
Many people, including many people on this site (and, yes, including myself) wouldn't think twice about plugging into an available port if they need a charge. Maybe I don't plug into an unlabeled port in some random location where it doesn't look like it belongs, but honestly I wouldn't think twice about charging at a designated area at a conference.

(Though, yeah, I'd avoid a lot of "normal" activities if I ever attended BlackHat.)



I've had booths at cyber security trade fairs hand out USB flash drives as prizes for spinning a wheel, with no awareness of how that might seem odd. I guess people would be reluctant to accept them at BlackHat, but everywhere else people are very trusting towards USB stuff.


I take free USB drives any day. I always test them on the PC that belongs to the coworker that nobody likes first though ;)

In all seriousness though - 128GB USB 3.0 drives can be picked up for $10 on sale all day long. Absolutely no reason to trust some random $0.25 4GB drive that a stranger gave you, aside from running R-Studio on it for fun or something.


I once worked at a place where the security team had a USB stick delivered to all the desktops with some digital brochure about not trusting strangers or some such. Not the cyber security team, but still.


We send staged phishing emails internally to see who takes the bait.

Leaving USB sticks lying around with some sort of callback to see who plugs them in is a really clever idea. We could probably catch the serial number range in Defender ATP.


  [autorun]
  
  open=you_didnt_read_the_brochure_right.exe
  icon=setup.exe,0
  label=My install CD


> Many people, including many people on this site (and, yes, including myself) wouldn't think twice about plugging into an available port if they need a charge. Maybe I don't plug into an unlabeled port in some random location where it doesn't look like it belongs, but honestly I wouldn't think twice about charging at a designated area at a conference.

This is the solution to that problem:

https://www.amazon.com/PortaPow-3rd-Data-Blocker-Pack/dp/B00...

https://www.amazon.com/PortaPow-NA-USB-C-Data-Blocker/dp/B08...

https://www.amazon.com/PortaPow-Data-Blocker-USB-C-Converter...


If you're already committed to carrying Yet Another Accessory, then why not just carry a small portable charging battery? Some models are not much larger than that USB connector, and could charge the phone more than sitting babysitting a charging phone for an hour.


Yeah, I normally carry bigger portable batteries but I've got a bunch of small ones that I've typically been given by vendors which are probably good for at least getting a phone off life support.


Yes, I was in the hospital waiting room recently and they had a charging station with each type of available cable.

I charged my phone, fully aware of these sorts of issues. I just went with my gut instinct that, in that environment, it's highly unlikely that the cables have been "trojanized".

The FBI can warn about it, but what can you really do? You just have to trust your judgement as to what you feel are safe charging stations, and which may not be.


> but what can you really do?

Get a USB condom, for instance; practice safer charging. :)


Android asks me whether I want to allow a device access. This probably prevents attacks against the upper layer protocols. Is the risk vector here the USB stack itself?

I think it's possible to disable the USB 'protocol' in Linux, but it would require advanced permissions on Android, which probably doesn't work out of the box; with iOS, who knows or cares.


> Is the risk vector here the USB stack itself?

Yes, exactly. There are some comments here in the thread that discuss this in detail.


This is a joke, but it could actually be a thing. An isolator that you can use to protect your device while using those unknown ports. I would call it an isolator though, or firewall, not what you called it.



Cool, didn't know they exist.


Also, a USB-C condom is now available. It was an issue since USB-C uses data lines to negotiate voltage, and I have been tracking the need for one on my problem validation for a while now [1].

[1] https://needgap.com/problems/73-usb-type-c-condom-usb-cybers...


> Also now USB-C condom is also available

Oh, I didn't know that! So what is the solution for USB-C? How do the new USB condoms work?


I'm not completely sure. I read on Reddit that the USB-C condom has some form of proxy circuit to negotiate voltage; I hope someone with better knowledge in this can explain it better.


You can even make a type of them yourself with rudimentary equipment, by cutting the data lines and connecting/not cutting the power lines. I believe you will lose the ability to negotiate faster charging, and I don't know if USB-C will work at all, but it still works otherwise.


They make those. They are called data blocker cables and only have power pins, no data.


...which are really annoying when you do need to transfer data to your phone, but all you have in your bag are data-blockers ;)


Not a joke. The thing exists.


Get a tiny GaN USB-C charger, throw it in your bag, and forget about the public "charging ports"?

I bought like 5 of these, threw them in my bags and luggage, and I don't worry about charging like ever. And my devices charge fast.

If I'm doing long flights, I generally bring a single power brick.


>(Though, yeah, I'd avoid a lot of "normal" activities if I ever attended BlackHat.)

I wonder whether you'd take similar precautions on a site named Hacker News.


So far, web standards don't support online supply of direct (constant) current or alternating (sine wave) current; they can only provide imaginary (square root of stealing your) current.

So you can’t trust any site for power.

---

Although teleporting power via quantum entanglement has been demonstrated as possible given a line of communication.

So crazily, “power over data” may happen one day.

Perhaps, we can all look forward to hackers draining our last 1% of battery power as a reward for not using end-to-end power encryption.


Then you won't mind if I mine some crypto on your machine?


A website would be hard pressed to emulate a keyboard plugged into my computer.


You say that now.

Wait till someone reprograms that Arduino plugged into your USB via WebUSB to be a HID device to do their bidding!
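The HID risk this comment points at is something a Linux host can at least watch for. The detector below is an added example, not code from anyone in this thread: it parses kernel (dmesg-style) USB enumeration messages and flags a device that enumerates as mass storage and also as a keyboard, or a keyboard from a vendor outside an assumed allowlist. The log lines, vendor/product ids and the allowlist are constructed for the example.

```python
import re
# Constructed dmesg-style lines modelled on Linux kernel USB messages; the
# vendor/product ids (cafe, f00d, beef) are made up for this example.
SAMPLE_LOG = """\
usb 1-1: New USB device found, idVendor=f00d, idProduct=0002, bcdDevice= 1.00
usb 1-1: Product: Promo Drive
usb-storage 1-1:1.0: USB Mass Storage device detected
hid-generic 0003:F00D:0002.0002: input,hidraw0: USB HID v1.01 Keyboard [Promo Drive] on usb-0000:00:14.0-1/input2
usb 1-2: New USB device found, idVendor=cafe, idProduct=0001, bcdDevice=64.00
usb 1-2: Product: Office Keyboard
hid-generic 0003:CAFE:0001.0003: input,hidraw1: USB HID v1.10 Keyboard [Office Keyboard] on usb-0000:00:14.0-2/input0
usb 2-3: New USB device found, idVendor=beef, idProduct=0003, bcdDevice= 1.00
usb 2-3: Product: Travel Stick
usb-storage 2-3:1.0: USB Mass Storage device detected
"""

NEW_DEV = re.compile(r"usb (\S+): New USB device found, idVendor=([0-9a-fA-F]{4}), idProduct=([0-9a-fA-F]{4})")
PRODUCT = re.compile(r"usb (\S+): Product: (.+)")
STORAGE = re.compile(r"usb-storage (\S+?):\d+\.\d+: USB Mass Storage device detected")
KEYBOARD = re.compile(r"hid-generic 0003:([0-9a-fA-F]{4}):([0-9a-fA-F]{4})\.\d+: .*USB HID v[\d.]+ Keyboard")
TRUSTED_KEYBOARD_VENDORS = {"cafe"}  # assumed allowlist of vendors expected to present a keyboard

def parse_usb_log(text):
    """Group kernel USB messages per (vid, pid): product string and interface classes seen."""
    devices, by_addr = {}, {}          # by_addr maps a bus address like "1-1" to (vid, pid)
    for line in text.splitlines():
        if m := NEW_DEV.search(line):
            key = (m.group(2).lower(), m.group(3).lower())
            by_addr[m.group(1)] = key
            devices[key] = {"product": "", "classes": set()}
        elif m := PRODUCT.search(line):
            if key := by_addr.get(m.group(1)): devices[key]["product"] = m.group(2).strip()
        elif m := STORAGE.search(line):
            if key := by_addr.get(m.group(1)): devices[key]["classes"].add("storage")
        elif m := KEYBOARD.search(line):   # hid lines carry VID:PID rather than the bus address
            key = (m.group(1).lower(), m.group(2).lower())
            if key in devices: devices[key]["classes"].add("keyboard")
    return devices

def find_suspicious(devices, trusted_vendors=TRUSTED_KEYBOARD_VENDORS):
    """Return (vid, pid, product, reason) for keyboard interfaces that should not be there."""
    alerts = []
    for (vid, pid), d in devices.items():
        if "keyboard" not in d["classes"]: continue
        if "storage" in d["classes"]:
            alerts.append((vid, pid, d["product"], "storage device also presents a keyboard"))
        elif vid not in trusted_vendors:
            alerts.append((vid, pid, d["product"], "keyboard from vendor outside allowlist"))
    return alerts
```

On a real host the same functions can be fed the output of `dmesg` or `journalctl -k`; the regexes follow the message formats the kernel's usb, usb-storage and hid-generic drivers print.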


Very true. Nevertheless, I'm curious if you implicitly trust the security of links on HN?

I know I largely do, but perhaps that's unwise, especially given the site's stated target audience.


Serious browser exploits are extremely rare these days. Like, the worst you get is cryptocurrency mining while you're on the page.


I still get the occasional popup that gets past AdGuard on my phone and tries to add spam to my calendar on my iPhone, but it's definitely a lot better than it used to be. I got one a few months ago that had instructions on installing a custom management profile; now that cracked me up.


Accessing a known non-sketchy website? No.


Hacker News is a link aggregator.


If you've spent any time on here you know that no one actually clicks the links to read the article. Users need only trust the pages with an orange header.


I know I don't, but surely some people do.

Perhaps Hacker News is merely a conversation prompt aggregator.


I mean the upstream comment is basically saying don't trust clicking any links on the Internet, even on a site that presumably weeds out really dodgy stuff quickly. Indeed, not using the Internet is a solid, if rather extreme, security process to follow.


I wrote it, and that's not what it's saying.


HN as a separate entity has practically no value, it could just be reddit.com/r/hackernews and it'd be practically the same.


Reddit doesn't have dang.


The thing about Reddit is that it has greater "discoverability" through search, profiles and algorithmic "hot" pages, so communities like that inevitably become swamped with low quality posts. There are a few niche subs that just degenerated into posting photos of purchases that arrived in the mail today instead of actually discussing the use of the tools.


I don't trust orange headers, only blue ones.


grin


Which is exactly why they’re a great target. High traffic, good odds someone plugs the phone in and unlocks it while plugged in, etc.



