
It really surprised me when this article blew up on Twitter, as I thought it was common knowledge to never use public chargers and to avoid untrusted USB anything after “BadUSB”. It showed me how I live in a tech security bubble, a good reminder.



Many people, including many people on this site (and, yes, including myself) wouldn't think twice about plugging into an available port if they need a charge. Maybe I don't plug into an unlabeled port in some random location where it doesn't look like it belongs, but honestly I wouldn't think twice about charging at a designated area at a conference.

(Though, yeah, I'd avoid a lot of "normal" activities if I ever attended BlackHat.)


I've had booths at cyber security trade fairs hand out USB flash drives as prizes for spinning a wheel, with no awareness of how that might seem odd. I guess people would be reluctant to accept them at BlackHat, but everywhere else people are very trusting towards USB stuff.


I take free USB drives any day. I always test them on the pc that belongs to the coworker that nobody likes first though ;)

In all seriousness though, 128GB USB 3.0 drives can be picked up for $10 on sale all day long. There is absolutely no reason to trust some random $0.25 4GB drive that a stranger gave you, aside from running R-Studio on it for fun or something.


I once worked at a place where the security team had a USB stick delivered to all the desktops with some digital brochure about not trusting strangers or some such. Not the cyber security team, but still.


We send staged phishing emails internally to see who takes the bait.

Leaving USB sticks lying around with some sort of callback to see who plugs them in is a really clever idea. We could probably catch the serial number range in Defender ATP.
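As an added example (mine, not the commenter's, and not Defender ATP query syntax), here is the matching logic behind the "catch the serial number range" idea, in Python, run over constructed records in the shape of Windows USBSTOR device instance IDs, which is the string that ends up in SetupAPI logs, the USBSTOR registry key and EDR PnP/USB-mount telemetry. The CANARY_PREFIX, CANARY_RANGE, host names and sample records are all assumptions.

```python
import re
from dataclasses import dataclass

# Windows device instance ID for a USB mass-storage device:
#   USBSTOR\Disk&Ven_<vendor>&Prod_<product>&Rev_<rev>\<serial>&<instance>
# When the stick has no USB serial descriptor, Windows generates one of the
# form 7&2f1a3b4c&0&_ (it contains ampersands), so the serial group is greedy
# and only the trailing &<instance> is split off.
USBSTOR_RE = re.compile(
    r"^USBSTOR\\Disk&Ven_(?P<ven>[^&\\]*)&Prod_(?P<prod>[^&\\]*)&Rev_(?P<rev>[^\\]*)"
    r"\\(?P<serial>.+)&\d+$",
    re.IGNORECASE,
)

# Hypothetical: the drop batch was ordered as 50 sticks, serials CNRY1000..CNRY1049.
CANARY_PREFIX = "CNRY"
CANARY_RANGE = range(1000, 1050)


@dataclass(frozen=True)
class CanaryHit:
    host: str
    user: str
    serial: str
    product: str


def parse_usbstor(instance_id):
    """Split a USBSTOR instance ID into its fields, or return None if it is not one."""
    m = USBSTOR_RE.match(instance_id)
    return m.groupdict() if m else None


def is_canary(serial):
    """True if the serial is <prefix><number> with the number inside the drop batch."""
    if not serial.upper().startswith(CANARY_PREFIX):
        return False
    tail = serial[len(CANARY_PREFIX):]
    return tail.isdigit() and int(tail) in CANARY_RANGE


def scan(records):
    """records: iterable of (host, user, instance_id). Returns one hit per (host, serial)."""
    hits, seen = [], set()
    for host, user, instance_id in records:
        fields = parse_usbstor(instance_id)
        if fields is None or not is_canary(fields["serial"]):
            continue
        key = (host, fields["serial"].upper())
        if key in seen:          # same stick re-inserted on the same machine: report once
            continue
        seen.add(key)
        hits.append(CanaryHit(host, user, fields["serial"].upper(), fields["prod"]))
    return hits


# Constructed sample telemetry (hosts, users and IDs are made up).
SAMPLE_RECORDS = [
    ("WS-0421", "jdoe",      r"USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\CNRY1007&0"),
    ("WS-0098", "asmith",    r"USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler&Rev_1.00\1C6F65E4A3B0C1D2&0"),
    ("WS-0421", "jdoe",      r"USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\CNRY1007&0"),  # re-insert
    ("WS-0311", "mlee",      r"USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\cnry1049&0"),  # lower case
    ("WS-0500", "rkhan",     r"USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\CNRY1050&0"),  # outside batch
    ("WS-0077", "svc_print", r"USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.26\7&2f1a3b4c&0&_&0"),  # generated serial
    ("WS-0502", "tng",       r"USB\VID_0781&PID_5583\CNRY1010"),  # parent USB node, not the disk record
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_RECORDS):
        print(f"{hit.host}: {hit.user} mounted canary {hit.serial} ({hit.product})")
```

The last record is deliberately skipped: the canary serial also appears on the parent USB\VID_…&PID_… node, but matching only the USBSTOR record keeps the logic to one event per mount, which is what you want to count when measuring who plugged a stick in.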


  [autorun]
  
  open=you_didnt_read_the_brochure_right.exe
  icon=setup.exe,0
  label=My install CD


> Many people, including many people on this site (and, yes, including myself) wouldn't think twice about plugging into an available port if they need a charge. Maybe I don't plug into an unlabeled port in some random location where it doesn't look like it belongs, but honestly I wouldn't think twice about charging at a designated area at a conference.

This is the solution to that problem:

https://www.amazon.com/PortaPow-3rd-Data-Blocker-Pack/dp/B00...

https://www.amazon.com/PortaPow-NA-USB-C-Data-Blocker/dp/B08...

https://www.amazon.com/PortaPow-Data-Blocker-USB-C-Converter...


If you're already committed to carrying Yet Another Accessory, then why not just carry a small portable charging battery. Some models are not much larger than that USB connector, and could charge the phone more than sitting babysitting a charging phone for an hour.


Yeah, I normally carry bigger portable batteries but I've got a bunch of small ones that I've typically been given by vendors which are probably good for at least getting a phone off life support.


Yes, I was in the hospital waiting room recently and they had a charging station with each type of available cable.

I charged my phone, fully aware of these sorts of issues. I just went with my gut instinct that, in that environment, it's highly unlikely that the cables have been "trojanized".

The FBI can warn about it, but what can you really do? You just have to trust your judgement as to what you feel are safe charging stations, and which may not be.


> but what can you really do?

Get a USB condom, for instance, practice safer charging. :)


Android asks me whether I want to allow a device access. This probably prevents attacks against the upper layer protocols. Is the risk vector here the USB stack itself?

I think it's possible to disable the USB 'protocol' in Linux, but it would require advanced permissions on Android, which probably doesn't work out of the box; with iOS, who knows or cares.
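As an added example (mine, not the commenter's, and nothing the page links to): on a Linux laptop the kernel's USB authorization interface, documented in Documentation/usb/authorization.rst, is the software-side equivalent of a data blocker. Writing 0 to a root hub's authorized_default means every device that enumerates afterwards is powered and enumerated but gets no driver bound (no HID, no mass storage, no MTP) until someone writes 1 to its own authorized file; already-attached devices keep working. On a real host this needs root and the sysfs root is /sys; here it is a parameter and the tree is constructed, so the script runs offline. The device names, vendor IDs and the demo function are assumptions. This does not cover Android, which the comment rightly says needs elevated permissions.

```python
import tempfile
from pathlib import Path

USB_DEVICES = "bus/usb/devices"   # relative to the sysfs root (/sys on a real host)


def root_hubs(sysfs_root):
    """Root hubs are the usbN entries; each carries an authorized_default knob."""
    base = Path(sysfs_root) / USB_DEVICES
    return sorted(p for p in base.glob("usb*") if (p / "authorized_default").is_file())


def set_default_authorization(sysfs_root, allow):
    """Flip authorized_default on every root hub; returns the hub names touched."""
    value = "1" if allow else "0"
    touched = []
    for hub in root_hubs(sysfs_root):
        (hub / "authorized_default").write_text(value)
        touched.append(hub.name)
    return touched


def read_default_authorization(sysfs_root):
    return {hub.name: (hub / "authorized_default").read_text().strip()
            for hub in root_hubs(sysfs_root)}


def device_info(sysfs_root, dev):
    """Vendor:product, product string and authorization state of one device (e.g. '1-2')."""
    d = Path(sysfs_root) / USB_DEVICES / dev
    if not d.is_dir():
        raise FileNotFoundError(f"no USB device {dev} under {sysfs_root}")

    def attr(name):
        f = d / name
        return f.read_text().strip() if f.is_file() else None

    return {"id": f"{attr('idVendor')}:{attr('idProduct')}",
            "name": attr("product"),
            "authorized": attr("authorized") == "1"}


def set_device_authorization(sysfs_root, dev, allow):
    """Authorize (bind drivers to) or deauthorize a single enumerated device."""
    f = Path(sysfs_root) / USB_DEVICES / dev / "authorized"
    if not f.is_file():
        raise FileNotFoundError(f"no authorized attribute for {dev} under {sysfs_root}")
    f.write_text("1" if allow else "0")
    return device_info(sysfs_root, dev)


# --- constructed sysfs tree, standing in for /sys on a laptop with a keyboard attached ---

def _fake_device(root, name, vid, pid, product, authorized):
    d = Path(root) / USB_DEVICES / name
    d.mkdir(parents=True, exist_ok=True)
    for attr, value in (("idVendor", vid), ("idProduct", pid),
                        ("product", product), ("authorized", authorized)):
        (d / attr).write_text(value + "\n")


def build_fake_sysfs(root):
    hub = Path(root) / USB_DEVICES / "usb1"
    hub.mkdir(parents=True, exist_ok=True)
    (hub / "authorized_default").write_text("1\n")
    _fake_device(root, "1-1", "046d", "c31c", "USB Keyboard", "1")   # hypothetical IDs


def demo():
    """Lock down the constructed tree, then let one newly enumerated device through."""
    with tempfile.TemporaryDirectory() as tmp:
        build_fake_sysfs(tmp)
        result = {"default_before": read_default_authorization(tmp)}
        result["hubs"] = set_default_authorization(tmp, allow=False)
        result["default_after"] = read_default_authorization(tmp)
        # Simulates what the kernel does for a device plugged in after the change:
        # it enumerates with authorized=0 and no driver is bound.
        _fake_device(tmp, "1-2", "0bda", "8153", "USB 10/100/1000 LAN", "0")
        result["lan_before"] = device_info(tmp, "1-2")["authorized"]
        result["lan_after"] = set_device_authorization(tmp, "1-2", allow=True)["authorized"]
        result["keyboard"] = device_info(tmp, "1-1")["authorized"]   # untouched by the change
        return result


if __name__ == "__main__":
    print(demo())
```

On a real machine you would call set_default_authorization("/sys", allow=False) from a boot-time unit and authorize devices by hand after checking device_info("/sys", "1-2"); the per-interface variant (interface_authorized_default) exists too, but device-level is enough to stop a "charger" from becoming a keyboard.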


> Is the risk vector here the USB stack itself?

Yes, exactly. There are some comments here in the thread that discuss this in detail.


This is a joke, but it could actually be a thing. An isolator that you can use to protect your device while using those unknown ports. I would call it an isolator though, or firewall, not what you called it.



Cool, didn't know they exist.


A USB-C condom is also available now. It was an issue since USB-C uses the data lines to negotiate voltage, and I had been tracking the need for it in my problem validation for a while now [1].

[1] https://needgap.com/problems/73-usb-type-c-condom-usb-cybers...


> Also now USB-C condom is also available

Oh, I didn't know that! So what is the solution for USB-C? How do the new USB condoms work?


I'm not completely sure; I read on Reddit that the USB-C condom has some form of proxy circuit to negotiate voltage. I hope someone with better knowledge of this can explain it better.


You can even make one yourself with rudimentary equipment, by cutting the data lines and leaving the power lines connected. I believe you will lose the ability to negotiate faster charging, and I don't know if USB-C will work at all, but otherwise it still works.


They make those. They are called data blocker cables and only have power pins, no data.


...which are really annoying when you do need to transfer data to your phone, but all you have in your bag are data-blockers ;)


Not a joke. The thing exists


Get a tiny GaN USB-C charger, throw it in your bag, and forget about the public "charging ports"?

I bought like 5 of these, threw them in my bags and luggage, and I don't worry about charging like ever. And my devices charge fast.

If I'm doing long flights, I generally bring a single power brick.


>(Though, yeah, I'd avoid a lot of "normal" activities if I ever attended BlackHat.)

I wonder whether you'd take similar precautions on a site named Hacker News.


So far, web standards don’t support online supply of direct (constant) current, alternating (sine wave) current, they can only provide imaginary (square root of stealing your) current.

So you can’t trust any site for power.

—-

Although teleporting power Via quantum entanglement has been demonstrated as possible given a line of communication.

So crazily, “power over data” may happen one day.

Perhaps, we can all look forward to hackers draining our last 1% of battery power as a reward for not using end-to-end power encryption.


Then you won't mind if I mine some crypto on your machine?


A website would be hard pressed to emulate a keyboard plugged into my computer.


You say that now.

Wait till someone reprograms that Arduino plugged into your USB via WebUSB to be a HID device that does their bidding!


Very true. Nevertheless, I'm curious whether you implicitly trust the security of links on HN?

I know I largely do, but perhaps that's unwise, especially given the site's stated target audience.


Serious browser exploits are extremely rare these days. Like, the worst you get is cryptocurrency mining while you're on the page.


I still get the occasional popup that gets past AdGuard on my phone and tries to add spam to my calendar on my iPhone but it’s definitely a lot better than it used to be. I got one a few months ago that had instructions on installing a custom management profile, now that cracked me up.


Accessing a known non-sketchy website? No.


Hacker News is a link aggregator.


If you've spent any time on here you know that no one actually clicks the links to read the article. Users need only trust the pages with an orange header.


I know I don't, but surely some people do.

Perhaps Hacker News is merely a conversation prompt aggregator.


I mean the upstream comment is basically saying don't trust clicking any links on the Internet--even on a site that presumably weeds out really dodgy stuff quickly. Indeed, not using the Internet is a solid, if rather extreme, security process to follow.


I wrote it, and that’s not what it’s saying


HN as a separate entity has practically no value, it could just be reddit.com/r/hackernews and it'd be practically the same.


Reddit doesn't have dang.


The thing about Reddit is that it has greater "discoverability" through search, profiles and algorithmic "hot" pages, so communities like that inevitably become swamped with low quality posts. There's a few niche subs that just degenerated into posting photos of purchases that arrived in the mail today instead of actually discussing the use of the tools.


I don't trust orange headers, only blue ones.


grin


Which is exactly why they’re a great target. High traffic, good odds someone plugs the phone in and unlocks it while plugged in, etc.


To be fair I also didn't know for a long time that HDMI is not a trustworthy port and can be used to spread malware [0]. And I'm usually not thinking about that when plugging my laptop to a projector.

Maybe with USB you could get away by using a cable without data pins, but I'm not sure whether that may influence charging speed given USB-C is pretty flexible.

[0] https://news.ycombinator.com/item?id=31828193


USB defaults to 5 V if there is no negotiation, and it is said that many devices will draw 1 A under these circumstances (even though technically the spec says they should expect less). It's the standard low-speed charging that you'd get plugging your device into a dollar store charger.


> common knowledge to never use public chargers

Perhaps here on HN. Most people will plug their smartphone into any accepting receptacle: trains, airplanes, NYC SmartLink, or they ask the bartender if they can plug it in behind the bar.

I still carry a DIY Altoids charger that takes a 9 V battery (pulled down to the proper voltage for an iPhone). In a battery emergency, my phone is simply on life support and I don't have to look for outlets that might also include a zero-day.


I try to always travel with a “USB data condom”. The one I have is called a “PortaPow”, and it’s red. It was about $10 on Amazon and it’s a great investment for scenarios where I _reasonably_ trust a power-only USB port not to have been tampered with, like the built in ports on aircraft.


I have long used usb condoms - even on my own, trusted ports.

Sometimes I just want to charge my phone from my laptop without triggering all kinds of finder and iTunes and photos interactions.

Same with a car - just power, please.


Build condoms into the devices themselves via a next USB spec requiring a hardware switch to choose power-only / power+data, and these kinds of issues could disappear. Apple might hate it though. Then again, capacitive hardware switches could be OK.


> _reasonably_ trust a power-only USB ... like the built in ports on aircraft.

I'm with you, this might fall under "safe". Then again, from threads posted here and elsewhere, and through personal investigation...the infotainment systems on airplanes are an absolute disaster with regards to security and software design. They're often part of the same system as the provided USB ports. While the risk is small, there's nothing stopping 1 person from running a script that exploits some flaw in the outdated Linux distro the airline is using to manage their in-flight entertainment.

There's also a chance I'm paranoid and spend too much time here, but I'm gonna stick with my Altoids.


I have thought a power bank would be a good enough condom - for my threat vectors, that is.


Can you be reasonably certain they work?


The one I have is designed to allow you to visually inspect the connector terminals. So at least regarding my (USB-A) ones, I can confirm only the power lanes exist.


I probably would have guessed that software vulnerabilities were rare for just plugging your smartphone into a USB port (without some additional user approval on the device). Obviously a port could probably be easily configured to just fry your jack/device but that’s not a big part of my threat model anyway.


You would have guessed wrong. Most devices, especially multi-vendor android devices, have exploitable subsystems which never touch the UI visible OS layer.


Everyone wants everyone to be more informed about their subject matter area, but there just isn’t enough cognitive load for it all.

I’d like to just rely on my device to protect me by asking if I want to trust the device.


I lately had trouble convincing some non-tech acquaintances that IoT "cloud-enabled" cameras all over their house (including the bedroom) as an anti-break-in measure are a bad idea, as those devices or the storage in some Chinese cloud could be hacked. They ridiculed this as "far fetched".

I'll never be able to bring up this risk with USB to those guys.

Edit: IoC typo -> IoT


I know IoC as “Indicators of Compromise.” While that’s kinda true here, that’s not how you used it. What is IoC short for in your parlance?


Probably meant "IoT cameras".

Though apparently the "Internet of Cows" is something.


IoT. Sorry.


Why do you feel the need to mention "Chinese"? Any cloud storage is liable to be hacked.


Because they're the dodgiest, lowest cost, cheapest option. And they like to spy/ddos.


Getting a phone with a large enough battery (>5000mAh) is good opsec. I have a 10000 mAh battery in my phone, and I only need to charge about twice a week.


What kind of phone do you have?



