Charging from untrusted sources

Warning: This post is over 365 days old. The information may be out of date.

Have you ever thought about the USB ports that are available in public places? I’m talking about USB ports on the side of airport chairs, or the ones built into the table at restaurants and coffee shops.

Well, turns out plugging your devices into untrusted USB ports isn’t such a great idea. Dubbed “juice jacking” by the media, you never know if the plug is just a regular old power supply plug with only power supplying capabilities, or a sinister device with circuitry to connect to your device and siphon data off of it. Because of this, people started to buy things like USB condoms that have the data pins cut so that no data exfiltration can take place.

I thought that was quite a nice idea and was about to purchase one of these for when I’m out and about (that is, if the coronavirus restrictions lift again), then realized that these don’t make much sense. Here are the two major reasons why I think they aren’t worth looking into:

1. The ports can still be malicious, even without data pins

One way the ports can still damage your devices is by injecting a ton of voltage through the power pins of the USB port. It’s similar to a USB killer in how it works.

Your phone is only rated for a certain amount of voltage, such as 5V (most common) or 9V (fast charging), etc. Therefore, a good way to kill your device, or at least fry its charging circuitry, is to inject more voltage than it is capable of receiving. And because the voltage can be injected through the power pins, these USB condoms will have no effect whatsoever, since they only disconnect data pins.

And sure, I think having malicious ports at your local coffee shop is a bit far-fetched, but we’re talking about charging from any untrusted source, which includes actively hostile environments where adversaries have installed malicious chargers like the one described above. In this case, the USB condom won’t save you.

2. Fast charging is disabled

Fast charging on modern devices works by exchanging signals through the data pins. If I remember correctly, Apple devices use resistors across the data pins to signal the maximum amount of current the devices can draw, while Android handsets use twenty different protocols (Qualcomm Quick Charge, for example) just to figure out how to quick charge, something I won’t get into here because this blog post will become horrendously long.

But because the USB condom breaks the data pins, fast charging cannot be negotiated through these lines and therefore your devices will charge more slowly.

What’s the solution?

Use your own USB charger, or use a small powerbank as a regulator.

AC plugs obviously can’t exfiltrate data, and any voltage tampering will result in the death of your USB charger, not your phone, if your USB charger is made by a reputable company with all the safety features like fuses. And it’s obviously far cheaper to replace a broken USB charger than your phone.

If you do not want to purchase a USB charger, or if you are in an environment where the only option is to use a USB port, then I would use a powerbank as an intermediary. Charge your powerbank from the untrusted USB port, and then charge your phone using the powerbank. Since the powerbank only works as a regulator between the device and the power source, you don’t even need to get a bulky powerbank with high capacity.
