
USB cables should be "charge-only" by default

Every sysadmin knows that you can protect a server through cryptographic or other means, but if someone has physical access "all bets are off". Right? With physical access they can do physical damage (smash it with a hammer) or pull out a hard disk and read the bits directly. Even security systems that are highly respected (I'm looking at you, Kerberos!) are an "all bets are off" situation if someone gets the private key through physical access.

Sadly we forget this when it comes to smartphones. We'll plug our phones into any darn USB charger we find... especially when we are desperate! Those Pokémon ain't gonna catch themselves!

Have we forgotten that our phone is a computer and the USB port gives better access than sitting at a server's console?

This article by Alexey Komarov was a very painful reminder of just how much access a USB port gives to an attacker. USB is a vector for malware and spying. Not only that, USB is how we upgrade firmware on most phones, and the commands to upload and activate new firmware are almost entirely unprotected. Giving USB access means giving unrestricted ability to install new software and firmware. That's crazy!

I was recently reminded of this when I plugged into a USB charging port on an airplane. My iPhone popped up a window asking if I wanted to trust the device. Wait... what?? Why is that power charging port not "charge-only"? Why is it trying to make a data connection to my phone? Oh, it turns out that I could play my iPhone's music through the airplane's audio system. (This, of course, is a stupid feature... the airplane headphones aren't nearly as good as what comes with my phone.)

The airline makes this feature available only in the business/first class cabin. I don't believe in conspiracy theories, but if I were a state that wanted to hijack the phones of important business people, politicians, and government officials, these are the USB ports that I'd be subverting.

So... what can you do?

  1. Use charge-only USB cables. These simply pass on the power wires but not the data wires. They are 100% effective against bad actors. The downside: when you do need data, you need to carry a different set of cables. Available in USB 2.0.

  2. Use a USB condom. This is a device that plugs in between your normal cable and the computer and blocks the data lines. The downside is that you now have a second device to carry around. The upside is that your phone will charge faster! The PortaPow brand has an extra little circuit that tells the device to go into fast-charge mode! I love this feature! (Available for USB 2.0, as a 5-pack, or built into a USB 3.0 cable. In the PortaPow product line, make sure it mentions "3rd Generation"; otherwise it may be an older model that is specific to Apple or Android but not both.)

  3. Use a USB cable with a "data switch". This cable is normally power-only, which is what you want 90% of the time. However, there is a button ("Data Transfer Protection On/Off Switch") you can press to enable data. An LED indicates the mode. This kind of cable is much safer and more secure, and more convenient for users. It follows the security principle that if you make the defaults what you want users to do, they're more likely to follow your security policy. Available in Micro USB.

I recommend that all IT departments give out USB cables with "Data Transfer Protection On/Off Switch" as their default. Include one with every new laptop or mobile device that you hand out. For a tiny additional cost you get a lot of benefit.

The USB condoms are useful when you need to support a variety of USB connector types or cable lengths, since it requires that you use your own cable. I keep one in my travel bag. I also put a few in the datacenter so that when someone is tempted to charge their phone by plugging it into one of our servers, we can instead hand them a condom. No matter what type of connector is on their phone, they can use the condom because it connects to the USB B port on the server side.
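The same "charge-only by default" policy can be applied on the server side of that datacenter scenario without any special cable. This is an added example, not code from the original post or from any product it mentions, and it goes beyond the post's cable-based approach: the Linux kernel's USB authorization interface lets a host keep supplying power to a port while refusing to bind any driver to a newly attached device until an administrator explicitly authorizes it. It assumes a Linux host that exposes `/sys/bus/usb/devices/usb*/authorized_default` on each root hub and a per-device `authorized` file; the `SYSFS_ROOT` variable and the function names are this example's own, chosen so the functions can be exercised against a scratch directory.

```shell
#!/bin/sh
# Added example (not from the original post): make a Linux host "charge-only"
# by default via the kernel's USB authorization files. Assumes a Linux kernel
# exposing /sys/bus/usb/devices/usb*/authorized_default. SYSFS_ROOT is this
# example's own knob so the functions can run against a scratch tree.
SYSFS_ROOT="${SYSFS_ROOT:-/sys}"

# Deny new devices on every root hub. A device plugged in afterwards still
# draws power from the port, but the kernel binds no driver and configures no
# interface until it is authorized. Prints the number of hubs updated.
usb_default_deny() {
    count=0
    for f in "$SYSFS_ROOT"/bus/usb/devices/usb*/authorized_default; do
        [ -f "$f" ] || continue
        printf '0\n' > "$f"
        count=$((count + 1))
    done
    echo "$count"
}

# Authorize one specific device (by its sysfs name, e.g. "1-1") after an
# administrator has inspected it. Returns non-zero if no such device exists.
usb_authorize() {
    f="$SYSFS_ROOT/bus/usb/devices/$1/authorized"
    [ -f "$f" ] || return 1
    printf '1\n' > "$f"
}

# Report the current policy of each root hub, one "<hub> deny|allow" per line.
usb_policy_report() {
    for f in "$SYSFS_ROOT"/bus/usb/devices/usb*/authorized_default; do
        [ -f "$f" ] || continue
        hub=$(basename "$(dirname "$f")")
        case "$(cat "$f")" in
            0) echo "$hub deny" ;;
            *) echo "$hub allow" ;;
        esac
    done
}

# Usage (as root): `sh usb-charge-only.sh apply` or `sh usb-charge-only.sh report`.
case "${1:-}" in
    apply)  usb_default_deny ;;
    report) usb_policy_report ;;
esac
```

With the policy in place, a phone plugged into a server port charges but is never configured as a data device; the kernel still reads its descriptors, so it shows up in `lsusb`, which also makes such plug-ins visible to monitoring. The same default can be set from boot with the `usbcore.authorized_default=0` kernel parameter, so the policy holds before userspace starts; the per-device `authorized` file is how you let a keyboard or a known console adapter through.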

Lastly, these devices make great gifts for the holidays. For the geek that has everything, they probably haven't thought of this!


  • PortaPow
  • Monoprice
  • Thanks to Scott Hazen Mueller for alerting me to the Komarov article!

Posted by Tom Limoncelli in Technical Tips


Thank you!

Link to Amazon on (3) "Use a USB cable with a 'data switch'" is broken.

One complication is that most modern Android phones use Qualcomm Quick Charge to support faster charging times, and the handshaking spec that allows the phone to charge at its maximum supported voltage and current uses the data pair for signaling. So you can use a data-only cable to charge the phone, but you'll get slower charging. I would still recommend it for any unknown USB charger (i.e., anything where you can't verify what the other end of the USB connector is plugged into).

Nowadays there are very low quality USB cables available in the market. Yesterday I was working on a paper-writing task and suddenly my USB port heated up, and the new one is very low quality.

Charging with charge-only USB cables is super slow; the data connections are needed to enable the proper amount of power throughput of the cable.

I would not recommend the charge-only cables that most people use, unless you like super slow charging.

Another side to this coin: yesterday I spent half a day trying to set up some new MP3 players, not realizing that the two micro-USB cables on my desk were charge-only.
Inattention to user-interface experience is a big problem for computer security these days. Having visually identical cables, one with, and one without, data connections is the real problem. The USB standard-setting group made a big mistake when they allowed identical markings for apparently standardized cables that function differently.
Yes, somewhere, some time, some system may be compromised because somebody used a data cable while just trying to charge some device. USB flash drives are a much more likely vector of infection, and they obviously can't be "charge only".
If you security mavens want to "protect" us users, you need to start paying a little more attention to human factors. Give clear and understandable rationales for denial of service, so we can figure out how to proceed to do our jobs. All too often, all we get is a blank refusal.
