With USB-C, even plugging in can set you up to be hacked
Connecting state and local government leaders
USB-C chargers can allow criminals to attack the computer of an unsuspecting user who is just trying to power up the device’s battery.
This article was first posted on The Conversation.
Plugging in the power -- or at least what you think is power -- to a USB-C powered laptop can connect your computer, and the valuable personal data on it, directly to hackers. Your personal financial information, passwords and documents stored on the laptop could help a cybercriminal steal your identity. The laptop may even be used to attack your employer’s computers and network.
The European Union is already moving to require all smartphones be compatible with USB-C power adapters – itself a move that endangers users’ privacy. If the EU made a similar standard for laptop computers, it would threaten to make the problem worse, by increasing the number of people vulnerable to what is basically the digital equivalent of pick-pocketing.
From mobile phones to laptops
Mobile phones have been hackers’ targets for years. Phones that are left behind or stolen can contain sensitive personal data that can let a criminal open a new bank account or take out a loan.
However, a far more insidious way to get the data is to simply connect to the phone and steal everything it holds. As the phone is not lost, the user may be unaware that anything is wrong. Attackers try to get access to mobile phones via their internet connections and local wireless connection technologies like Bluetooth and Wi-Fi.
But some attackers are finding a weakness in phone charging. Many newer phones use the same port – one of several types of USB – for both connecting to a computer and charging. A charger could be modified to attack your phone via that trusted connection. This has led some researchers to recommend never using public USB chargers for your smartphone.
Older mobile phones, including some smartphones, that used power-only connections didn’t have to worry about this issue. Users of these devices can plug in to public multi-device charging stations without worry, as there is no connection to the device’s data. For those with combined data and power ports, however, the same port that many people only use to power their phone is commonly used by hackers and even law enforcement to access the data on it.
Laptops can now be attacked by USB power ports
Until recently, laptop computers had enjoyed some protection, with most having a dedicated power port to connect their chargers to. Other purpose-specific ports allowed connections to desktop monitors, conference room projectors and other devices, without need for concern. USB-C changed this, with one high-speed port now able to provide and receive power, send video signals to projectors and monitors, and connect to USB thumb drives and numerous other peripheral devices.
Most of the time, this is extremely convenient, reducing the number of different ports needed on today’s lightweight and compact laptops. However, it also allows criminals to attack the computer of an unsuspecting user who is just trying to charge the device’s battery.
With the European Union potentially requiring phone makers to standardize on USB-C chargers to reduce waste and provide consumer flexibility, similar rules for laptops may not be far behind. In any case, people with laptops powered by USB-C and those who connect to USB-C screens and projectors in public areas need to be vigilant.
Compared to a mobile phone, laptops may contain far more data. Some laptop users may not have these files backed up to other locations, which makes them vulnerable to deletion or even encryption for a ransom payment. Hacked laptops can also serve as a method to get viruses and other malware into sensitive business or government facilities, bypassing firewalls, intrusion detection systems and other network security mechanisms. In short, they may be much more attractive targets to hackers.
Prevent problems by not plugging in
As someone who researches and teaches courses related to cybersecurity, I follow numerous reports of scam websites, all manner of fraudulent callers and electronically distributed viruses – all trying to steal personal information.
Criminals run these scams from the other side of the world, making them hard to track down and bring to justice. While there is little you can do to prevent your data from being released by large-scale hacks of personal data like the Equifax breach, you can reduce your risk of power-connection hacking.
USB-C laptop users should not plug in to airport, hotel or other public USB ports without protection. Charge-only adapters, portable USB batteries and cables that can shield the data connection are possible solutions. At present, in most cases, it is best to just plug the laptop’s power supply into a normal wall power outlet; many public USB ports, which follow the older USB-A standard, don’t yet provide enough power to run and charge a laptop anyway.
When connecting to other devices, check for signs of tampering, such as missing screws, scuffing and other wear – particularly around screw holes and edges. When projecting for others, use your own USB-C to VGA or HDMI converter and connecting to these ports.
Over time, the computer industry may be able to create tamper-evident USB devices and other ways of protecting USB users, like ATM manufacturers have tried to do. Until then, USB-C users need to protect themselves by not connecting to public, insecure and other potentially compromised or suspicious USB ports. Information technology managers face a tougher battle and may try to avoid USB-C powered devices or train users to use them safely.