Security

FBI Warns Against Using Public Phone Charging Stations (cnbc.com) 80

The FBI recently warned consumers against using free public charging stations, saying crooks have managed to hijack public chargers that can infect devices with malware, or software that can give hackers access to your phone, tablet or computer. From a report: "Avoid using free charging stations in airports, hotels or shopping centers," a tweet from the FBI's Denver field office said. "Bad actors have figured out ways to use public USB ports to introduce malware and monitoring software onto devices. Carry your own charger and USB cord and use an electrical outlet instead." The FBI offers similar guidance on its website to avoid public chargers.
This discussion has been archived. No new comments can be posted.

  • Well... (Score:4, Informative)

    by Locke2005 ( 849178 ) on Monday April 10, 2023 @12:44PM (#63438560)
    Duh!!!
    • Re:Well... (Score:5, Informative)

      by The-Ixian ( 168184 ) on Monday April 10, 2023 @12:53PM (#63438592)

      I think that the answer could also be to always travel with a USB condom [howtogeek.com]

      • Re:Well... (Score:4, Insightful)

        by timeOday ( 582209 ) on Monday April 10, 2023 @01:47PM (#63438762)
        That is smart. I was thinking Android should ask, "allow data connection?" when you plug in. But a simple hardware solution like a charge-only cord makes a lot of sense. Maybe not as simple as it seems since USB has a complex algorithm for negotiating charge rate.
        • Re:Well... (Score:4, Informative)

          by Scoth ( 879800 ) on Monday April 10, 2023 @01:55PM (#63438782)

          It does in any remotely reasonably recent version of Android (although I think some carrier customizations may allow you to set a default, and Developer Options can as well. I've used Pixel and Cyanogenmod/LineageOS so long I forget) but the risk is that there are various exploits and bugs that have allowed things to get in. Both Android and iPhone have had those issues over the years.

          USB Condom works by physically disconnecting the data lines from the phone. Most of them just short the data lines which sets USB to charge at a standard 500mA which means it's pretty slow but if you just need that couple percent to make a call or text or get an Uber while out and about it can be enough. I suppose a fancier version could actually sit in the middle and do its own USB-C PD on both sides while avoiding letting anything get to the phone, but by the time you're doing that you might as well just bring along your own AC adapter.

          • by DarkOx ( 621550 ) on Monday April 10, 2023 @02:04PM (#63438826) Journal

            Right - they just cut the data lines usually which results in slow charging. So it's not much of an option if you are looking to go from 10% to 80% of your battery capacity before you hop a flight.

            However in that instance there is usually A/C power just as handy as USB jacks and it's not a big deal to carry a little adapter you 'trust' in your bag.

            I always keep a cable with a USB data blocker on the end of it in my messenger bag when on the road, because where it is super useful is rental cars and motel rooms - two places you will find these days with less than trustworthy USB jacks, but also where you will usually be there for a while and slow charging is fine.

            • by AmiMoJo ( 196126 )

              You can just short the data lines together on the phone side. Shorted data lines indicate a simple USB charger profile that can supply up to 1.5A. Not super fast, but not super slow either.

              In practice most chargers that can supply over 1.5A will supply that current regardless of any handshake with the phone, so that method often gets you 2-3A.

          • Re: (Score:2, Interesting)

            by Anonymous Coward

            If using USB-C you can use a PD-aware "condom" that will negotiate a better charge rate. Just make sure you use one that physically disables writing to its firmware memory or settings.

            Personally I don't use public chargers because even without exploits you don't know the condition of the thing. You could end up plugging in to a USB killer.

            • Seems to me that the correct (if a tad expensive and inconvenient) solution is to travel with your own phone-recharging battery (something like this: https://www.amazon.com/Anker-P... [amazon.com]). Only use the recharging station to recharge the battery. Then use the battery to refresh your phone. Your phone never plugs into a source you don't trust, and the recharging station can't hack your battery. And if the recharging station is a USB killer, you're only out the battery, which costs a lot less than the phone.

              • If someone had asked me before the Sony Playstation Portable if there was a software hack vector via batteries, I would have said, "No, batteries don't contain software to hack".

                I am not going to outright claim that hacking the firmware within a USB power bank is likely (it'd be make and model specific for each exploit if it was at all possible) but I would no longer outright claim "no, it's not possible".

                The Sony PSP battery is probably more an outlier as from memory the Pandora battery hack was following a proc

              • by AmiMoJo ( 196126 )

                Anker stuff is good, but just wait for the comments about trusting a Chinese brand. It must surely be a CCP malware delivery device.

