USB charging dangers and USB Condom

Modern smartphones consume so much energy that charging them once a day is not always enough. When they are used intensively, the user sometimes has to look for a power source in the middle of the day, and charge their device whenever and wherever possible. At first glance, it seems absurd to worry about safety in these circumstances. You plug the smartphone into a socket and it starts charging – the same as with a flashlight or a toothbrush, right? But, in fact, there are some hidden dangers which you need to be aware of. Public charging stations help smartphone users, but also open a new avenue for hacking.

When charging a smartphone from a PC, or connecting it to a USB port in a car or plane, we rarely consider the possibility that information may be exchanged as well as power. The article Beware of Juice-Jacking asks: do you hesitate before connecting your phone to an unknown device that could be configured to read most of the data on your phone, and perhaps even upload malware?

Settings vary on different smartphones – they often automatically connect using PTP or MTP modes, and the connected PC can then copy all the relevant files from the smartphone. This is especially annoying if you store confidential photos on your smartphone. This behavior is more frequent than it might seem – the automatic upload of photos is a standard setting of many photo album managers, Dropbox and similar applications. If the smartphone automatically connects in removable media mode (UMS, Mass storage), all files in the internal storage become accessible to the PC. It is also possible to pick up a virus this way; this threat is not that considerable, but users should still bear it in mind.

The easiest, and usually quite effective, way to avoid these problems is to switch off the smartphone completely before charging it and keep it switched off until charging is completed. This is usually not very user-friendly when you want to be online all the time.

Last week there were headlines like USB “Condom” Allows You To Practice Safe Charging and Wrap That Rascal With A USB Condom. Yep, a USB condom. That term is mostly a dose of marketing brilliance, which is to say that it grabs your attention while also serving as an apt description of the product.

A little company called int3.cc has developed a product, a USB condom, that blocks the data pins in your USB device while leaving the power pins free. Thus, any time you need to plug a device such as a smartphone into a USB port to charge it (let’s say at a public charging kiosk or a coworker’s computer), you don’t have to worry about compromising any data or contracting some nasty malware. It’s one of those simple solutions that seems so obvious once someone has come up with it. They sell the product at http://usbcondoms.com/.

The first version of the USB Condom achieves this by cutting off the data pins in the USB cable and allowing only the power pins to connect through. Thus, these “USB Condoms” prevent attacks like “juice jacking”. Juice jacking is when a USB charger is modified so that it reads, modifies or deletes information on a user’s cell phone. This can include stealing passwords or adding spyware onto the device.

According to their web page, version 2 of the USB Condom will debut soon (this is the version mentioned in those news stories): for a few bucks more, it includes a microprocessor on the “untrusted” side to ensure full line power.

All smartphones charged from USB use a supply voltage of 5 volts, while the charging current may vary from 500 to 1500 mA. If you just connect the power wires, you will not get the full power, because the smartphone and charger can’t agree that more than the normal default maximum current (100 mA or 500 mA depending on the case) can be used.

That first version of the USB condom sounds pretty simple, so how about a DIY version? The article Charge Only MicroUSB Cable says that if you are armed with a soldering iron and heat shrink tubing, building a charge-only USB cable is an easy hack: if you cut open the USB cable and clip the signal wires, you effectively create a charging cable.

A USB cable has four wires: two for power, two for signal. Important: the signal wires on the host or USB A end of the connection must remain open, or you risk shorting out your USB port or damaging your computer. This simple design has a downside: it is not able to charge and operate all phones. Some phones need the data pins to be in the correct state (especially devices made by Apple).

Many phones allow you to charge with only power and ground connected. Some phones (looking at you, Apple) use the data lines to determine whether or not the charger is “permitted” to charge your phone. Other phones still (some Android phones in particular) explicitly ask you to decide what to do with the USB connection, e.g. charge only, mount as a USB drive, or an application-specific data connection. I think an easy way to mitigate this threat is to have a filter that blocks USB pins 2 & 3 and only connects pins 1 & 4 (the power pins). It is at least worth a try. Some USB cables (often the cheap ones you get with a cheap charger) only run power and ground, leaving the data lines unconnected. If you want to buy such a cable (instead of making your own), Google “USB power only cable”.

The posting How to make a “USB fast charge cable” for your phone gives some tips on how fast-charge detection works on phones. USB devices like your phone will draw only 500 mA from devices that they recognize as USB hosts, such as your computer. Dedicated USB chargers will supply more than 500 mA, usually 1 amp but sometimes more. How does your phone know the difference between a dedicated charger and your computer? The way you fool the phone into thinking it is on “AC power” rather than “USB power” is to short together the two data pins that go to the smartphone connector. When the phone probes the data pins, it will see that the pins are connected together, decide that it is on “AC power”, and draw more current. You should take care, however, to short the pins in such a way that the phone sees the short, but whatever you plug the cable into (your computer) doesn’t see the pins at all. Shorting the data pins on your computer may damage it. You’ve been warned! The computer also might not like it if the cell phone tries to take more than 500 mA of current from its USB port.
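The wiring rules from the paragraphs above (keep the power wires, cut or isolate the data wires, short the data pins only on the phone side) can be checked mechanically. The following Python code is an added example, not from the original post; the pin names, the audit() function and the sample wirings are assumptions for illustration, and it models only phones that use the shorted-data-pin detection described above.

```python
# Added illustration (not from the original post): audit a charge cable or
# data-blocker design given as a list of pin-to-pin connections.
# Pin names and audit() are hypothetical; 500 mA / 1000 mA are the "USB host"
# and "usually 1 amp" dedicated-charger figures quoted in the text.

def _net_finder(links):
    """Merge connected pins into electrical nets (union-find)."""
    parent = {}

    def find(pin):
        parent.setdefault(pin, pin)
        while parent[pin] != pin:
            parent[pin] = parent[parent[pin]]  # path halving
            pin = parent[pin]
        return pin

    for a, b in links:
        parent[find(a)] = find(b)
    return find


def audit(links):
    find = _net_finder(links)

    def joined(a, b):
        return find(a) == find(b)

    power = joined("host.VBUS", "dev.VBUS") and joined("host.GND", "dev.GND")
    dev_short = joined("dev.D+", "dev.D-")
    return {
        "power": power,
        # Any device data pin reaching a host data pin is a data path.
        "data_path_to_host": any(joined(h, d) for h in ("host.D+", "host.D-")
                                 for d in ("dev.D+", "dev.D-")),
        # A short visible on the host side is the damage risk the text warns of.
        "host_side_short": joined("host.D+", "host.D-"),
        # Phone sees D+ tied to D-: it treats the source as a dedicated charger.
        "phone_sees_charger": dev_short,
        "expected_draw_ma": 0 if not power else (1000 if dev_short else 500),
    }


# Constructed sample wirings.
POWER = [("host.VBUS", "dev.VBUS"), ("host.GND", "dev.GND")]
STRAIGHT = POWER + [("host.D+", "dev.D+"), ("host.D-", "dev.D-")]
CHARGE_ONLY = POWER                             # data wires clipped
FAST_CHARGE = POWER + [("dev.D+", "dev.D-")]    # short on the phone side only
BAD_SHORT = STRAIGHT + [("dev.D+", "dev.D-")]   # short also reaches the host

if __name__ == "__main__":
    for name in ("STRAIGHT", "CHARGE_ONLY", "FAST_CHARGE", "BAD_SHORT"):
        print(name, audit(globals()[name]))
```

Only the FAST_CHARGE wiring gives both no data path to the host and the higher current draw; BAD_SHORT is the case the text warns about, where the short is also visible to the computer.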

11 Comments

  1. Tomi Engdahl says:

    Don’t Just Go Sticking That Anywhere: Protect the Precious With a USB Wrapper
    http://hackaday.com/2014/03/21/dont-just-go-sticking-that-anywhere-protect-the-precious-with-a-usb-wrapper/

    This project was inspired by the USB Condom

    [Scasagrande]’s USB Wrapper gives you options. You can set it to Dedicated Charging Port, Sony, Open Circuit, or Apple.

  2. Tomi Engdahl says:

    USB Wrapper
    http://dangerousprototypes.com/forum/viewtopic.php?f=56&t=6240

    In legitimate USB chargers, the data lines are used to communicate to your device how much power they are capable of sourcing. The exact means by which they do so vary between manufacturers. The standard calls for the D+ and D- lines to be shorted together, while companies like Apple will apply specific voltages on both lines depending on the charger. By entirely disconnecting these data lines, your device does not know any information about the charger, and will thus assume it is a standard USB2.0 port. This means the device will self-limit the charging rate to 2.5W, even if the charger can in fact handle more.

  3. Tomi Engdahl says:

    Car cassette head unit becomes dock for Galaxy S4
    http://www.ivancreations.com/2014/06/car-cassette-head-unit-becomes-dock-for-galaxy-s4.html

    How to have USB host mode + charging the phone?
    When you want to connect a keyboard, mouse or DAC to your phone, the phone must enter the so-called USB Host mode. One particular caveat is that according to the USB Battery Charging Specification (ver 1.2), when the device is host it shall supply power, while in your case you want the complete opposite – you want the device to be host and drain power (to charge the battery).

    The key thing is to check whether your phone manufacturer offers a dock for your phone which allows connecting external devices. If that is the case, then you can simulate this dock and have USB Host mode + charging.

  4. Tomi Engdahl says:

    This looks like an interesting product: an in-line USB current + voltage meter with two ports, a normal USB port with data and a charge-only port:

    0.28″ LED 3-Digit Red Display USB Power Charger Data Transmit Current Voltage Tester (3~10V/0~3A)
    http://www.dx.com/p/0-28-led-3-digit-red-display-usb-power-charger-data-transmit-current-voltage-tester-3-10v-0-3a-300557?r=8527370

  5. ver cine gratis says:

    I’ve learned a few good things here. Definitely worth bookmarking for revisiting.
    I am surprised how much effort you put in to create such an excellent informative website.

  6. Tomi Engdahl says:

    This USB condom seems to be quite simple, just a few resistors and two USB connectors needed….

    USBCondom
    https://www.crowdsupply.com/xipiter/usbcondom

    A protective barrier between your device and “juice-jacking” hackers.

    USB Condom is a product from information security R&D consultancy and product development company Xipiter.

  7. Tomi Engdahl says:

    Here is one USB charge meter with built-in USB condom-like functionality:
    http://www.epanorama.net/newepa/2014/08/15/usb-charger-meter-with-protection/

  8. Tomi Engdahl says:

    Mobile USB charging is dangerous

    Security company Kaspersky Lab points out that charging a smartphone via USB involves a variety of risks.

    The security company notes that the USB interface is designed for charging, but also for data transfer. Because of this, every time the device is connected to a USB port, it will try to handshake and establish a connection. Even at this stage, of course, data transfer takes place.

    While the phone is in charging mode – when data transmission is blocked – data is still transferred between your phone and the host device. The amount of this data depends on your platform and operating system.

    At the least, the master device gets information about the device, the manufacturer’s name and the serial number of the device.

    The problem is that this information can be AT commands used to capture the SIM card telephone number and contact information. Since then, the attacker can call any phone number at the expense of the SIM card owner.

    The important thing to remember is that you never know what the unknown USB port can do to your phone.

    Source: http://etn.fi/index.php?option=com_content&view=article&id=4517:kannykan-usb-lataaminen-on-vaarallista&catid=13&Itemid=101

    More:

    Charging your smartphone’s battery over USB can be dangerous
    https://blog.kaspersky.com/usb-battery-charging-unsecurity/12206/

    Chances are that each of us has found ourselves in a situation where our phone is dying and we have no charger on hand, but at the same time we desperately need to stay connected — to answer an important call, receive a text message or email, whatever.

    It is perfectly normal to look for any source of precious electricity on such occasion — any USB port would do. But is it safe? No. In fact, it can be dangerous: Over a USB connection someone can steal your files, infect your smartphone with something nasty — or even brick it.

  9. LoreanTMyott says:

    We stumbled over here coming from a different website
    and thought I might at the same time check things out.

    I like a few things I see, so now I am following you.
    Looking forward to going over your web page a second time.

  10. Tomi Engdahl says:

    Charge Safely
    Protect your mobile phone from accidental
    syncing and malware!
    http://syncstop.com/

  11. Tomi Engdahl says:

    Please stop charging your phone in public ports
    http://money.cnn.com/2017/02/15/technology/public-ports-charging-bad-stop/

    I know the feeling: Your battery is low, but you have to keep tweeting. You see a USB port or an outlet in public, plug in your device and feel the sweet relief of your phone charging.

    That comfort could be shattered by an invisible attacker collecting information while your phone is plugged in to a hacked outlet.

    “Just by plugging your phone into a [compromised] power strip or charger, your device is now infected, and that compromises all your data,” Drew Paik of security firm Authentic8 explained. Authentic8 makes Silo, a secure browser that anonymizes web activity.

    Public charging stations and wi-fi access points are found in places like airports, planes, conference centers and parks, so people can always have access to their phones and data. But connecting your phone to an unknown port has its risks.

    The cord you use to charge your phone is also used to send data from your phone to other devices.

    If a port is compromised, there’s no limit to what information a hacker could take, Paik explained.

    And yet despite the risks, people do it all the time. Even at prominent security conferences.

    The company ran an informal social experiment to see how many people would use the public charging stations. Paik said an overwhelming number of attendees — about 80% — connected their phones without asking about the security.

    “The majority are plugging in no problem. They are at a security conference and they should know better, but they probably feel safe,” he said. “The others are making fun of them. They just walk by and say, ‘Do people really do that?’”
