FBI begs Americans to stop plugging their gadgets into USB ports of unknown provenance

Originally published at: FBI begs Americans to stop plugging their gadgets into USB ports of unknown provenance | Boing Boing

5 Likes

You can buy USB cables that only have the power leads connected for use in just that situation.

I don’t know if that disables any of the fast-charging handshake negotiation, but it will get you a charge if you need it.

13 Likes

Fraudsters may even give you infected cables as a promotional gift,

Don’t know about cables, but this happened to me with a promotional USB memory stick I got at an industry event. Wound up having to wipe the entire computer and reinstall everything. PITA

14 Likes

This from Amazon will solve the problem. Please note they’re already on version three :)
https://www.amazon.com/PortaPow-3rd-Gen-Data-Blocker/dp/B06XGM6LJB

4 Likes

I use these

They also make one that is clear, just in case you are extra paranoid (It doesn’t mean that they aren’t out to get me).

24 Likes

They do. All these USB condoms charge at the minimum rate of 500mA because without the data lines connected, the client and host USB chips can’t negotiate the charging rate. Fortunately USB supports a minimum power level that is always on so at least this protection is possible.

As Rob says though, this is all very likely a moral panic more than anything. Nobody is going around sneaking secret data honey traps into restaurants and airports.

Bad actors who want your data just go online and buy it. It’s not hard to get. Scraping data physically from local devices one by one is a ridiculous way to go about it and there’s no evidence to suggest anyone is doing this, just because they theoretically could. All the same personal data exists on the servers your apps all talk to, and it’s a whole lot easier to go get it from them in bulk.

Furthermore, if you use an iPhone, there are several layers of encryption and OS-level app protections between the USB port and your data. A USB device can’t access the data on your banking app, for example, or even your contacts. It’s all encrypted, sandboxed, and locked behind permissions you must manually enable via prompts.

25 Likes

Sounds like language from a typical security brief. If you listened to security briefs in some places I’ve visited you’d never want to step outside. They tend to be a catch-all for everything horrible that has taken place in the past year or more even if just once.

I read it as less a moral panic but more of a public service announcement in this case. It happens. Be aware that it happens.

6 Likes

Does it though? I’ve never seen evidence of it.

I agree it can happen. I’ve built my share of USB devices and am familiar with the security weaknesses therein. However, until shown evidence otherwise, I’m with Rob. Someone can put razor blades in Halloween candy, but it’s never actually happened and is not something anyone should spend mental energy being afraid of.

There is a cost to society of people being paranoid. Caution is not free. When people are walking around paranoid and afraid, they self-align with security theatre and authoritarian power structures. All sources of fear should be evidence-based, in my opinion, to combat that effect.

10 Likes

Some far worse things can happen at airports.

5 Likes

Yeah, security briefings tend to be more CYA than about useful security tips. “We warned you that murder hornets were an invasive species that were sighted two years ago. Now you can’t sue us because we told you about it.”

3 Likes
2 Likes

Stop plugging their gadgets in ports of unknown provenance.

(When will we see prophylactic apps for those gadgets? ;) )

1 Like

Juice jacking, as it’s known

Is it known?

6 Likes

Carny Knowledge

3 Likes

I mostly use public ports to keep my power bank topped off, but not for charging my phone. Using it as a sort of go-between is my version of wearing a USB condom, I guess.

Some warn that power banks themselves can come loaded with malware; that’s a different issue entirely.

3 Likes

Looks like I’m not the only one who saw a terrible euphemism…

1 Like