          • Can anyone point to a zero-day exploit that circumvented the default disabled data connection? (and isn't patched?) Neither of the linked articles do. My Android devices don't even prompt, you have to take initiative and go through multiple steps (pull-down, select, select) to turn on the data connection. Are there apps that circumvent this behavior? I don't use an Apple device so that may be more vulnerable than Android, but it would be nice to have some actual information instead of vague scary langua
            • Nobody's going to waste a zero-day on this kind of attack. They will use exploits that are years old and already well-known. It's only a risk for older or otherwise unpatched devices, which are actually very common in real life.
            • by AmiMoJo ( 196126 )

              Certainly for iPhones there are Israeli companies that claim they can unlock any iPhone with just a USB connection.

          • A fancier way is to get a USB battery, small and cheap. You can get them that are the size of a lipstick case.
            The battery goes to the unknown charger and you charge your device from the battery.
            Side effect is you have a charged battery that can be used in places without chargers.
          • USB Condom works by physically disconnecting the data lines from the phone. Most of them just short the data lines which sets USB to charge at a standard 500mA which means it's pretty slow but if you just need that couple percent to make a call or text or get an Uber while out and about it can be enough. I suppose a fancier version could actually sit in the middle and do its own USB-C PD on both sides while avoiding letting anything get to the phone, but by the time you're doing that you might as well just bring along your own AC adapter.

            You can usually get 1.5A out of a USB port, using just a couple of passive resistors: https://hackaday.com/2023/01/0... [hackaday.com]

            As the linked article says, there are of course exceptions to be found.... but if you're worried about filling your battery before you get on a flight, this should get you 3x the charge rate without exposing your device to nasty USB hacks.

        • I was thinking Android should ask, "allow data connection?"

          Your flavour of Android doesn't do this already?

          I've been using Samsung Galaxy smartphones for nearly a decade and they've all done this.

          • I haven't noticed it asking but probably because a USB charger doesn't ask to initiate a data connection?
            • Yes, good point. It only asks if the USB connection is trying to initiate data. If I just plug it into a charger, it doesn't ask.
      • Either that or a wireless charging pad, or as mentioned elsewhere, a powerbank, or (as I do nowadays) both. The reason I travel with my wireless charging pad and a powerbank is that I can connect the three and keep them in my coat pocket or bag without risking the USB-C port on my phone. Btw my charging pad is magnetic, and I stuck an iron ring behind the phone cover on the back.
      • I was thinking one could carry a special cable with USB power lines only... but if you're going to do that, why not just carry your own charger?
    • Basically had the same response in my head, this is like bullet point #4 on pretty much all corporate "cybersecurity awareness" bullshit training for years now.

    • by fermion ( 181285 )
      How far does this go? My car?
    • There isn't a single instance of this occurring anywhere. Neither the FBI nor the FCC has proof that it has occurred. None and there isn't an instance anywhere showing any of these public stations being hijacked.
  • by NMBob ( 772954 ) on Monday April 10, 2023 @12:49PM (#63438576) Homepage
    Why have we slipped so far into the absurd to require a simple + and - voltage connection be allowed to carry any information? Engineering Gone Wild.
    • USB = Universal Serial Bus, and I can't imagine this is what the EU were thinking of when they mandated charging via USB.

      • What the EU did was to let the industry decide on what the standard should be and they (beside a single vendor) chose it to be USB C so that was what it became.
    • No it is a stupid software problem, remember autorun.inf?

      Even if you tell your phone to only use the usb for charging, who always remembers to do that before plugging in? Or worse it auto-discovers things BEFORE you tell it to only use the 'new usb possibly hostile device' for charging only.

      I guess use a USB cable with power only. Do cables without data wires actually exist?
      • by Zak3056 ( 69287 ) on Monday April 10, 2023 @02:34PM (#63438894) Journal

        Do cables without data wires actually exist?

        I had a "fun" conversation with a user a few years ago when they were trying to tether their phone and all their phone would do was charge. I told him the cable was the problem (it was a two wire cable) and the angry user insisted that wasn't possibly the case, as he "always used this exact cable." Handed him a cable that actually had data lines and worked fine, but the response was "that's not ok, I want to use my regular cable." Even showing him that the fucking pins were physically not present in his cable wasn't enough.

        So... yeah, they do exist, but god help you if you issue them to morons.

      • by UpnAtom ( 551727 )

        My phone running Sailfish, asks and defaults to charging only.

