If You've Just Got To Tap It - Now You Can Wrap It!

Hi ATS!

Before you freak and slam the alert button forty-two times in fury, disgust and rage... I am talking about your portable device USB charger!!! So pause, settle down, take a deep breathe, and let me explain:

Given the nature of our hectic lives these days, and the fact that the vast majority of us are reliant upon portable media devices for a myriad of things - phones, tablets, music players, cameras, etc - the only real opinion we have about charging them is that it frustrates us and these darned devices always seem to go dead at the worst possible time. It's nothing for most of us to take advantage of any source of charge we can find when we are out. We'll use public or work computers, the artist formerly known as automobile cigarette lighter, any handy electic or USB plug we can find.

It's a no brainer and who can it hurt, right?

Well, not too long ago this happened:

A recent post to social news site Reddit detailed how the computer of an executive at a “large corporation” had been infected with malware from an undetermined source. Further investigation apparently revealed that it had stemmed from a $5 e-cigarette bought from the online auction site eBay.

The e-cigarette was found to have malware hard-coded into the charger, which “phoned home” and infected the system when plugged into the computer’s USB port.

Source

This is something I assume has already been covered on ATS somewhere, though I haven't seen it. But that's OK because it's not the primary focus of this thread, simply a real world example of the potential for USB exploiting.

There are still many people who consider their USB or microUSB to be nothing more than a means of charging - forgetting that these same cables are also the vector we use to transfer files from our PC's to our devices and vice-versa. There is a feeling of false safety we get when we know that we can set the device to "charge only". Thus we tend to be very opportunistic and lenient about how and when we charge these devices. No pun intended ( well maybe a little ) but what was that old saying?

Any port in a storm...

There are measures we currently have to limit our exposure, but they can be a hassle. Most devices come with a two stage USB charger - meaning a USB cable with a removable AC adapter. From what I've seen, over years, is that the adapter tends to stay in the wall, and the cable tends to go out with the device. USB ports are everywhere and it's nothing to catch a quick ten or twenty minute charge. Not doing THAT is the most important step in security. Make sure you bring the AC half of the charger with you and use it when possible.

Think of viruses as computer VD. Being promiscuous with USB connections is every bit as risky for your devices as it is for your body. If you play fast and loose with charging, you could infect your mobile. Once that's done, the second you hook it up to your other systems ( read home PC ) it becomes infected and contageous as well. That means all of your other portable devices are likely to fall like dominoes into a state of infection.

I know that at least one person is reading this and scoffing that they've got the latest version of this or that virus protection on all of their devices, or that they have an iProduct or use Linux and don't need to worry. Sorry to burst bubbles here - but nobody is safe from infection, not even Apple or Linux users. In fact a large portion of the new viruses are targeted at portable devices, meaning iPhones and Android - thus Apple and Linux. Portability and the popularity of portable computing has killed the days of Microsoft being almost solely targeted.

All that said, there is emerging tech from the private sector that will soon be available to help. It is called "The USB Condom":

A new USB security device has been developed by New York-based researchers that allows users to practice safe-charging when connecting their devices to public computers.

The USBCondom provides a "protective barrier between your device and 'juice-jacking' hackers", according to the product's Crowd Supply page, preventing accidental data exchange through a USB cable.

Security firms have warned of the danger of connecting devices to unfamiliar computers or the growing number of public charging stations.

"If the smartphone automatically connects when it is in removable media mode, that makes all files in the internal storage accessible to the PC," said IT security firm Kaspersky Lab in a blog post.

"These may include documents, as well as various data backup copies created by applications and many other things."

Source



The company is new but their tech seems sound and it shouldn't be long before widespread availability of this product, or others like it occurs. This company is still in the Kickstarter phase, but even now the product is priced at ten bucks. It won't be terribly long before that price drops and I imagine that most of us will be purchasing two or more of these devices to attach to the ends of our USB cables.

So, ATS, I have given some of you a new reason to be paranoid - but also supplied a methods of alleviating the paranoia all in one post! Not bad, huh!

And to think I didn't even cover the fact that Big Brother is probably looking for every opportunity to get you to plug that USB into devices that he has access to. Big Brother - the one so patient that he can wade through trillions of duck-lipped selfies in the name of freedom... Sigh.

Thanks for reading!

what I don't understand about this issue is why has there been little or no advances in batteries considering how long they have been around.

I would have thought that in this day and age a phone battery should remain charged for 5-6 months. Might there be some big brother type reason why such a technological advance has not taken place??

There is a very simple solution and that would be a "power only" USB cable that supplies the +5vdc and ground rails. In a cable like this, there are no data (TX/RX) lines hooked up and therefor no communications vector.

