Power over USB: when charging a computer means connecting to untrusted data-sources

Some of the proposed enhancements to USB 3 would allow it to deliver a whopping 100W of power. There are some pretty great implications for this, including the ability to safely wire and re-wire room lighting and other low-power applications without an electrician's help.

But as O'Reilly's Mike Loukides points out, putting data and power in the same cable also has some intense security implications -- if you can't charge your laptop without connecting it to an untrusted data-source, there's some crazy shenanigan potential.

I've seen USB 2 power-only cables that short out the data-wire, and I wonder if Mike's problem couldn't be solved by just having a power-only USB port on the back of your laptop for charging -- but I also wonder if people would buy such a laptop, or if they'd demand the convenience of being able to use any port for charging or data.

But I have one concern that I haven’t seen addressed in the press. Of course USB cables carry both data and power. So, when you plug your device into a USB distribution system, whether it’s a laptop or phone, you’re plugging it into a network. And there are many cases, most notoriously Stuxnet, of computers being infected with malware through their USB ports. It no doubt took some fairly good social engineering to get an infected USB stick into a computer in an Iranian nuclear facility. But it wouldn’t take any social engineering at all, just a lunch appointment or an interview, to plug an infected drive into the USB power distribution system at some future office complex. You might not even need access to the business you wanted to attack if, as the Economist imagines, power distribution is shared between different buildings in an industrial park.

The most security-conscious among us frequently put epoxy in their USB ports. But epoxy won’t work if that port is your only way to charge your laptop. We’re going to need much stricter discipline than epoxy if USB is to become a power distribution standard. More than anything, we will need to be confident that there aren’t any backdoors into our system. A quick Google search is scary indeed, and the NSA is the least of our worries. Can we keep our data, and our systems, safe? History suggests that we can’t.

Power over USB

(Image: The left-hand-side connectors on a Lenovo X220, Yoe/Wikimedia)