    • by UnknowingFool ( 672806 ) on Monday April 10, 2023 @01:22PM (#63438690)
      Ummmmm? USB was made initially to carry information. It can charge devices and consumers are demanding more and more power draw as USB C/Thunderbolt is looking to be the de facto power/connection standard for laptops. This is not "Engineering Gone Wild" as much as "Current Trends in Electronics" as there are not rogue engineers flashing their naughty power connections to the general public.
    • by suutar ( 1860506 )

      I was wondering whether someone had made a USB widget, F-M, that explicitly only negotiates power and won't pass data.

      • by suutar ( 1860506 )

        and of course I find a link to one 3 posts down :)

        • and of course I find a link to one 3 posts down :)

          I'm not sure you did. All of the examples I've seen linked here specifically don't connect the data pins. They result in slow charging speeds precisely because no "negotiation" is taking place.

          But yeah I'd totally be up for a product that sort of negotiates USB-PD bi-directionally but blocks everything else.

      • From what I can tell pins 1 and 4 on a USB Type A connector would be the power pins (the two outer edge pins) and the center pins are the data pins. To create a power only connector, simply exclude the center pins. As a matter of caution, charging stations should only include the power pins but most all bets are off if they have been modified.
        • by ukoda ( 537183 )
          Those center data pins traditionally signaled charging current available in dumb chargers by shorting them together or setting voltages using resistors. Take out those pins and some devices will only charge at the default 500mA.

          Regardless they make such cables without the data lines but most are not clearly identified so end up in the rubbish bin when they pissed off the owner by failing to transfer data when needed.
    • Why have we slipped so far into the absurd to require a simple + and - voltage connection be allowed to carry any information?

      Because not everyone wants to carry around a device specific adapter to plug into an electrical system which was created in 1882. Data negotiation for power is in fact very sane and common in many different power systems.

      Also no information is carried on simple +/- connections. You can disconnect the data lines on USB and still get your simple +/- voltage for your simple application.

      I personally expect something smarter from a modern power system.

    • Why have we slipped so far into the absurd to require a simple + and - voltage connection be allowed to carry any information? Engineering Gone Wild.

      The data connection isn't required to charge a device - but it IS required to allow a device to be charged at its maximum safe charging rate.

      USB-C is multi-purpose and highly flexible. That flexibility necessitates voltages in excess of 20 volts, and maximum currents of several amperes. The only way a charger can know what's suitable for the device it's powering is to 'ask' the device. I suppose you could use analog means, such as resistor values, but that would require additional conductors and severely re

    • by AmiMoJo ( 196126 )

      Because that's the only way to get universal charging.

      The device needs to talk to the charger to find out what its capabilities are, and if available request higher voltages. Higher voltages are needed to keep the current down to a reasonable level, otherwise the charging cables get very thick and stiff.

      Some devices try to avoid doing that by slowly ramping up current draw at the default 5V. When the voltage starts to sag they assume they are at the maximum available current. It's not a very good system tho

  • https://www.amazon.com/PortaPo... [amazon.com]

    Seems like an easy solution...

    • I guess at some point if you're carrying something extra it may as well be the tiny charging brick for your device. This is especially a big non-issue at airports and hotels, a place where people often go with a fully loaded bag expecting to be somewhere where they aren't able to charge their phone publicly, i.e. everyone going to an airport or hotel normally has a charging brick with them anyway.

      Your little cable is a good solution for a shopping mall though, but then I don't know anyone who has used a cha

  • Charging cables do not have to have the data lines, and I'd like to see the hack through the power lines!
  • by YuppieScum ( 1096 ) on Monday April 10, 2023 @12:53PM (#63438590) Journal

    to carry a "charging-only" cable when travelling - one that doesn't have the data pins connected.

    Your device will charge slower than you might be used to, as it won't be able to negotiate with the charger, but it will charge safely.

    • to carry a "charging-only" cable when travelling - one that doesn't have the data pins connected.

      An option I like is to have a few data-only USB adaptors, that way you can just bring long cables or whatever you like... just have to remember to actually use them. And where you put them come to think of it... hmm.

  • Simple mantra.

  • by dmay34 ( 6770232 ) on Monday April 10, 2023 @12:58PM (#63438608)

    Last year I saw a "Cell Phone Charging Station" booth at an airport that was sponsored by the NSA. It was really a public service announcement ad about data security, but I thought it was really really funny.

  • Wireless charging (Score:4, Informative)

    by crow ( 16139 ) on Monday April 10, 2023 @01:05PM (#63438632) Homepage Journal

    This is a case where wireless charging wins. There's no data path with wireless charging. But not all phones support it, so it's not a complete solution.

    In a pinch, you could bring a wireless charging pad that plugs into USB-C. The pad would negotiate power, so it could do better than a power-only cable.

