How vulnerable are public USB ports to hacking/viruses?
April 27, 2017 10:37 AM Subscribe
Tottenham Hostspur are building a new stadium in London and USB ports will be available in premium seats. How safe are these to use?
I would rate them as safer than public ATMs, but not that safe. So-called "juice jacking" is a definite possibility, although I don't know if any actual compromised charging stations have been discovered in the wild.
For something like a stadium seat with an integrated port, they'd have to remove the port and install a replacement port, which might be difficult to pull off while a game of footy is ongoing. Or might be easy, depending on how the port is designed.
posted by dis_integration at 10:45 AM on April 27, 2017 [5 favorites]
For something like a stadium seat with an integrated port, they'd have to remove the port and install a replacement port, which might be difficult to pull off while a game of footy is ongoing. Or might be easy, depending on how the port is designed.
posted by dis_integration at 10:45 AM on April 27, 2017 [5 favorites]
Incidentally, the iPhone 7's security measures should protect you in an instance like this, so long as you keep your phone locked. Android phones are another story.
posted by dis_integration at 10:48 AM on April 27, 2017
posted by dis_integration at 10:48 AM on April 27, 2017
The thing that makes USB so convenient (and also a commensurate security risk) is that it handles both power and data. If this new venue is like most sports stadiums here in the States, it would probably be trivially easy for sufficiently-motivated hacker to sneak in when the stadium is empty and install a dongle to turn an innocent charging port into a malware or identity-theft vector.
There's also the emergence of the USB Killer: a harmless-looking USB key with a hidden high-voltage capacitor that will instantly fry any device that it's plugged into. A would-be vandal can build one from only a few dollars in parts, with a male or female USB connector depending on where they wanted to conceal one.
Basically, if you wouldn't pick up a USB drive off the ground and plug it into your home computer, you shouldn't plug any device that you care about into random USB ports built into public seating.
posted by Strange Interlude at 10:58 AM on April 27, 2017
There's also the emergence of the USB Killer: a harmless-looking USB key with a hidden high-voltage capacitor that will instantly fry any device that it's plugged into. A would-be vandal can build one from only a few dollars in parts, with a male or female USB connector depending on where they wanted to conceal one.
Basically, if you wouldn't pick up a USB drive off the ground and plug it into your home computer, you shouldn't plug any device that you care about into random USB ports built into public seating.
posted by Strange Interlude at 10:58 AM on April 27, 2017
It also occurs to me that the very fact that this is being offered only on the more expensive seats means that the potential return on investment for a hacker interested in stealing personal financial data is much higher than it would be in other situations. The whole set-up just screams "trap" to me.
posted by Strange Interlude at 11:01 AM on April 27, 2017 [2 favorites]
posted by Strange Interlude at 11:01 AM on April 27, 2017 [2 favorites]
If you're plugging into an unknown usb, you can try using a USB power only cable or USB 'condom' (it has the middle pins disconnected). That won't protect you from the USB killer mentioned above, but it would protect your data from being transferred.
And it doesn't matter if the stadium disables data pins on the ports- someone can just put a device in between and reconnect the data pins. So you have to rely on a cable that you yourself have verified as being power only.
posted by thewumpusisdead at 11:07 AM on April 27, 2017 [7 favorites]
And it doesn't matter if the stadium disables data pins on the ports- someone can just put a device in between and reconnect the data pins. So you have to rely on a cable that you yourself have verified as being power only.
posted by thewumpusisdead at 11:07 AM on April 27, 2017 [7 favorites]
Basically, if you wouldn't pick up a USB drive off the ground and plug it into your home computer, you shouldn't plug any device that you care about into random USB ports built into public seating.
This is great advice.
However, it does require some extra vigilance. If you want to take an extra step to save yourself some energy normally spent on said vigilance, can buy either one of these and throw it in the bottom of your bag, or on the end of whatever cable you usually use to charge your phone. I personally need fewer things to be vigilant over and worry about. If you travel alot, and find yourself charging your phone in sketchy spots a bunch, it might be worth picking one up.
posted by furnace.heart at 11:07 AM on April 27, 2017 [3 favorites]
This is great advice.
However, it does require some extra vigilance. If you want to take an extra step to save yourself some energy normally spent on said vigilance, can buy either one of these and throw it in the bottom of your bag, or on the end of whatever cable you usually use to charge your phone. I personally need fewer things to be vigilant over and worry about. If you travel alot, and find yourself charging your phone in sketchy spots a bunch, it might be worth picking one up.
posted by furnace.heart at 11:07 AM on April 27, 2017 [3 favorites]
"Android phones are another story."
I believe recent Android and iOS devices both require users to agree before allowing their phone to be accessed over USB. But, of course, bugs happen.
