
Really need a setting “never trust any device ever”. I’ve never once had a use case with my phone to do anything but charge. Really hate when I plug in my phone to charge in a car and the car takes over my UI. All bad ideas. If I want to move photos I use the network.



Personal opinion: Charging only is what a cigarette adapter is for.

Allowing me to use the car's interface to control my phone is a nice tool. It probably adds to the safety of my driving, since I can skip audio tracks using physical controls on my steering wheel instead of a touch screen.


Do female->male USB-USB power-only passthrough adapters exist? If I could buy a few from a trusted source like directly from the Apple store, I could use it to firewall my cables (never thought I'd have to do that).

As an added bonus, my iPhone wouldn't automatically crank up iTunes on my Mac every single friggin time I plug it into the dock.



You're stuck with 5V at half Amp. Fast charging allows up to several Amps, but needs data pins to negotiate.


Higher power versions of this concept exist that do the data negotiation for your device in response to negotiation from your device. "Plugable USB Universal Fast 1A" is one example, though in my experience, really using it is hit or miss.

I've had better luck using a USB battery to "filter" USB connections in random rental cars.


I have a dollar store "iPad fast charging plug" which is basically a USB condom with a dumb resistor divider to tell Apple devices that they're safe to pull 2.4A.


I have a device that mimics data pins while cutting them off internally. My phone charges quickly, but data lines are not connected. It's a Triplett Usb Bug, a mainstream brand product.


Amazing!


Yes, they simply(?) block the data pins and often go by the name "USB Condom".


If you have an old-fashioned USB 2.1 plug, you can actually remove / cover the data pins, leaving only the power pins exposed!


You need to add some resistors to the data pins to be recognized as a charger.


Depends on the phone. Some need resistors, for some it's enough to just short both data pins, some do protocol level talking over data pins. There are several standards for that with legacy usb.


> Personal opinion: Charging only is what a cigarette adapter is for.

But hardly any new cars have that ….

> Allowing me to use the car's interface to control my phone is a nice tool. It probably adds to the safety of my driving, since I can skip audio tracks using physical controls on my steering wheel instead of a touch screen.

It seemed that paulsutter (https://news.ycombinator.com/item?id=20686844) was suggesting a setting that prevents this automatically for people who never want it, not removing the capability for people like you who do want it.


> But hardly any new cars have that ….

I'm in a 2019 Subaru Outback, and I have two. One for the front seat, one for the back.

WRT a setting - CarPlay must be explicitly enabled, and has a per-vehicle pairing. I imagine Android has a similar requirement.


Android Auto bugs you every time you plug the phone into the car. I had a rental that had it and I was curious to try it since it seemed like something I may want in my next car. It was slow as fuck over bluetooth (a little faster over USB) and offered pretty much nothing more than what a magnetic mount and a bluetooth audio/phone connection would offer. It was 1000x quicker to just bring Waze up on my phone as I'm walking to the car, slap it on the magnet (up high on the dash, adjacent to the screen), and let the bluetooth connect automatically. I deleted the android auto profile and just stuck with regular bluetooth audio/phone.


"But hardly any new cars have that"

Even a Tesla Model 3 still has a 12 Volt cigarette adapter port. New cars still include them because of all the accessories out there like inverters and tire inflaters people want to use.


And my Model S.


It seems extremely rare for me to find any car in the US market that does not have at least 1 12V outlet. On a very recent model car I own it has 4 plus a 110V outlet!


Yeah, they don't seem to include the cigarette lighters themselves anymore (the plug with the nichrome coil or whatever it is that heats up when pushed in), but the outlets are still there on my most recent car, and every rental car I've driven recently.


I think I meant to say what you said—that there's no actual cigarette lighter any more—and just confused that with the adapter outlet itself being gone. Thank you for clarifying!


This device shows up as a keyboard - should keyboards never be trusted ever? How would that work?


First thought was whitelisting USB vendor and device IDs, but I guess those could be spoofed. A button above every USB port?

Going back to PS/2 could be an option? Guess that wouldn't be too different from allowing all devices only on a single USB port.


What if the USB device upon gaining power opened up and poked your button? : P


Shannon's Ultimate Machine....

https://invidio.us/watch?v=cZ34RDn34Ws


It would be nice if my OS had an option to disallow any and all USB devices. Plug something in? Ask whether I want to allow it. I guess this would get annoying after a bit. But still, I only use a couple of USB devices on a daily basis, but I click on boatloads of cookie warnings every day.


> It would be nice if my OS had an option to disallow any and all USB devices

Any desktop computer would have to be redesigned to add an "allow new device" button since they have no other input.

Even on many laptops, the internal keyboard and mouse are USB devices, when you install a new OS, do you have to accept trust to those as well? Or how will you stop an external device from spoofing them with the same vendor/device ID?


How about, trusted peripherals should speak DTLS over their USB/Thunderbolt PHY, and the OS should keep a certificate store for recognizing them?

This sounds like something that creates a chicken-and-egg problem of there not already being any such DTLS-speaking USB devices... but how about if vendors just create a little USB dongle that wraps whatever's plugged into it in "authentication" using DTLS? Ship the dongle with the laptop; tell people that if they want to install a new OS, they have to plug a USB keyboard in through the dongle.


> This sounds like something that creates a chicken-and-egg problem of there not already being any such DTLS-speaking USB devices...

Or only allow completely unauthenticated devices as a fallback when there is no other available authenticated device.

A computer not having any keyboard is a rare case. Most of the time you have what is built-in (and should be authenticated) or what came with the computer (and should be authenticated).

Allowing unauthenticated keyboards only on detection of no authenticated ones probably covers 99.9% of all use cases and increases security dramatically.


Aren’t we trying to prevent an attacker with physical access? They could simply unplug everything first.


Maybe not the exact correct solution (some of those MCUs are wayyyyy too tiny, slow, and stupid for something as complicated as DTLS), but this is not a horrid thought. The bootstrapping problem can be resolved via Microsoft's secureboot certificate and letting the firmware sort out the initial "trusted boot USB sticks" or however.

Hell, simply through acquisition and acquiescence, the market already accepted locked-down platforms. At this point, we ought to have more benefits from this instead of just making these platforms hard to install Linux on.


I use USBGuard on Linux to this effect.


It looked quite promising when I took a look two years ago. There was no support for properly filtering devices that contain multiple endpoints though, like a mouse with mass storage. You could either allow both or none. It was on their roadmap but kept getting postponed iirc. Should take a look again I guess. :-)


At least the user should be informed, meaning it should show the bare minimum to allow us to act upon. Something like "USB keyboard connected: [Device specified name]" for common device types. More complicated/dangerous stuff should only run after user acknowledgement. This way there is at least a significant risk to get caught / chance for the user to catch it.

Not sure if I just mis-configured my Windows, but it is certainly lacking on that front. The Settings -> Devices -> USB having just a single checkbox for error popups is probably not a good sign.


On a Mac, wouldn't this cause a "please identify this keyboard by pressing the key next to the shift key" prompt?


Regarding keyboards, maybe at least don't automatically trust a SECOND keyboard? Even when user interaction isn't possible until the device is active, as someone else pointed out, you can at least send a warning to the user's display.


My quick thought was to have the OS display a random char sequence, which must be typed on the keyboard before input is accepted.

Usability could be optimized depending on how uniquely identifiable keyboards are (to reduce when trust prompts are shown).


I have never once wanted to attach a keyboard to my phone


This cable targets the host computer it's plugged in to, not the phone.


The device shows up as a keyboard on your computer, not on your iPhone


> Really hate when I plug in my phone to charge in a car and the car takes over my UI.

For every phone owner who thinks this way, there are probably a dozen others who hate it when they plug in their phone and the car doesn't mirror the phone's UI. I'd be in the latter group.


Would be nice if they narrowed the attack surface -

"A new (unneeded if devices sufficiently uniquely identifiable?) keyboard has been plugged in, please type <random char sequence> to confirm"


You're on a desktop computer, and you've just spilled water on the keyboard. How do you replace it?


You plug in a USB keyboard. On the display it says "New USB keyboard detected! Type XYSJRF on the new keyboard to enable it". You type XYSJRF on the external keyboard and then use it like normal.
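
The confirmation prompt described in the comments above (type a random code on the new keyboard before its input is accepted), sketched as an added example that is not from any commenter or operating system. `KeyboardGate`, the port names and the mistake limit are assumptions made for illustration.

```python
import secrets
import string

ALPHABET = string.ascii_uppercase  # same style as the "XYSJRF" prompt above

class KeyboardGate:
    """Quarantine a new keyboard until the on-screen code is typed on it.
    Trust is tied to the port's current connection, not to vendor/product
    IDs, which the thread notes can be spoofed."""

    def __init__(self, code_len=6, max_mistakes=3):
        self.code_len, self.max_mistakes = code_len, max_mistakes
        self.pending = {}     # port -> [code, chars matched, mistakes]
        self.trusted = set()  # ports that passed the challenge
        self.delivered = []   # keystrokes that reached the OS

    def attach(self, port):
        """Device appeared on `port`: drop old trust, return the code to display."""
        self.trusted.discard(port)
        code = "".join(secrets.choice(ALPHABET) for _ in range(self.code_len))
        self.pending[port] = [code, 0, 0]
        return code

    def key(self, port, ch):
        """Handle one keystroke; only trusted ports reach `delivered`."""
        if port in self.trusted:
            self.delivered.append(ch)
            return "delivered"
        state = self.pending.get(port)
        if state is None:
            return "dropped"              # blocked or never attached
        code, matched, _ = state
        if ch == code[matched]:
            state[1] += 1
            if state[1] == len(code):
                del self.pending[port]
                self.trusted.add(port)
                return "trusted"
            return "held"                 # consumed by the prompt, not the OS
        state[1] = 0                      # wrong key: start the code over
        state[2] += 1
        if state[2] >= self.max_mistakes:
            del self.pending[port]        # blocked until the port sees a new attach
            return "blocked"
        return "held"
```

A device that injects keystrokes without seeing the display never has its input delivered; keys typed while the code is pending are consumed by the prompt rather than buffered and replayed.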


Moving large amounts of data over the network can be cumbersome. MicroSD cards can come in pretty handy.


Car takes over the phone's UI? Is that an Android thing? I've only ever heard of carplay/android auto taking over the Car's UI (and replacing it with a much better UI).


If we're speaking of an iPhone, if you plug one into a CarPlay receiver then it lightly interrupts the phone use. The iPhone gets a big CarPlay splash screen (which you can dismiss), and switching apps on the car display will also switch them on the phone.

This is changing in the upcoming iOS 13, so the car display and the phone will be much more independent[1]. As someone who's often a passenger with their phone plugged in, I'm happy for this.

[1]: https://www.macstories.net/stories/carplay-in-ios-13-a-big-l...


It sounds like you need a "USB Condom"; it's essentially a minimum-length extension cable, with only the power lines enabled, not any of the data.


I use a data blocker on anything I think might be suspect.

But, then, I am shifting trust to my data blocker...



