computers accept these days e.g. sd cards support
arbitrary code execution too? How can you get around this?

EDIT: it was DMA attacks that I was thinking of, and USB seems free of them
at least. I guess, if you trust the robustness of your USB stack against
exploit, that USB is a fairly safe bet. As these very people are reading the
NSA secrets, one wonders what'd happen if they discovered some hint that the
NSA could do precisely that - exploit via USB plugging in.

~~~
bigiain
For some idea of what it's possible to do when you plug something into a USB
port, watch this:

[http://www.youtube.com/watch?v=D8Im0_KUEf8](http://www.youtube.com/watch?v=D8Im0_KUEf8)

(Travis Goodspeed's "Writing a thumb drive from scratch" presentation. It's
got some fascinating and potentially _very_ scary ideas…)

~~~
revelation
Can very much recommend this talk. Spoiler: you can differentiate an operating
system booting from e.g. a forensic device doing a backup, by looking at the
access patterns.

Also note that the USB spec is rather complex, and some parts of it will be
invariably implemented in software. Often in very high-privileged C code. As
such, it is likely to contain critical errors. Here's one for the PlayStation 3
that emulates some garbage on a USB port to get fully privileged code
execution:

[https://github.com/psgroove/psgroove/blob/master/psgroove.c](https://github.com/psgroove/psgroove/blob/master/psgroove.c)

------
smoyer
It might be a bit smaller, but the concept has been around a long time (I use
my external hard-drive's cable):

[http://www.amazon.com/s?ie=UTF8&page=1&rh=i%3Aaps%2Ck%3Achar...](http://www.amazon.com/s?ie=UTF8&page=1&rh=i%3Aaps%2Ck%3Acharge%20only%20usb%20cable)

------
the_mitsuhiko
Does anyone know how the voltage negotiation works for those?

~~~
Piskvorrr
It doesn't - therefore, a to-spec USB2.0 host should not give more than 100mA
over the condom, but good luck finding such a beast (most hosts will happily
serve 500 mA w/o negotiation).

~~~
hwh
Nitpick: It's current negotiation, not voltage negotiation. As for voltage -
5V is universal with USB. And as for current - I wrote about the matter in
another reply to the OP: The problem will be a well-behaved USB device simply
won't take more than 100mA. I.e. it will use the "flat" charging curve, even
if the host could deliver more.

~~~
SEMW
> As for voltage - 5V is universal with USB

Nitpick for interest's sake: apparently there's a new (2012) 'USB Power
Delivery' spec[1] which specifies two new voltage levels (12V & 20V) in
addition to 5V, with higher current limits (2A at 5V, 3A at 12V or 20V for
microUSB connectors). Obviously both ends (and the cable) have to support it;
I don't know if anything actually does yet.

[1]
[http://www.usb.org/developers/powerdelivery/](http://www.usb.org/developers/powerdelivery/)

------
fosap
Interesting. But I'm looking for the opposite. I often have to access my
phone, kindle, whatever data, but do not want to charge it. But I guess the
usb controller will not accept a data-only connection.

~~~
cbhl
There are a number of devices (say, USB thumb drives) that run off the power
provided by the USB spec, so, no, that wouldn't work for those devices.

------
jablan
At first I thought it was a device which would prevent an infected computer
from writing malware to the inserted flash drive, as a hardware antivirus.

------
NSAID
Oh, this is fantastic. I've been wanting to build something like this into a
few cables, but this is even better.

------
aglosson
I guess I'll just have to wait until they release this in magnum size to
accommodate my monster dongle.

------
switch72
[http://www.amazon.com/Retractable-Micro-Charging-Cables-FUNC...](http://www.amazon.com/Retractable-Micro-Charging-Cables-FUNCTION/dp/B004A8OMLQ/ref=sr_1_6?ie=UTF8&qid=1379093288&sr=8-6&keywords=usb+charge+only+cable)

------
lechevalierd3on
The whole NSA scandal is quite a sad revelation, but there are so many business
ideas to build off it.

------
650REDHAIR
Great idea and cute name, but why would you market this on Friday when you
won't be taking orders until at least Monday? Seems to me you just lost out on
a bunch of sales by showing it off early because it likely won't make the
front page again on Monday.

------
bitwize
This reminds me of when vendors at tradeshows used to sell "floppy disk
condoms" as novelty items. I think there was also at least one transparent
keyboard cover billed as a "keyboard condom".

------
gametheoretic
>"Any port in a storm." as the saying goes.

Love the humor, usbcondoms crew! Another one I hope you find a place for in
the future: "In the dark, all cats are gray" -- Benjamin Franklin. Yes,
really.

------
speedyrev
Well to continue the metaphor, I guess I practice abstinence.

~~~
lostlogin
You puritans. Is it still purgatory for me if I try to plug USB into the MagSafe?

------
oemera
It could be way more popular if these wouldn't be called 'condoms'. Some
people can get offended and won't buy it even if it would be useful.

Just my 2 cents.

~~~
sdfjkl
USB prophylactics?

~~~
joezydeco
USB Data Isolator.

------
teekert
I would like the reverse, block the power lines, so my raspberry pi does not
use the backpower of my USB hub through its front USB ports:)

------
umsm
This doesn't really protect you from a more subtle attack: setting up a
femtocell access point for your phone to connect to.

------
Jugurtha
Well, like everything else .. Marketers are betting on the laziness of people.

Why tell someone he can lose weight by working out and eating less, when you
can sell them a pill that makes them lose weight while they sleep and get abs
in 7 minutes?

Why learn programming in several years, when you can "learn programming in
three days".

Why tell people to be cautious with their data, not to click on everything,
when you can sell them a "condom" that enables them to remain reckless and
careless and lazy?

~~~
Piskvorrr
Some attacks do not depend on user interaction ("clicking"); plugging the
device in might be sufficient. Thus, hardware air-gap becomes necessary.

(of course, this just shifts the problem around: now you need to trust the
"usb condom"; but given its simplicity, it should be much harder to put
anything nefarious there)

~~~
Jugurtha
Yeah. I looked at it from a "consumer education" perspective, but it is
unrealistic to ask for that. Not everyone is interested in those things.

However, what does that thing actually do? How does it work? Signatures?
Block "autorun" or something? I didn't see any details.

~~~
Piskvorrr
The USB condom? Much lower-level than that: no data pins, only power.

------
Egregore
There are external batteries for phones, when you charge through them I think
no data will be lost.

~~~
rbanffy
As long as you trust your external battery

------
89vision
I can't believe nobody has made any "pull-out" quips

------
Fuxy
Yay! I don't have to build this anymore.

------
talles
Great idea. Awesome name.

------
nraynaud
Is it me or is this thing huge?