Cheers - Dave

I will admit sir that I was slightly dissapointed upon finding out this thread was about something completely different than I had anticipated. No matter, as I am never short on opinions, lol. I would think the best bet for anyone using these devices would be to buy a wall charger, something that does not have to be connected to your computer system. Government agencies have computers that do not even allow the transfer of data, and this is partly to avoid something like this happening via a USB storage device or other hard drive, although mostly it is just to prevent employees from stealing classified data. Heck, even when I was in the air force we used computer systems of this nature, but the nature of my job was different from others, so I don't know if all the systems were that way. My point is that the best way to secure a system is to not allow anything to connect to it, nor to have it connected to the internet. Obviously this is not practical for most people, so your best bet would be to first eliminate the use of any device that has a chance of containing malware.

This is pretty much any piece of hardware or software nowadays, so your best bet is to use some anti-malware software. Actually, your best bet is to make the switch to a linux system, and right there you will reduce the amount of malware that can possibly infect your computer by a very significant degree. Most malware is designed for a windows based system. Although this is not practical for most people either, as setting up and configuring your new install might be beyond the capabilities of the average user, so just use software to alert you to stuff, or to block stuff. Not being a windows user I don't know for certain, but I would be willing to bet there is some software that could disable any data transferring under certain conditions, even with a USB, so that absolutely nothing could be written to the system. Obviously it would depend on whether there are exploits being, well, exploited, or if this is simply an automatic transferring of data the normal way, since an explot could potentially overcome certain security measures. So the more I think about it, the most safety a person will get will come from not plugging one of these devices into your system. Or, don't buy them from overseas companies, or any company that uses an overseas company to create any portion of their product. Boycott China I say.

that is a nice idea well done to them.

but if you have an Android phone with the latest 5.0 Lollipop there's a new "charge mode" option when selecting the USB connection type that disables any data possibly wanting to go through and just charges the phone, pretty sweet!.

a reply to: Hefficide

Yes Mary....I too....thought this was about sex.

Take the side off of your home/work computer and unplug the cables for your front USB ports. The danger seems to be from these casual quickies from fly by nighters you don't even know who have the attitude any hole will do with their devices.

Im wondering how well the 'condom' would work for proprietary devices. I know my samsung tablet had a funky cable, I couldnt charge properly with any other cable, and it was a device feature, like the reversed ipad connector. Same design, but you cant use an apple cable. Frustrating when you are in an office and all they have are apples and you think you're set. And almost screw up your port in the process of getting that damn connector in.

But as pointed out, the simplest thing to do, if you don't want to fork out for an adapter, is just hack a standard usb cable. Red and Black are all you need, the data cables being cut, will not affect the power feed.

Or do what I do and carry a handy solar powered usb charger and avail yourself of natural free power. lol. not that I've done that yet. I'm still trapped in the hell of emotional limbo and the concept of needing a phone or anytyhing is far far out of my thought process.

A virus of the technological kind, right now, would just be one more nail in the steve coffin....

a reply to: Hefficide

Great post Heff! It was by far the most interesting thing I've read today. I can't believe that an e-cigarette could have a virus hardwired in it like that!

I bought one of them the other day from a gas station, and yes, I have plugged it into my laptop to charge before!! I wonder if AC adapters or car chargers with USB outs could be programmed with viruses to infect the devices you plug into them, too?

Great post Heff, I encourage anything that opens up the eyes of the masses to things like this.

But honestly, this is nothing compared to some of the other exploits out there...

One of which, if you haven't heard of it, is air-gapping or air-hopping.

The main idea behind the research is to use radio frequencies in order to transmit the secret data from the computer to the mobile phone. Mobile phones usually come equipped with FM radio receivers and it is already known that software can intentionally create radio emissions from a video display unit. Yes, from the computer screen. Still, this is the first time that a mobile phone is considered in an attack model as the intended receiver of maliciously crafted radio signals emitted from the screen of the isolated computer. AirHopper demonstrates how textual and binary data can be exfiltrated from physically a isolated computer to mobile phones at a distance of 1-7 meters, with effective bandwidth of 13-60 Bps (Bytes per second). Enough to steal a secret password.

And that is all that it takes is one password to be owned.

Here is some info including the original paper.

Let's say you are some Russian or Chinese diplomat that is being given a tour of a government facility. You are asked to leave your phone in a locker somewhere, or a plastic bin at the front door. Depending on how things are set up, that phone is still capable of capturing information being emitted from other rooms or devices in the same facility. Depending on what type of facility and what type of information is being transmitted, there is potential for a seriously insidious breach.

There are so many more ways that a system can be compromised.

If you're really interested, check out the speech from a guy named Applebaum. You might still be able to find it on Youtube. You'll have to really get your geek on to understand a lot of it, but it's well worth the time to listen to him.

The only thing secure anymore is the inside of your own head, and even that is becoming questionable.

S&F

~Namaste

a reply to: Hefficide

I bought a cheap phone charger USB holding up to 18 hrs of charge and tossed it in my car....wife has one in purse.