Power over USB: when charging a computer means connecting to untrusted data-sources

Some of the proposed enhancements to USB 3 would allow it to deliver a whopping 100W of power. There are some pretty great implications for this, including the ability to safely wire and re-wire room lighting and other low-power applications without an electrician's help.

But as O'Reilly's Mike Loukides points out, putting data and power in the same cable also has some intense security implications -- if you can't charge your laptop without connecting it to an untrusted data-source, there's some crazy shenanigan potential.

I've seen USB 2 power-only cables that short out the data-wire, and I wonder if Mike's problem couldn't be solved by just having a power-only USB port on the back of your laptop for charging -- but I also wonder if people would buy such a laptop, or if they'd demand the convenience of being able to use any port for charging or data.

But I have one concern that I haven’t seen addressed in the press. Of course USB cables carry both data and power. So, when you plug your device into a USB distribution system, whether it’s a laptop or phone, you’re plugging it into a network. And there are many cases, most notoriously Stuxnet, of computers being infected with malware through their USB ports. It no doubt took some fairly good social engineering to get an infected USB stick into a computer in an Iranian nuclear facility. But it wouldn’t take any social engineering at all, just a lunch appointment or an interview, to plug an infected drive into the USB power distribution system at some future office complex. You might not even need access to the business you wanted to attack if, as the Economist imagines, power distribution is shared between different buildings in an industrial park.

The most security conscious among us frequently put epoxy in their USB ports. But epoxy won’t work if that port is your only way to charge your laptop. We’re going to need much stricter discipline than epoxy if USB is to become a power distribution standard. More than anything, we will need to be confident that there aren’t any backdoors into our system. A quick Google search is scary indeed, and the NSA is the least of our worries. Can we keep our data, and our systems, safe? History suggests that we can’t.

Power over USB

(Image: The left-hand-side connectors on a Lenovo X220, Yoe/Wikimedia)

Notable Replies

  1. bzishi says:

    I hope people don't use USB for household lighting. Low voltage DC rectified from AC (or via a switching power supply) is not a great way to power things efficiently. You must power batteries and computers this way--you don't have a choice. But things like lighting can run just fine off of AC.

  2. For power only charging for laptops, maybe a toggle switch to turn the data capabilities of one of the usb ports on and off would give the best of both worlds.

  3. A good switch mode power supply can be 95% efficient or more, and LED lighting, which requires DC, is far more efficient than incandescents and gaining on fluorescents. Since they require less current, the IR cable loss is mostly mitigated. I wouldn't try running a clothes dryer on 12 volts DC, but LED lighting? more and more of my house is illuminated with LEDs powered from 12 or 24 volts DC.

  4. The right answer, as always, is a hardware switch on the data line before it reaches anything you care about protecting. Then all you have to worry about is social engineering.

Continue the discussion bbs.boingboing.net

63 more replies