"Don't know about security, but reminds me of when everyone was building houses with high-speed internet cables. Then wifi happened."
Um, I would *love* to have house-wide ethernet--it's faster and more reliable than wifi. One of these days I'll get around to it. If nothing else, it'd be useful for hooking up the wifi AP, which is currently depending on powerline networking....
posted by floppyroofing at 11:29 AM on April 27, 2017 [2 favorites]
I believe recent Android and iOS devices both require users to agree before allowing their phone to be accessed over USB. But, of course, bugs happen.
"Don't know about security, but reminds me of when everyone was building houses with high-speed internet cables. Then wifi happened."
Um, I would *love* to have house-wide ethernet--it's faster and more reliable than wifi. One of these days I'll get around to it. If nothing else, it'd be useful for hooking up the wifi AP, which is currently depending on powerline networking....
posted by floppyroofing at 11:29 AM on April 27, 2017 [2 favorites]
This won't protect you from a high-voltage attack, but you can mutilate a USB cable to disconnect the data wires, leaving only power connections behind. You'll want a dedicated cable that's labelled so you don't end up taking it somewhere as your only USB transfer cable.
I don't know what color the wires are likely to be, but in the USB connector that you'd be plugging in to the seat, the wide rectangle, the inner 2 connectors are data; the outer 2 are power. You could remove the data terminals from the plug, or open the cable insulation and do a little wire surgery.
posted by Sunburnt at 11:52 AM on April 27, 2017 [2 favorites]
I don't know what color the wires are likely to be, but in the USB connector that you'd be plugging in to the seat, the wide rectangle, the inner 2 connectors are data; the outer 2 are power. You could remove the data terminals from the plug, or open the cable insulation and do a little wire surgery.
posted by Sunburnt at 11:52 AM on April 27, 2017 [2 favorites]
The main worry would be "skimming", i.e. a malicious person replacing or covering the legitimate charging port with a device that looks identical but does nasty stuff to your phone. You can use a "USB condom" to prevent this, but at that point why not just bring a battery backup pack?
posted by tobascodagama at 12:02 PM on April 27, 2017 [1 favorite]
posted by tobascodagama at 12:02 PM on April 27, 2017 [1 favorite]
You can use a "USB condom" to prevent this, but at that point why not just bring a battery backup pack?
Such "condoms" cost $7-$13 (or you can make your own) and they're small and fairly durable, while battery packs are generally around $30 and are bulky, if not also more fragile.
posted by filthy light thief at 1:49 PM on April 27, 2017
Such "condoms" cost $7-$13 (or you can make your own) and they're small and fairly durable, while battery packs are generally around $30 and are bulky, if not also more fragile.
posted by filthy light thief at 1:49 PM on April 27, 2017
USB cable colours are almost universally:
- Power is red and black
- Data is green and white
If you've a spare USB cable lying around, cut the data wires and you're good.
Then again, you can get USB condoms for US$7 and you probably should.
posted by happyinmotion at 2:17 PM on April 27, 2017 [1 favorite]
- Power is red and black
- Data is green and white
If you've a spare USB cable lying around, cut the data wires and you're good.
Then again, you can get USB condoms for US$7 and you probably should.
posted by happyinmotion at 2:17 PM on April 27, 2017 [1 favorite]
I'd say there are at least two ways to protect your device when using untrusted USB ports:
1. Buy a USB power bank (Amazon has many for $10-$20). Even a compact, small capacity one is fine. Use public USB ports to only charge the battery pack and never your phone directly.
2. Buy a USB data block adapter; make sure to get one like this that can allow fast charging. There are comments above that suggest to just cut USB data wires in a USB cable; while this would work to protect yourself from hacking, it means the USB port will likely default to basic slow charging. So, if you want to use a USB data block, it is better to get a specific device that negotiates fast charging on the USB side while still protecting your phone.
posted by thewildgreen at 8:51 PM on April 27, 2017 [3 favorites]
1. Buy a USB power bank (Amazon has many for $10-$20). Even a compact, small capacity one is fine. Use public USB ports to only charge the battery pack and never your phone directly.
2. Buy a USB data block adapter; make sure to get one like this that can allow fast charging. There are comments above that suggest to just cut USB data wires in a USB cable; while this would work to protect yourself from hacking, it means the USB port will likely default to basic slow charging. So, if you want to use a USB data block, it is better to get a specific device that negotiates fast charging on the USB side while still protecting your phone.
posted by thewildgreen at 8:51 PM on April 27, 2017 [3 favorites]
« Older Can I convince a landlord to allow a subletter's... | Excellent books for parents of an addicted adult... Newer »
This thread is closed to new comments.
posted by randomkeystrike at 10:44 AM on April 27, 2017 [4 favorites]