Could your powerbank be a data exfiltration tool?

It seems to be the case according to an article published on HackRead about a giant leak that exposed state-backed cyber weapons and gave experts a rare look into China’s government-backed hacking tools and operations.

Reminds me of the Shadow Brokers' hack back in 2016, where the Equation Group's most precious jewels (EternalBlue, EternalRomance, etc.) were stolen and subsequently released on the dark web… which led to the most damaging ever WannaCry and NotPetya global disasters.

Anyway, the above article specified that:

It is worth noting that the documents even mention a seemingly harmless, malicious power bank designed to secretly upload data from a victim’s device while pretending to charge it.

So, beware of your ‘made in China’ powerbank looking like such an innocuous accessory - but in fact sneakily exfiltrating your secrets for the PRC to get to know you better!

With hardware supply chain problems like this becoming a real threat that is difficult to detect, it could be a good opportunity for Purism's engineers to develop and market a 'made in USA' powerbank, just to be on the safe side.

3 Likes

That’s why you use a USB Data Blocker e.g. Tested Accessories · Wiki · Librem5 / docs / Librem 5 Community Wiki · GitLab or e.g. USB Data Blockers for the Librem 5

Of course, the USB Data Blocker could itself be malicious.

2 Likes

Infamous example (in security circles):

5 Likes

The article does not say how the devices could achieve this. Can someone explain how such an attack could be carried out on the L5? Without knowing the attack vector we cannot think about ways to get back control. There is no easy way such as just buying another device that protects us, especially if we cannot trust that additional device.

2 Likes

I always kind of wondered if there was a motive when forum posters say, “battery swapping L5 is wrong, you are meant to use a power bank,” and maybe now I know what that motive is.

1 Like

I haven’t looked at any of the underlying information for the article, so the following is speculation, but this could easily just be an extension of the “bad USB” attack.

The point is that by default any time you connect some random hardware via USB to a host computer, something will happen on the host computer to interrogate what device type it is (specified by vendor id and product id - but these can easily be forged) and what interfaces (functions) it can offer.

A typical “bad USB” attack device offers a keyboard interface so that it can inject keystrokes into the host computer and may offer a network interface so that it can hijack network traffic / introduce network traffic.

This is a fundamental problem that is introduced by charging via USB. The USB specification combines two purposes (power/charging and peripherals) into one - making them inextricably connected. You can’t have power/charging without peripherals (but the purpose of a USB Data Blocker is to ensure that no peripherals are presented to the host computer).

This can be countered (somewhat?) by technology like USBGuard on the host computer.

On top of that, a truly malicious piece of hardware can obviously contain whatever else it likes e.g. hypothetically a cellular modem for exfiltration that is completely independent of the host computer or a WiFi client for exfiltration via the local network.

Early versions of BadUSB were made to look like USB flash drives but that then limits the amount of physical space that is available for malicious hardware. A powerbank overcomes that since a powerbank is much bigger and much heavier than a USB flash drive. The powerbank could contain an entire general purpose computer and you wouldn’t know it unless you opened it up.

Or an opportunity to develop a trusted USB Data Blocker?

4 Likes

Sounds very much like we need some software on the host computer that asks for permission per device.
Is it allowed to charge? - yes
Is it allowed to charge and get data access? - no → only allow charging

Okay, I am currently reading about USBGuard and it looks like it is doing that. I will read a bit further, thanks.

2 Likes
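To make concrete both the enumeration step described above (the host reading a device's vendor/product id and interface list) and the "ask permission per device, allow charging only" idea, here is an added shell example. It is not code from this thread, from Purism, or from the USBGuard project. It looks at the interface classes a device presents, exactly the descriptors a host reads when something is plugged in, and treats any interface at all on a supposed charge-only accessory as a reason to block; it also emits one rule in USBGuard's own rule language. The sample class lists, the device name "1-1" and the exact rule wording are assumptions; the class codes 03 (HID), 02 and 0a (CDC control/data), 08 (mass storage) and e0 (wireless controller) are the standard USB-IF base class values.

```sh
#!/bin/sh
# Added example for this thread; not code from Purism or the USBGuard project.
# During enumeration the host reads the device's vendor:product id (forgeable)
# and the interface classes it exposes. A genuine charge-only power bank needs
# no interface at all, so any interface is a reason to distrust it.

# Map a bInterfaceClass value (two lowercase hex digits, as sysfs exposes it)
# to a readable name. Values are standard USB-IF base class codes.
usb_class_name() {
  case "$1" in
    01) echo "audio" ;;
    02) echo "cdc-control (serial/network)" ;;
    03) echo "hid (keyboard/mouse)" ;;
    08) echo "mass-storage" ;;
    0a) echo "cdc-data (network)" ;;
    e0) echo "wireless-controller" ;;
    *)  echo "class-$1" ;;
  esac
}

# Decide whether a device that is supposed to be a power accessory may be
# trusted. $1 is a space-separated list of bInterfaceClass values; an empty
# list means the device offers no function beyond drawing or supplying power.
# Prints "allow", or "block:<reasons>" naming the suspicious classes.
verdict_for_power_accessory() {
  classes="$1"
  reasons=""
  for c in $classes; do
    case "$c" in
      02|03|08|0a|e0) reasons="${reasons}${reasons:+,}$(usb_class_name "$c")" ;;
    esac
  done
  if [ -z "$classes" ]; then
    echo "allow"
  elif [ -n "$reasons" ]; then
    echo "block:$reasons"
  else
    # Any other interface is still more than a charger should present.
    echo "block:unexpected-interfaces"
  fi
}

# On a real Linux host (Librem 5 included), read the classes for a device such
# as "1-1" (assumed name) from sysfs, ready for verdict_for_power_accessory.
sysfs_interface_classes() {
  for f in /sys/bus/usb/devices/"$1":*/bInterfaceClass; do
    [ -r "$f" ] && tr 'A-F' 'a-f' < "$f"
  done | tr '\n' ' ' | sed 's/ *$//'
}

# USBGuard rule (its own rule language, cc:ss:pp with * wildcards) that blocks
# any device presenting HID or CDC interfaces unless an earlier rule allowed
# it. Exact phrasing is an assumption; verify with `usbguard list-rules`.
usbguard_block_rule() {
  echo 'block with-interface one-of { 03:*:* 02:*:* 0a:*:* }'
}

# Constructed sample descriptors (hypothetical, not from the leaked documents).
GENUINE_POWERBANK=""          # no interfaces at all
BADUSB_POWERBANK="03 02 0a"   # pretends to be a keyboard plus a network adapter

echo "genuine power bank: $(verdict_for_power_accessory "$GENUINE_POWERBANK")"
echo "bad-USB power bank: $(verdict_for_power_accessory "$BADUSB_POWERBANK")"
echo "policy line:        $(usbguard_block_rule)"
```

Run it as-is to see the verdicts for the two constructed devices; on a real host replace the sample lists with `$(sysfs_interface_classes 1-1)` after checking the device name with `lsusb -t`. The USBGuard line belongs at the end of a policy whose earlier `allow` rules cover the keyboards and network adapters you actually own, because USBGuard evaluates rules in order and the first match wins.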

I think there was such a thing in settings, a question about whether new USB devices are permitted…

By the way, don’t forget the old threads:

Another potential solution: Security of USB adapters and hubs - Does L5 need additional Purism hardware? - #3 by Dwaff

Anyway, remember that it could also be the cable: Charging with iPhone charger - #2 by JR-Fi

1 Like

I know the cables, adapters and hubs topics, but they're something completely different. If you plug in a cable between a PC and a phone or another device, you probably want to share data, and so there is no real question like "how is it possible to get access to data". But a device that should just be able to handle energy should not have any access to data.

So while I never had that question about cables etc., I had it about powerbanks. And of course, what applies to a powerbank also applies to the other devices, but I never thought this way previously.

2 Likes

When I read this, I then wonder:

did they know when they wrote the spec?

I guess as I get older, it starts to seem like some of the times when tech goes wrong were literally planned…

How can you ask if the person you’re asking is using a USB device to select their choice?

1 Like

I mean it in the same way OpenSnitch does for outgoing internet traffic. In this case the software should just give the user control over USB devices.

1 Like

GrapheneOS has radio buttons for that feature in Settings → Security & Privacy → Exploit Protection → USB-C Port:

2 Likes

It’s complicated.

Remember that it all started with USB 1.0. Your typical USB 1.0 peripheral would be keyboard and/or mouse. It is obvious that both of these peripherals require power in order to operate. That gives three basic power options for the peripheral: 1. battery 2. separate external power 3. bus-powered. The USB spec at least gave the peripherals the choice of being bus-powered, which was definitely the most convenient choice for everyone.

From there it has become more and more complex, with the available power increasing, the protocols for power negotiation multiplying, the complexity of the power negotiation increasing, and USB power also sometimes being used solely for power, including but not limited to charging (rather than power + data by intention).

So, yes, they certainly did know that when they wrote the spec, and it was intentional, but my opinion is that this was neither malicious nor some kind of secret conspiracy. However, if the authors of the specification had anticipated from Day 1 how this might be used maliciously then perhaps there would have been stronger controls from Day 1.

3 Likes

Very likely. Remember, a lot of security issues are introduced this way. E-mail, HTTP (non S), DNS, …
It is just hard to fix later, when compatibility is a key feature.

2 Likes

Well, a simple solution could be a magnetic power bank, couldn't it? Physically impossible data transfer, just energy :man_shrugging:

1 Like

In theory, yes, but in practice, that means acquiring a smartphone that supports wireless charging.

1 Like

Or suggesting that Purism develop magnetic batteries :wink:

1 Like

Sure, as long as you do not mind waiting several years for a proof-of-concept.

1 Like

Isn’t USB-C charging support a requirement in the EU?

Maybe a malicious powerbank for wireless charging could still be a spying device i.e. picking up RF emissions from the hardware that is in close proximity, both deliberate emissions (WiFi, cellular, Bluetooth) and fugitive emissions. I wouldn’t absolutely rule out data transfer.

1 Like

Indeed! I can confirm. Apple was absolutely furious about this regulation (because of their cute patented magnetic connector), but they had to comply if they wanted to continue selling in the EU.

The purpose of this regulation was to make a unified and mandatory standard for charging devices' connectors, so they would all be compatible with any equipment. Over and done with the mess of dozens of chargers, cables, adapters…!

1 Like