Public phone charging ports…beware

[y_p_w]

It should be fine to use your own cable and plug on outlets that are pretty much everywhere in airports these days. I can sit at a gate and there will be an outlet close by. I usually use the ones on the plane.

Sometimes I've found myself with just a cable and nothing else. Strangely enough I've found a lot of those USB ports weren't actually powered.

But I generally carry a pocket sized USB power pack along with a 4 inch Lightning cable. If my phone battery is low or if I just want to use it off of the power pack (which should be more efficient than one battery charging another battery).

I don't really see that many USB power outlets, but I have seen some. I've been to malls where they had combo outlets, but they might not actually be connected to power or working. Some restaurants and cafes have them. And of course there are those ones set up for free charging (with captive cables) while you shop using an access code to retrieve.

 

[y_p_w]

I would think that it would be difficult to somehow tamper with or otherwise add malware to an airplane seat USB charger.

I think the big worry would be about some sort of inside job where maybe maintenance people are paid under the table to install unauthorized power ports with malware installed. But then again there's a trust factor with almost any USB device. If it's done on the inside, it might be possible to install a substitute port connected to electronics that may look to transfer some sort of malware. That could be done to almost anything, including power adapters, cables, computers, USB power ports, USB power packs, adapters, etc. I've got an aftermarket Lightning to headphone jack adapter which could theoretically be able to operate a small program to install firmware. That's distinctly a possibility with anything that uses a combined data/power arrangement. The only way to completely avoid it would be to go to a power only configuration.

 

[dishdude]

This seems a bit far fetched. It's pretty rare I have to charge away from home, but when I do I use my own 120v adapter. I don't trust the public USB charging ports to put out the correct voltage without frying my device and I doubt they support fast charging. If there was ever a time you want to charge your device quickly, it's when you need to charge at the airport.

 

[haggler]

There’s still a matter of trust. I recall there were digital photo viewer frames that had malware built in that could spread through the memory cards used to load photos. Most USB-A power adapters only provide power without any data link, but it might be possible to insert circuitry that stores malware and looks to transfer it if a user sees a “trust” pop up and allows it. Might be possible with cheap, noname stuff. Even cables.

If you're getting a message to "trust" a data connection when only connecting to a power brick, you need to discard either the brick or cable ASAP. Generally, if you dont "allow" a data connection you wont get compromised unless there is a specific vulnerability that can bypass those controls. Even if you do, unless you phone is very old with no security updates or rooted there's little chance of having your phone compromised. Generally the system is only running as a user, and only your user visible data would be at risk , but not the integrity of the phones OS. A much better practice would be to purchase a phone that issues regularly security updates for the length you intend to keep it, install regular automatic updates, and do not root your phone.

 

[y_p_w]

This seems a bit far fetched. It's pretty rare I have to charge away from home, but when I do I use my own 120v adapter. I don't trust the public USB charging ports to put out the correct voltage without frying my device and I doubt they support fast charging. If there was ever a time you want to charge your device quickly, it's when you need to charge at the airport.

This setup (36 ports seems a bit cramped I'd think) says each outlet is rated at 5V/2A (although a different part says 5V/1A). I'm not sure about USB-C, but with OEM or officially licensed Apple Lightning cables, there's a requirement for overvoltage protection. I wouldn't worry about too much current because that's always controlled by a device's internal power management.

https://www.hyte.pro/product/h36.html

I was at an airport fairly recently and saw tables that were set up with power outlets but no specific USB ports. A lot of people were using them including some pilots.

 

[y_p_w]

If you're getting a message to "trust" a data connection when only connecting to a power brick, you need to discard either the brick or cable ASAP. Generally, if you dont "allow" a data connection you wont get compromised unless there is a specific vulnerability that can bypass those controls. Even if you do, unless you phone is very old with no security updates or rooted there's little chance of having your phone compromised. Generally the system is only running as a user, and only your user visible data would be at risk , but not the integrity of the phones OS.

Sure. But there can be lapses even with people who know what to look for. My parents wouldn't know what to do and might quickly approve something just to get rid of an annoying message. I mean - they're the ones showing me text messages claiming that their "Amazon account has been compromised". Whoever does this sort of stuff isn't looking to get everyone, but enough to make it worth the effort.

 

[PimTac]

Sure. But there can be lapses even with people who know what to look for. My parents wouldn't know what to do and might quickly approve something just to get rid of an annoying message. I mean - they're the ones showing me text messages claiming that their "Amazon account has been compromised". Whoever does this sort of stuff isn't looking to get everyone, but enough to make it worth the effort.

I’ve been in airports with those charging benches and saw phones that were charging unattended. A lot of people are very lax with their things to begin with.

 

[haggler]

Sure. But there can be lapses even with people who know what to look for. My parents wouldn't know what to do and might quickly approve something just to get rid of an annoying message. I mean - they're the ones showing me text messages claiming that their "Amazon account has been compromised". Whoever does this sort of stuff isn't looking to get everyone, but enough to make it worth the effort.

I had edited my response but I'll say this again for others. For people like that, even my parents, I'd tell them to install regular security updates (automatic) as general protection against this type of attack. In order for something to connect to the phone and compromise the system it would have to basically get root access. This is not easy to accomplish in this attack scenario with phones that have regular updates; so the attacker is relying on the person clicking "allow" (or bypass of this) then some root vulnerability. Sure if that attack is run against thousands of phones (similar to the amazon texts) you might get a prepaid phone running some old a** version of android that could be compromised. IMO the risk of this type of attack is slim compared to others, all of which can be mitigated by regular security updates.

 

[bobdoo]

"Now, a researcher who goes by the name Dark Purple has created a USB device that can permanently destroy much of a computer's innards, rendering the machine little more than an expensive doorstop. Within seconds of being plugged in, the USB stick delivers a negative 220-volt electric surge into the USB port. As the video below demonstrates, that's enough to permanently damage the IBM Thinkpad receiving the charge."

https://arstechnica.com/information...ve-can-fry-your-computers-innards-in-seconds/

 

[y_p_w]

"Now, a researcher who goes by the name Dark Purple has created a USB device that can permanently destroy much of a computer's innards, rendering the machine little more than an expensive doorstop. Within seconds of being plugged in, the USB stick delivers a negative 220-volt electric surge into the USB port. As the video below demonstrates, that's enough to permanently damage the IBM Thinkpad receiving the charge."

https://arstechnica.com/information...ve-can-fry-your-computers-innards-in-seconds/

What use would that be though? Malware might be used to log and transmit usernames and passwords. Destroying a computer would seem to be self limiting in its use. I’d hope overvoltage wouldn’t be a big issue. Sending an high voltage to a device connected by a cable may or may not result in damage. Apple authorized cables have protection circuitry that should act like a fuse. Not sure about USB-C which should be limited to 20V. But they’re reliant on the supply playing nice by defaulting to 5V and then negotiating whether to supply higher voltage. Not sure if there’s anything to keep a maliciously designed port from sending overvoltage to a device, like a fuse.

 

[dishdude]

I thought this sounded like BS.

https://slate.com/technology/2023/0...warning-bad-actors-threat-bogus-debunked.html