Smartphones have been charged over USB for many years, but with the advent of USB type-C, even laptops may now be charged over USB instead of the typical DC power barrel jack.
Why am I writing about that? That’s because charging over a DC jack is normally safe, but after reading an article on the BBC website, I’ve just realized that when you charge over USB you also give access to the data connection, and a security researcher (MG) has found a way to hack the USB-C charger of an Apple laptop and show a login prompt to steal credentials (username / password).
The full details of the hack are not public, but it does require altering the hardware of the charger. So as long as you use the charger sold with your laptop, you should be safe. However, there’s always a risk if you charge from public places, or buy a charger from a third party. It’s a limited risk, but still worth keeping in mind. You can see the hack in action below.
Demo of a work in progress. I’m looking for help with writing payloads. Come chat with me at @defcon if you’d like to collaborate.
Power adapter. Silent infection. Cross platform. Not just Apple hardware.
— _MG_ (@_MG_) August 3, 2018
As mentioned in the video and tweet, it works not only with Apple hardware but with any laptop charging over USB-C. This type of hack is not really new, as “Juice-Jacking” – hacking phones over the USB connection at public charging spots – has been possible for several years, but in my case at least, the data stored on my computer(s) is much more valuable than the data stored on my phone. One obvious countermeasure is to not use your device while charging it in a public place or with a third party charger. In case the hack can be made to work without user action, a trick is to power off your phone / laptop before charging it, since the data is then not exposed on certain devices, but not on all of them. So it’s a good idea to be aware that public USB charging may not be fully secure, and whenever possible, use your own cable and charger.
Thanks to Theguyuk for the tip.
Jean-Luc started CNX Software in 2010 as a part-time endeavor, before quitting his job as a software engineering manager, and starting to write daily news, and reviews full time later in 2011.