The USB port, if left unsecured, provides an easy path to bypass the plugged device’s security. In this second article of a two-part series on USB safety, cybersecurity expert Ben Finn explains for Reporters Without Borders (RSF) that public USB charging ports cannot be trusted, but data blocking tools exist to prevent unwanted data transfer.
Journalists who travel for work will often find themselves in search of a place to charge their phone or laptop. Public places like airports, cafes, buses, hotels, and office buildings often have USB charging points for this very purpose, but journalists should be wary that this may not be a safe thing to do.
A USB port is a standard cable connection interface for computers and other electronic devices. It can be used to both charge a device and transfer data, which inherently presents security vulnerabilities discussed in Part 1 of this series. By default, most devices allow both features at the same time.
These two-way features are the basic requirement needed for a form of cyber attack known as “juice jacking,” where a seemingly innocuous USB charging point transfers data without the user knowing, delivering malware or stealing sensitive data from devices that are plugged into it. When connecting to a USB charging port, even changing a device’s settings to “charge only” may not always be enough to prevent sophisticated “juice jacking” attacks. Besides, “juice jacking” attacks can also work though portable power banks.
Therefore, under no circumstances can public USB ports, communal connection cables or in fact any public port be trusted. Even if they were installed by a venue for the good of the people invited, they could be compromised by malicious actors with malware uploaded at any time. So, if possible, journalists are recommended to never plug any unknown tool into their devices, and if that is not an option, to always use a data blocker, a.k.a “USB condom.”
“USB condom” against data transfer
The best protection against unwanted data transfer through USB connections is a data blocker, nicknamed “USB condom” due to its physical protective nature: it is a small, inexpensive device which is placed on the end of the USB cable, and which physically blocks the parts of the USB port that transmit data.
RSF recommends journalists have a “USB condom,” purchased from a reputable source, to use in all untrusted locations. Depending on the level of security required, they should even be used in trusted locations. Portapow, Plugable or DataBlocker Pro are some reliable brands that offer this tool.
Written by Benjamin Finn. From Houston (USA), Benjamin has been in the IT field for a decade, during which his primary focus was the deployment of internal enterprise tools across large enterprises, including cybersecurity focused efforts. He has been engaged in training on proper security in the context of an oppressive nation-state, specifically in Myanmar. He has also been working with multiple groups in Taiwan to train them on proper security and safety measures.