
But how?

Most devices are charge-only by default, most users have USB debugging disabled, and those who know how to enable it, won't allow the adb server to connect to the phone (you have to explicitly give it permission).



I believe the assertion is "just because you don't know how to do it doesn't mean it can't be done."

It turns out several generations of USB controllers did "undefined" things when presented with "undefined" behavior on the data pins. Sometimes "undefined" was "just doesn't work", sometimes it was "put data in physical memory, bypassing the MMU and it's data protection features."

I've never seen it myself, but I worry someone out there has figured out how to do the same thing over the power lines.


> I believe the assertion is "just because you don't know how to do it doesn't mean it can't be done."

Okay, but tell me how it can be done if you want me to take the threat seriously. You could also say “always store your phone in a sound-isolating container because attackers can hack your phone with ultrasonics.”


> Okay, but tell me how it can be done if you want me to take the threat seriously.

That is not a precautionary attitude. I don't know how a candle left unattended in the middle of my granite counter island could light anything on fire, there aren't any drapes near it, but I'm not going to leave it unattended so I can find out.


Indeed, I’m explicitly rejecting the precautionary principle.


Oh. So you're a bitcoin exchange CEO?


I don't know how this is done, but not everything USB connected is assumed to be a charger. For example the 2FA hardware tokens aren't assumed to be chargers by default. So I imagine this might be done by faking a different device.


The malicious charger can pretend to be a keyboard, mouse and screen, and just remote control the phone. Or just a keyboard, if you want an easier implementation. At least Android phones are completely usable this way, with universal keyboard/mouse support and widespread USB-C display support. Without any confirmation steps.
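As an added illustration (not from this thread): the keyboard-or-mouse trick only works if the device presents a HID interface in its USB configuration descriptor, which is exactly what a phone, a data blocker or a host-side policy can check before accepting a port that was only supposed to supply power. The descriptor bytes below are constructed samples.

```python
import struct

def walk_descriptors(config):
    """Yield (bDescriptorType, raw_bytes) for each descriptor in a configuration blob."""
    off = 0
    while off + 2 <= len(config):
        length, dtype = config[off], config[off + 1]
        if length < 2 or off + length > len(config):
            raise ValueError(f"malformed descriptor at offset {off}")
        yield dtype, config[off:off + length]
        off += length

def parse_interfaces(config):
    """Return [(iface_number, class, subclass, protocol), ...] for every interface."""
    total = struct.unpack_from("<H", config, 2)[0]   # wTotalLength
    if total != len(config):
        raise ValueError("wTotalLength does not match blob length")
    return [
        (d[2], d[5], d[6], d[7])
        for dtype, d in walk_descriptors(config)
        if dtype == 0x04 and len(d) >= 9           # 0x04 = INTERFACE descriptor
    ]

def hid_interfaces(config):
    """Interfaces that would let a 'charger' type at the phone: class 0x03 (HID).
    Boot protocol 1 = keyboard, 2 = mouse; anything else is reported as other HID."""
    names = {1: "keyboard", 2: "mouse"}
    return [
        (num, names.get(proto, "other HID"))
        for num, cls, sub, proto in parse_interfaces(config)
        if cls == 0x03
    ]

# Constructed sample: a device that enumerates as a boot-protocol keyboard.
FAKE_KEYBOARD_CONFIG = bytes([
    9, 0x02, 34, 0, 1, 1, 0, 0xA0, 50,        # configuration descriptor
    9, 0x04, 0, 0, 1, 0x03, 0x01, 0x01, 0,    # interface: HID, boot subclass, keyboard
    9, 0x21, 0x11, 0x01, 0, 1, 0x22, 63, 0,   # HID class descriptor
    7, 0x05, 0x81, 0x03, 8, 0, 10,            # interrupt IN endpoint
])
# Constructed sample: a plain mass-storage stick, no HID interface at all.
STORAGE_CONFIG = bytes([
    9, 0x02, 32, 0, 1, 1, 0, 0x80, 50,
    9, 0x04, 0, 0, 2, 0x08, 0x06, 0x50, 0,    # interface: mass storage, SCSI, bulk-only
    7, 0x05, 0x81, 0x02, 0, 2, 0,             # bulk IN, 512 bytes
    7, 0x05, 0x02, 0x02, 0, 2, 0,             # bulk OUT, 512 bytes
])
```

A real charger never enumerates, so any interface list at all on a "charge-only" port is already a signal; a HID entry is the one this comment is about.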


If a keyboard is the attack vector, what I don't get is: why not suggest people lock their phones and charge them when they're locked? Or maybe even shut them down and charge them before booting. Is there any reason not to suggest those? It certainly seems more practical than telling people they're out of luck, unless there are other attack vectors - in which case, what are they?


Most people who use public charging ports are the same ones who want to use their phone while charging.

Physical security is also a consideration; I wouldn't really suggest that people leave their phones plugged into the wall in a public or semi-public place.


If this is true, then just use a charging cable with only the two power wires in it.


What is in the connector? While the only evil USB connectors I have seen are the big ones, putting evil in a Lightning or USB-C should be more than possible.


> But how?

Ask that of your average parent using an Android 6 from a decade ago, not being able to update because the manufacturer decided to not support their devices anymore after a year.

There is no such thing as an updateable Android, because something will always be outdated. Even LineageOS builds are using decades-old kernels and kernel mods that have never been backported or upstreamed.

Android has a huge update problem. I'd probably bet that Stagefright or, say, the Pegasus zero-day for WhatsApp still works on a large percentage of devices even though it was leaked more than 5 years ago.


Hmm, if someone is using a phone from a decade ago, they will certainly be vulnerable to evil charging stations, as their battery will almost certainly be extremely tired (then again, phones that old were a lot easier to replace batteries in, so maybe there's some hope).


Lightning does more than just USB depending on how you signal the pins, including factory debug and diagnostics connections.

See also: the Bonobo JTAG/SWD debugging cable over Lightning. https://shop.lambdaconcept.com/home/37-bonobo-debug-cable.ht...

(While this 'technically' requires extra device flags, it's still the fact that Lightning has lots of hidden modes underneath its multiplexer.)


I can picture a malicious actor convincing less tech savvy folks into enabling USB debugging to "unlock wifi speed" or some similar BS.


Heh. Reminds me of the warez days.

"Can't install this shady pirated software you got from a malware-adjacent site? Try disabling your antivirus!"


Baseband exploits.

