FBI Advising People to Avoid Public Charging Stations

The FBI is warning people against using public phone-charging stations, worrying that the combination power-data port can be used to inject malware onto the devices:

Avoid using free charging stations in airports, hotels, or shopping centers. Bad actors have figured out ways to use public USB ports to introduce malware and monitoring software onto devices that access these ports. Carry your own charger and USB cord and use an electrical outlet instead.

How much of a risk is this, really? I am unconvinced, although I do carry a USB condom for charging stations I find suspicious.

News article.

Posted on April 12, 2023 at 7:11 AM • 27 Comments

Comments

warren April 12, 2023 8:17 AM

I don’t carry a USB Condom

I carry the whole charging chain – wall wart(s), cable(s), and device(s) to be charged

Rarely do “public” charging ports ever work in my experience (especially in busy places like airports) – they’re always loose, pushing too little current, not sending any power …

Zack April 12, 2023 9:56 AM

I assume the usb ports themselves are usually just wired to power, so I’m not sure what they would compromise to make this happen. But they could probably make card-skimmer like rigs that plug into the existing usb power ports exposing a new usb port that tries some set of attacks when a device is plugged in. I do wish they would show some photos of them the way that card skimmers are exposed so you would know what to look out for, and I’m not sure how they would do this where it would appear remotely flush to the wall.

Vesselin Bontchev April 12, 2023 10:11 AM

There is not even a single case of malicious USB chargers used in the wild. It’s only a theoretical threat, demonstrated at conferences.

Craig April 12, 2023 11:24 AM

The history of the tech industry is full of things like this, where it seems so useful to do something, but people don’t think about the possible dangers even enough to see the most obvious possibilities. Mixing power and data on one connector sounds really convenient, but if it means that the default is to expose your data connection even when you only need power, the potential for abuse is clear.

tim April 12, 2023 12:09 PM

I rolled my eyes when I saw this notice from the FBI. This is as useful advice as “don’t use public wifi”. In both cases it’s just better to say “keep your devices up to date”, have a nice scone, and call it a day.

Steve April 12, 2023 2:18 PM

@Vesselin Bontchev and there is a single instance of a USB device exploding when plugged in but rare events happen every single day

AreYouKidding? April 12, 2023 6:10 PM

I plug my phone or tablet into my computer. Getting it to work right is always a pain in the ass. But once done, in minutes I can download EVERYTHING. Email. Address book. Photos. Videos. Texts. All my contacts. EVERYTHING

Will this work without my cooperation at a charging station? Who knows. Do I feel lucky? Nope.

@tim: Public WiFi at the airport has been questionable. Anyone can offer a hotspot and man-in-the-middle. If it’s encrypted, https, supposedly you’re safe. My browser has a zillion certs corresponding to all sorts of out-of-the-way countries. If any one of them has been broken…

Of course all this assumes your phone hasn’t been broken to begin with, with malware or spyware pre-installed at the factory for your convenience.

Andrew April 12, 2023 6:56 PM

Fascinating theme of disinterest here. Makes me think it’s worthwhile.

With all the remote zero days on modern phones coming out on a monthly basis, I’d consider it prudent to not plug a phone with cell service into any computer or car under your own control, much less someone else’s (e.g. a public USB port). Ever look at how much circuitry is inside those USB-C to Aux adapters that all the mainstream high end phones force you to use, if you don’t like bluetooth?

Krebs wrote about this 9 years ago
‘https://krebsonsecurity.com/2014/06/gear-to-block-juice-jacking-on-your-mobile/

Clive Robinson April 12, 2023 7:09 PM

@ Bruce,

“How much of a risk is this, really?”

What is “your risk” in a “target rich environment”.

One trick to get around it that can work is that you don’t charge your device but a “battery bank” as an intermediate step.

@ ALL,

There is a new “variation” on this “attack” people should think about…

You might see “battery packs” for “rent” in hospitals and the like…

Well the lithium-ion “Battery Management System” (BMS) in such packs can be “replaced” by ones that have been “augmented” by a stealth “USB On-the-Go” system.

I’ve built and tested a functional prototype by just stripping down existing systems available for pocket change from “alibaba.com” and doing a software upgrade and soldering four wires…

Why did I build it?

Simple answer: people don’t believe a vulnerability exists until you have a “proof of concept” (POC) exploit to demonstrate directly to them.

So I built a POC for a consulting friend of mine to use as a “demonstration” to “certain types of people” in shall we say “GS” as a “product to be aware of”.

Hopefully they will take the hint and upgrade their security practices.

After all it’s well known that “Russian Crackers” are extremely adept at “reprogramming” USB devices like USB thumb drives so they can sell low value parts as high value parts… You can even find instructions on the Internet in a “How-To” form, and after reading them you will realise “It ain’t rocket science”.

Carlo Graziani April 12, 2023 11:49 PM

How much risk is it now, or how much risk is it likely to become?

And, given the ease of carrying a charger around in a backpack on travel, and the far larger availability of electrical outlets than of USB charging ports, how does plugging into an Airport USB port pass a security cost/benefit analysis, irrespective of the risk?

Moonwalker April 13, 2023 2:33 AM

What “THEY” SHOULD warn you about:

The Broad, Vague RESTRICT Act Is a Dangerous Substitute for Comprehensive Data Privacy Legislation

‘https://www.eff.org/deeplinks/2023/04/broad-vague-restrict-act-dangerous-substitute-comprehensive-data-privacy

Miksa April 13, 2023 3:21 AM

I’m sure these attacks are possible, but I’m dubious of the value proposition for the attacker. I certainly wouldn’t be leaving a $120 cable laying around where anyone can snatch it. Where all it may take is someone to notice the cables on the neighbouring stations look slightly different. What even is the average payout for random compromised cellphone? Of course cellphones really should be able to detect if a charging cable is asking for any kind of data access and prompt the user. I’m curious how much data Clive’s battery pack could access and what kind of phone models.

I could see this being done if you could get $1 adapters you can plug in the wallwart end of the cable out of sight, but I assume those are made inaccessible, otherwise all the cables would be long gone.

I feel that instead of worrying about this attack you should look left and right while crossing the street in front of the airport. Concentrate your mental capacity to the real threats in your life.

Clive Robinson April 13, 2023 8:52 AM

@ Miksa,

” I’m curious how much data Clive’s battery pack could access and what kind of phone models.”

It’s what ever standard USB protocols are supported.

Put overly simply, your phone’s USB port serves some or all of the following purposes,

1, Provides a power connector (which can work both ways).

2, Provides a terminal style interface for certain types of upgrade (Android has a public specification for this).

3, Provides a “thumb drive” memory card style interface to the file system.

4, Provides a Hayes AT Command modem interface to the phone interface.

5, Provides a USB “On-the-Go”(OTG) interface to allow you to download from cameras and other devices.

6, Provides a “factory” interface at a low level to the phone hardware.

To see what is involved with these capabilities in USB3 and earlier, without bankrupting yourself joining the USB corp (www.usb.org), have a look for Jan Axelson’s 2015 book,

“USB Complete : The Developer’s Guide (5th edition)”

ISBN : 978-1-931448-28-4

And its companion web pages at http://janaxelson.com/usb.htm

Also have a look at Microchip’s USB for PIC18 and other microcontrollers, that give sample code in both C and BASIC and very inexpensive / cost effective chips and development systems.

And above all “have fun” developing your own USB experimental gear (see chapt 4 “Enumeration” of the book for how to not need a very expensive USB Vendor-ID).
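The list of USB “purposes” above (mass storage, modem/AT port, PTP/MTP, vendor interfaces such as debug bridges) is exactly what a host on the other side of a cable learns during enumeration: the device hands over a configuration descriptor that declares each interface’s class, subclass and protocol. The script below is an added example for this thread, not code from the post or from any commenter; it walks a configuration descriptor by the length-prefixed descriptor layout from the USB 2.0 specification and labels the data interfaces it finds. The sample descriptors are constructed inline, and the (class, subclass, protocol) triples used for MTP and ADB are assumptions based on common Android firmware rather than a statement about any particular phone. A charge-only cable or a “USB condom” never presents a descriptor at all, which is the whole point of such devices.

```python
"""Walk a USB configuration descriptor and report which data-capable
interfaces the device on the other end of a "charging" cable advertises.
Added example, not code from the page. Descriptor layouts follow the USB 2.0
spec; the sample descriptors are constructed here; the MTP and ADB triples are
assumptions based on typical Android firmware, not a guarantee for any phone.
"""
import struct
from dataclasses import dataclass

DT_CONFIGURATION = 0x02
DT_INTERFACE = 0x04
DT_ENDPOINT = 0x05

# bInterfaceClass values from the USB-IF class code list.
CLASS_CDC = 0x02           # communications class: e.g. an AT-command modem port
CLASS_IMAGE = 0x06         # still imaging (PTP), used for photo transfer
CLASS_MASS_STORAGE = 0x08  # block device / "thumb drive" access to storage
CLASS_CDC_DATA = 0x0A      # data channel paired with a CDC control interface
CLASS_VENDOR = 0xFF        # vendor-specific: MTP, ADB and friends live here

# (class, subclass, protocol) -> human label; None is a wildcard.
# The two vendor triples are ASSUMED Android values, not from the page.
KNOWN = {
    (CLASS_MASS_STORAGE, None, None): "mass storage (file system)",
    (CLASS_IMAGE, 0x01, 0x01): "PTP image transfer",
    (CLASS_CDC, 0x02, None): "CDC ACM serial/modem (AT commands)",
    (CLASS_CDC_DATA, None, None): "CDC data channel",
    (CLASS_VENDOR, 0xFF, 0x00): "MTP (assumed Android triple)",
    (CLASS_VENDOR, 0x42, 0x01): "ADB debug bridge (assumed Android triple)",
}


@dataclass(frozen=True)
class Interface:
    number: int
    cls: int
    subclass: int
    protocol: int


def parse_interfaces(buf: bytes) -> list[Interface]:
    """Parse a full configuration descriptor (config + interface + endpoint
    descriptors concatenated, as returned by GET_DESCRIPTOR) and return the
    interface descriptors found. Every descriptor is length-prefixed, so
    unknown types are skipped by bLength instead of being guessed at."""
    if len(buf) < 9 or buf[1] != DT_CONFIGURATION:
        raise ValueError("not a configuration descriptor")
    total_len = struct.unpack_from("<H", buf, 2)[0]   # wTotalLength, little-endian
    if total_len > len(buf):
        raise ValueError("wTotalLength exceeds buffer")
    found, off = [], 0
    while off + 2 <= total_len:
        blen, dtype = buf[off], buf[off + 1]
        if blen < 2 or off + blen > total_len:
            raise ValueError(f"bad bLength {blen} at offset {off}")
        if dtype == DT_INTERFACE and blen >= 9:
            # bInterfaceNumber, bAlternateSetting, bNumEndpoints, bInterfaceClass,
            # bInterfaceSubClass, bInterfaceProtocol, iInterface
            num, _alt, _neps, cls, sub, proto, _idx = struct.unpack_from(
                "<BBBBBBB", buf, off + 2)
            found.append(Interface(num, cls, sub, proto))
        off += blen
    return found


def label(iface: Interface) -> str:
    """Map an interface triple to one of the purposes a host could exploit."""
    for (c, s, p), name in KNOWN.items():
        if c == iface.cls and s in (None, iface.subclass) and p in (None, iface.protocol):
            return name
    return f"other data interface (class 0x{iface.cls:02x})"


def exposed_purposes(buf: bytes) -> list[str]:
    return [label(i) for i in parse_interfaces(buf)]


# --- constructed sample descriptors (not captured from a real device) ---
def _iface(num: int, cls: int, sub: int, proto: int) -> bytes:
    return struct.pack("<BBBBBBBBB", 9, DT_INTERFACE, num, 0, 2, cls, sub, proto, 0)


def _endpoint(addr: int) -> bytes:
    return struct.pack("<BBBBHB", 7, DT_ENDPOINT, addr, 0x02, 512, 0)  # bulk, 512 bytes


def _config(*ifaces: bytes) -> bytes:
    body = b"".join(i + _endpoint(0x81) + _endpoint(0x01) for i in ifaces)
    head = struct.pack("<BBHBBBBB", 9, DT_CONFIGURATION, 9 + len(body),
                       len(ifaces), 1, 0, 0x80, 250)
    return head + body


PHONE_MTP_ADB = _config(_iface(0, CLASS_VENDOR, 0xFF, 0x00),
                        _iface(1, CLASS_VENDOR, 0x42, 0x01))
PHONE_STORAGE = _config(_iface(0, CLASS_MASS_STORAGE, 0x06, 0x50))

if __name__ == "__main__":
    for name, buf in (("mtp+adb", PHONE_MTP_ADB), ("storage", PHONE_STORAGE)):
        print(name, exposed_purposes(buf))
```

The walk is deliberately strict about `bLength` and `wTotalLength`: a hostile host or device can send malformed descriptors, and descriptor parsers in real USB stacks have had exactly this kind of length-confusion bug. On a Linux host the same information is what the kernel exposes under `/sys/bus/usb/devices/*/bInterfaceClass`, so the same classification can be applied to whatever a port actually enumerates.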

Not a name, either April 13, 2023 11:27 AM

Elementary tradeoff: convenience versus risk.

I see it as a minor convenience, and a major risk. Add in likelihood of the risk eventuating, and you can compute your own tolerances.

In my case, no way. It’s a silly convenience at best (what, it’s too hard to carry a power plug instead of just a USB cable?), so my own take is don’t be lazy and do the right thing, even if the odds are that it is safe on any given instance (remember, you are also fighting the birthday paradox with each repetition.)

modem phonemes April 13, 2023 2:08 PM

@ Clive Robinson

What about a nice portable device that can test “what is behind the wall” so as to identify unsafe sockets ?

Then besides device safety, everyone could also gather ad hoc statistics on how bad the threat is. And maybe put little stickers on the wall nearby 😉

Sydney Australia April 14, 2023 5:09 AM

In some ways it becomes an exercise in critical thinking and thought experiments, as we’ve seen demonstrated in the discussion here. As opposed to a legitimate threat.

If the phone is encrypted. And it’s powered off because it will charge more quickly – and because one has to sit with the phone while it charges, which takes forever.
Then it won’t be possible to extract any data. Problem solved

Oh and the other thing to consider. Don’t store data of value on the phone. We know how utterly leaky smart phones are. So sure, use the internet for convenience. Mitigate the risks as much as possible. But don’t store data of any value on it – being, anything PII related.
Anything that can be exfiltrated should be nothing that can cause a loss or harm to you.

And if you’re like me, you use internet but won’t use the phone for anything activity requiring sensitive input, like banking or email, or indeed anything PII related

Clive Robinson April 14, 2023 6:57 AM

@ Sydney Australia, ALL,

“If the phone is encrypted. And it’s powered off …
Then it won’t be possible to extract any data. Problem solved”

Sadly no.

Firstly most modern mobile phones are “never truly off” even when the battery is allegedly discharged. As they are a little like Intel’s “Management Engine” in this respect. That is there is a hidden hypervisor doing all sorts of “background” things (this came to the fore with C19 and bluetooth beaconing, though the ME equivalent had been there before that).

Secondly, most mobile phones “do not clear memory” on being “turned off” thus even if encrypted the “root of trust” or “encryption key” is likely still in memory and may be available (in part this came to light in the FBI and DoJ v. Apple in depth technical discussions).

Thirdly, and probably most importantly is the “Chosen ‘Take away’ effect”. Humans are notorious for only hearing what they want to hear and disregarding the rest. Worse they then cherry pick it for what is convenient… You are saying “actions A and B” must be done, but most will only do “action A or B exclusively” and assume they are “safe” because you said “Problem Solved”.

Security Sam April 14, 2023 10:43 AM

Avoid public charging stations in your daily trail
The FBI now warns the public behind a thin veil
No matter what prevention or protection prevail
The best you can do is akin to a dog chasing its tail.

Sydney Australia April 15, 2023 9:06 PM

Clive

Thanks for your comments. I hope your health is okay.
So, I was commenting on avoiding being low hanging fruit. Your response
was about, as it always is with you – a state of perfection. You perceive the need for absolute, total, perfect, military level security as a minimum, even with consumer grade electronics, and anything else is an epic fail.
This is educational for us on this forum. But makes security incredibly and frustratingly inaccessible for the majority. No wonder they give up and decide there is nothing one can do.

However again I note this discussion is beneficial as an exercise in critical thinking. I was going for a walk yesterday in urban Sydney and musing upon your response. It occurred to me the only actors capable of carrying out this threat in an airport are nation-state. It shifts from hollywood to entirely within the bounds of possibility.

And, what a useful exercise right? Entirely plausible. Why wouldn’t the NSA target a whole stack of major airports across the world? Restrict employee access between 3am and 4:30am. A quick swap of the USB cables. Maybe even include some that can send malware back. Bulk collection of phone contents as a fishing exercise. Why not?
Installing an additional device to store and transmit the collected data would be trivial. They would have such plug and play purpose built devices for field agents already in use

So why the FBI news? Well the only thing the FBI hates more than the citizens it is tasked to ‘protect’ are its governmental colleagues in the CIA and NSA. FBI got wind of this mission and decided to ambush it by warning everyone

&ers April 15, 2023 9:55 PM

@Sydney Australia

Critical thinking exercise – why bother using USB when you can do all
this (and a lot more) over the OTA?

hxxps://www.theverge.com/2015/2/24/8101585/the-nsas-sim-heist-could-have-given-it-the-power-to-plant-spyware-on

JonKnowsNothing April 15, 2023 11:31 PM

@modem phonemes, @Clive, All

re: little stickers on the wall …

Little stickers on the wall are like Tiny Bubbles in the Wine… they are only true (if at all true) at the moment the sticker is placed. Even if a test shows it’s a clean connection, there are tests that lie, see VW Dieselgate for faked test results.

While putting markers on the street was common in early internet days, when laptop carrying folks marched around corporate office buildings looking for an unsecured on ramp, it’s not going to solve much, except make the sticky marker company extra money.

Some time ago, a long time now, an NSA document called the ANT Catalog (1) was released into the wild. It was an NSA product listing of devices, any member of the NSA+Chums Club could order to do … what NSA+Chums do…. Most of it without legal authorization, much less a warrant.

The ANT catalog was really a hardware dream of micro miniature devices, that most folks wouldn’t notice, all with appropriate software to conceal their attachment to someone’s system. The extensive array of cables, with sealed plastic connectors, which gave the impression the cables were not tampered with, actually concealed tiny devices of all sorts.

This is some of the stuff that’s bubbled up the Public Access Ports now. However, it’s been well known since Snowden.

There are No Masks and No Vax for the Internet.

===

Search Terms

Volkswagen emissions scandal
Dieselgate

1) This may still be on the internet or in an archive however, be mindful that it’s likely a trapped document, on a tracked site. Looking might get you a 4ES on your next boarding pass.

Clive Robinson April 16, 2023 7:29 AM

@ JonKnowsNothing, &ers, Sydney Australia, ALL,

Re : They don’t learn.

So to address your quite valid points in reverse order, starting with @JonKnowsNothing’s,

“There are No Masks and No Vax for the Internet.”

True…

But there are what are called “rubber prophylactics” and or “Personal Protective Equipment”(PPE) to stop infection from pathogens. And the idea does cross over…

Hence the expression “USB Condom” as a “cross over” term.

But… there is also the oh so effective measure of “quarantine” that in the EmSec world gets flipped and is called “segregation”.

Which I’ve discussed several times in the past on this blog with the idea of “Energy Gapping” as well as explaining in near layman terms how to go about doing it.

So “All is not lost” in this respect, if people constrain their urges just a little and behave in a more circumspect way… So I’m not an absolutist saying “just say NO”, but I am saying “No glove no love” or to misuse a once popular expression “you will get clapped up” 😉

So on to @&ers point,

“why bother using USB when you can do all this (and a lot more) over the OTA?”

As far as I’m aware I’ve been publicly banging on about OTA’s multitude of issues longer than just about anyone else going back into the last century… Finally near a third of a century later the various parts of the “Mobile Phone Industry” are “taking it on board”…

But less clear to the general public was that what was billed as an OTA attack was something else. The OTA was “access to Flash ROM” something else that I and @Nick P went over at some length quite some time prior to the Ed Snowden revelations and subsequent release of the ANT catalogue (which having designed surveillance devices for now half a century I knew and said at the time was not close to what was commercially available).

@Nick P thought that hardware before 2005 was OK; I, from knowledge, said 1995 (ie 486 era kit). History shows so far 1999 and all Pentium kit was bad news for “hardware insecurities”.

But I also knew that what became known as “Evil Maid Boot attacks” actually were possible since the inception of the Apple ][ back in the 1970’s which was the first successful “Personal Computer” before IBM misappropriated much of it in their “Skunk Works” project. Which is why I could easily explain things like “persistent unremovable malware” in Lenovo consumer laptops and the potential mechanism that gave rise to BadBIOS.

The real problem is Flash ROM that now lurks in almost every chip you are going to find in devices. The secondary issue and what makes it virtually impossible to solve as long as Flash is in use is the myriad of access routes.

Something I developed a POC “air gap crossing” attack for, whilst considering the vulnerability of voting machines and talked about the mechanism here some time prior to Stuxnet being developed (then poorly deployed, thus becoming public).

So after what feels like longer than a decade and a half I’ve been looking for solutions… So far it looks like the equivalent of “hard endless quarantine” is the only solution with “consumer and commercial” equipment.

And for those thinking “data diodes” I’ve demonstrated how they are a “fail” due to the “error handling” being a “reverse communications channel”. That coupled with the near “transparency” of “consumer and commercial” equipment due to the issues of “Efficiency -v- Security” makes access to Flash ROM almost guaranteed for a patient and knowledgeable attacker.

Thus you need not just in use “hard segregation” you need to kill off any “Evil Maid” or equivalent beyond “End of Life” by hard physical measures such as guards with guns and secure disposal. Which Governments do routinely deploy for security.

So onto @Sydney Australia’s points,

“FBI got wind of this mission and decided to ambush it by warning everyone”

Whilst US Agency “turf wars” are legendary, they are not always the cause of what looks like “odd” disclosure. Consider your,

“It occurred to me the only actors capable of carrying out this threat in an airport are nation-state.”

Is not quite true. Any “employee or contractor” who works at an airport and has “air side clearance” can “change face plates” on electrical and similar outlets in departure lounges, especially those pretend VIP lounges frequented by frequent flyer business travelers. Who would have one heck of a lot of information someone doing “industrial espionage” would as the saying has it “kill for” and if not on the travelers computer, the computer could just as easily be used to “get inside the perimeter” of their employers systems thus give both air and energy “gap crossing” in both directions. Something else I did a POC for pre Stuxnet, as a follow on from my “Hack voting machines” whilst I mentioned it, I did not detail the mechanism. However I did detail how to do an “anonymous headless” botnet “command channel” that could not be taken down by the FBI or Microsoft methods, due to a variation on the “too big to fail” notion that came to the fore during the Financial crisis.

But as with the real-estate industry you have to think about “location, location, location” of the airport.

Consider “China” that has a loudly proclaimed by US Agencies alleged history of,

1, “Advanced Persistent Threat” (APT) attacks by any route possible.
2, “Industrial Espionage” by any means possible.
3, Policies to attract business people into coming to China.

It’s also known from the CIA failure that got a lot of “agents” in China and Iran “disappeared” or “terminated” that China can be very much “ahead of the game”. So “methods and sources” for China are now very much better protected.

Thus it could be reasoned there is a very real threat that has “become known” about Chinese airports and hotels etc hence the odd way the warning was given.

So onwards and upwards,

“You perceive the need for absolute, total, perfect, military level security as a minimum, even with consumer grade electronics, and anything else is an epic fail.

Whilst the current state of affairs makes the “epic fail” true the “absolute…” part is not, though I can understand why it would appear that way.

Note from my above I’ve long in advance predicted on this blog the attacks that have happened.

Because in my perhaps rare “thinking hinky” perspective “they are easy to do” and also “others have good reason in their view to carry them out”.

Back when Stuxnet “hit the news” I was a lone voice saying “The real target was North Korea” and I got some unkind words from some here even though I gave very clear reasoning as to why I had concluded that due to things that had occurred via Pakistan’s “Father of the bomb” AQ Khan. It was belatedly admitted by the US Government, effectively for the reasons I had pointed out. Later evidence from AV company “Suspected malware” repositories confirmed this, and likewise revealed much else US agencies had failed at but did not want the public becoming aware of hence the repeated attacks on Kaspersky who were not as easily amenable to the “suasion” US and other Five-Eye AV vendors are (think back to not just lavabit if you want proof it goes on ‘https://theconversation.com/after-lavabit-a-brief-history-of-securing-email-and-failing-at-it-16945 ).

However the “epic fail” I believe is just a temporary “current state of affairs”. There is clear evidence that the ICT industries are moving albeit glacially slowly towards more security.

Which is why to speed things up in the past I’ve provided quite detailed ways to either eliminate current risks and reduce future risks. All of which are doable by most people if a little inconvenient.

And that is the real crux of the problem “convenience” and “target meeting” moronic employers set which positively encourages insecure behaviour by staff and the near total negation and undermining and demoralising of the staff tasked with trying to stop the organisation being,

“The lowest of the low, low hanging fruit”

A point I know has frustrated our host @Bruce and quite a few others.

“This is educational for us on this forum. But makes security incredibly and frustratingly inaccessible for the majority. No wonder they give up and decide there is nothing one can do.”

It’s actually worse than that, I take a very broad view on “security” especially when it comes to arising technology. You might remember I’ve repeatedly talked about not just “Software Defined Radio” (SDR) but radio in a wider perspective. Some have complained quite vocally about this not being suitable for this “security venue” and have said they were going to take their toys home or equivalent.

Yet just a day or so back @Bruce posts about a significant security issue from the past with,

https://www.schneier.com/blog/archives/2023/04/gaining-an-advantage-in-roulette.html

That actually involved many of the things I’ve talked about in the past such as mechanical wear and slop, but also the use of radio at the levels I’ve previously talked about which is why I could talk knowledgeably on it.

My aim has always been to.

1, Help others get ahead.
2, Educate people at all levels from K12 through and beyond PhD.
3, Widen peoples scope of view.
4, Predict where future problems are likely to happen and why.

Part of that is “challenging people to think”. That way things will not actually be “there is nothing one can do” except where the laws of nature/physics have the casting vote 😉

Hopefully I will be able to carry on doing so for many years yet to come.
