Too simple? USB power charging

30 July 2013
micro usb cable attached to a Kindle

I was at a client meeting recently when a senior manager, tapping onto his large and evidently power-hungry smartphone, suddenly let out a mild curse. "My phone's about to die and I forgot to bring the charger."

"No problem", said I, "I always carry a micro USB cable so I can charge my phone straight from my laptop. Just plug it in here."

"You mean it'll fit my phone as well?"

"Absolutely. Most new phones and devices these days use standard micro USB for power."

By the end of the meeting the phone was charged up and his delight was genuine.

A double win for simplicity. Not only do we now have a standard power interface across devices, but that standard is one that is already ubiquitous. Simplicity through double duty.

Double trouble

However, listening to a fascinating discussion between Richard Campbell and expert penetration tester Paula Januszkiewicz the other day, I was as struck as they were by the realisation that this is actually a bit mad from a security point of view.

Think about it. That manager allowed his phone to be connected to my computer via a cable carrying not only power (which he wanted), but also data.

Or put the shoe on the other foot: I allowed my laptop to be connected to his device.

We both did it without thinking about the potential for data transfer, which could quite easily consist of malware: key loggers, root kits or general viruses waiting to leap from either device.

Of course any PC or device should be running some form of real-time protection against attached "alien" hardware, but the point is that psychologically we are less cautious than we would be faced with a request to insert an unfamiliar USB stick. In our haste to get our device charged, we focus on the power aspect and ignore the data capability. It therefore becomes a potentially more effective attack vector for hackers.

Next time you charge your phone or tablet, think carefully about what's at the other end of the cable.

Comments

  • Formatting comments: See this list of formatting tags you can use in your comments.
  • Want to paste code? Enclose within <pre><code> tags for syntax higlighting and better formatting and if possible use script. If your code includes "self-closing" tags, such as <cfargument>, you must add an explicit closing tag, otherwise it is likely to be mangled by the Disqus parser.
Back to the top