  • slot machines have the power only ones!
    as they don't want to have an open usb into the slot CPU

  • I've seen more places with wireless charging pads. Those should be fine.

  • "Goddam crooks stole our grift", said FBI Interim Director Stone Rockhard after half a dozen king cans of Canadian beer and a few shots of tequila.

  • I have some bright red interceptor thingies that allow only the power lines through to the device, short-circuiting the data lines. Using one of these should make you safe from these simple hacks.
  • I feel like I have heard about this for as long as public chargers have been a thing. Back when I designed a charging station system that was installed in airports one of the considerations was putting in a charger that specifically didn't trigger any data notifications on phones so as to avoid the perception of this issue and this was like over 8 years ago.

    Most charging stations in public spaces really are pretty dumb simply to save money on the systems so installing some type of data line into them is go

  • This kind of thing works because for most people no battery means 'any port in a storm'.

  • ...forced mixing of data and power? That was a pretty obvious risk even a decade ago.

    As an option, fine, but there should be an easy way to have a clean separation. One approach is a "Y" end to the cord with a power plug and a data plug. If you need only one or the other, then only plug that in

    Another approach is a hardware switch on the phone for "power only".

    • by Ksevio ( 865461 )

      It makes perfect sense for USB to provide power to devices plugged in (as did serial cables and pretty much all data cables).

      So you need to add a port on your phone for data, also makes sense to use USB as that's the most common, then why not allow charging at the same time as data transfer since power is already available.

      So now you have to decide on a power connection. There's already a USB port on the phone, everyone has USB cables and chargers, so an extra one would be unwanted.

      Sure you could make some

      • by Tablizer ( 95088 )

        > You can add a software switch, which is what phone makers have done

        Which can be hacked around, which is why I recommended a hardware switch.

  • It's inevitable, especially since something close to half the population of the US have no choice but to use public charging stations, and the chargers have to be talking to the car computers to avoid overcharging, fires, explosions, etc.

    And we've seen many, many stories about how insecure the software on automobiles is.

    • by ukoda ( 537183 )
      Take a look at the spec for CCS charging, https://en.wikipedia.org/wiki/... [wikipedia.org]. At its basic level it is not a data interface, it is a control system using different voltages and pulse formats to signal charging state and current.

      There is a higher level communications available but it is feature set limited to the job it needs to do. It is not a general purpose communications link like USB.
      • by taustin ( 171655 )

        That's the intent, anyway.

        But as I said, we've seen many articles on how secure automotive computers aren't.

        • by ukoda ( 537183 )
          Look at smart home power metering as the closest match. People are not having their homes hacked from that, it is too dumb, the worst you could do is turn off their hot water. It is far easier to use their Internet connections or RF remote door access. With cars it is the infotainment systems and 'connected' vehicle features that are attack-able. The CCS standard is simply too feature limited to be a likely attack vector, the worst you could do is stop a charging session.
  • "Let's combine the charging port and the data port. There's no way that'll ever bite us in the ass!"

    • Genius as in achieving operational objectives? Yes, Genius.
    • It is a genius design decision. Data is carried with power in many situations. Your battery for one (the S port on your lithium cell), even the power grid itself often has a fibre strung up on top of the high voltage power lines.

      Only the dumbest of dumb systems like your wall outlet provide power without communications.

  • Waiting for a similar warning about electric cars ...

    • by ukoda ( 537183 )
      Take a look at the spec for CCS charging, https://en.wikipedia.org/wiki/... [wikipedia.org]. At its basic level it is not a data interface, it is a control system using different voltages and pulse formats to signal charging state and current.

      There is a higher level communications available but it is feature set limited to the job it needs to do. It is not a general purpose communications link like USB.

      [sarcasm]: Now tell me again how it is my car only charges from coal?
  • One can have a charge-only cable, or even better a cable with a switch for allowing/disallowing data (why isn't this a thing, bonus points for a screen to show what charge it is doing), and still be vulnerable to USB killers.

    Overall, the best thing is to carry a charger around and use good ol' 240 volts (or 120 volts if in the US). If something happened and there was a spike, the MOVs on the charger should take care of that and not fry the phone (assuming something that isn't a direct lightning strike.) H

  • by redback ( 15527 ) on Monday April 10, 2023 @06:28PM (#63439592)

    Carry a powerbank. This alone will get you through many charging emergencies.

    If you need more power, you can use the public charger to recharge the powerbank.

  • Here's a decade-old story on this problem:

    https://tech.slashdot.org/stor... [slashdot.org]

    The FBI needs to be devolved back to the states.
