USB Charging Actually Poses Security Risks – Hacking a Laptop via a USB-C Adapter

Smartphones have been charged over USB for many years, but with the advance of USB type-C now even laptops may be charged over USB, instead of the typical DC power barrel jack.

Why am I writing about that? That’s because charging over a DC jack is normally safe, but after reading an article on BBC website, I’ve just realized when you charge over USB you also give access to the data connection, and security researcher (MG) has found a way to hack the USB-C charger of an Apple laptop and show a login prompt to steal credentials (username / password).

Hacked USB Charger

The full details of the hack are no public, but it does require altering the hardware of the charger. So as long as you use the charger sold with your laptop, you should be safe. However, there’s always a risk if you charge from public places, or buy  a charger from a third party. It’s a limited risk, but still worth keeping in mind. You can see the hack in action below.

As mentioned in the video and tweet, it works not only with Apple hardware but any laptop charging over USB-C. This type of hack is not really new, as “Juice-Jacking” – hacking phones over the USB connection at public charging sport – has been possible for several years, but in my case at least, data stored on my computer(s) is much valuable than the data stored on my phone.  One obvious counter action is to not use your device while charging it in a public place or with a third party charger, but in case the hack can be made to work without user action, a trick is to power off your phone / laptop before charging it, then the data is not exposed on certain devices, i.e. not all. So it’s a good idea to be aware that public USB charging may not be fully secure, and whenever possible, use your own cable and charger.

Thanks to Theguyuk for the tip.

Share this:

Support CNX Software! Donate via cryptocurrencies or become a Patron on Patreon

14 Replies to “USB Charging Actually Poses Security Risks – Hacking a Laptop via a USB-C Adapter”

  1. I’ve not seen Apple use any USB c. Not common, is it?

    I’ve not seen any laptop scale device pulled up by USB, either.

    1. All new models of Apple laptops use USB Type-C / Thunderbolt 3 ports for charging/power. The MacBook has had a USB Type-C since it was introduced, as have both the 13″ and 15″ MacBook Pro Retinas with Touch bar. These devices only come with USB Type-C (usually TB3 too) and 3.5mm jack interfaces – nothing else. (My MBP 15″ with Touch bar has 4 Thunderbolt 3 ports (over USB Type-C) and a 3.5mm headphone/mic connector. Nothing else.

      The older MacBook Air and 13″ MacBook Pro Retina without Touch Bar designs still use Magsafe I think – but they are legacy designs that just get hardware bumps.

  2. It seems that mankind is doomed to repeat the same dumb mistakes over and over again.
    Most phone manufacturers learned the lesson, and deactivate data transfer over USB by default, but it seems that notebook manufacturers didn’t get the memo.

  3. I wouldn’t use any low quality/non-original Type C charger with my Dell XPS anyway for the fear of damaging it, as those chargers need somewhat complex and high quality circuits. However it’s interesting to see how having an unique port for charging, video, networking etc. can turn into a threat if it’s trusted by default. The fact that, for example, the base Macbook model has only one Type C port and needs a hub to be charged while anything else is connected makes it tricky, for example, to forbid anything that’s charging the device from acting as a USB device. Having to authorize access every time a dongle is inserted doesn’t sound great either.

  4. I wondered how long it would take, apparently not that much 🙂

    With plug-and-play OSes it’s really funny, you can present a USB-to-ethernet adapter into a USB connector, and sometimes the OS will even make a DHCP request there and present an IP address. You can sometimes expose a graphics interface, which, depending on how the machine was recently configured, may expose a copy of the current display. You can present a serial port that some OSes will detect and present you a login prompt. You can also present a second keyboard and mouse to inject keystrokes. It can also be a USB storage device hoping for the user to confuse it with another one and put his data there by accident. USB is limitless and it’s a shame we’re training people to plug it without thinking.

    1. Yeah, I was very interested in the idea of a USB-Video interface (digging produced this: https://github.com/kopasiak/f_dl_ffs), and HID combination for hacking connected devices.
      One problem with adding a video interface is that you don’t necessarily get to choose how that interface is used by the host OS. It might be mirrored by default, or you may end up with a second desktop. In the latter case, the windows that were on the original desktop may get moved to the new display, or they may not.
      A couple of other possibilities for attack via USB devices:
      Some OS’s drivers create the device node based on the serial number, which is just a string. It would be interesting to explore whether the quoting rules are well implemented.
      Also, it is possible for Windows OS’s to create a plain text printer driver if a particular descriptor is presented. That, in combination with a HID interface, could be used to transfer data back and forth across the USB.

  5. I still didn’t fully understand what is the benefit of USB charging for laptops and I mostly see downsides : not only regarding security, but it adds cost since it requires a complex circuitry for handling various voltages, and even cables now have to be authenticated, and this usb-c connector is far less robust ans future-proof than legacy round DC connectors or magsafe… (Or maybe that’s the purpose : having a weak connector that forces you to dispose and buy a new laptop every ~2 years ?)

    1. It’s just a bit more convenient. When you are back home you can connect the laptop using a single USB cable to access an external monitor, USB mass storage, maybe Ethernet, etc…

      1. They could have used a two-part connector. Like micro-USB3 which has the USB2 and the USB3-specific parts apart. Or like SATA which splits power and data. Then it would have been possible to connect power exclusively and have the ability to visually verify that the data lines are not used. At home you’d have your full-length connector for your dock. BTW, I wouldn’t be surprised if in a few months we start to see some USB-C to USB-C adapters which simply short or cut the data lines to protect your laptop against rogue PSUs 🙂

        1. As I posted down below, as far as I know you can run USB-PD with just 3 pins, ground, vbus and cc for the actual communication. I’d love to see someone try this with a breadboard and a couple of breakout USB-C connectors. Heck maybe I’ll do it, it wouldn’t be hard.

    2. Unification is a good reason to charge over USB. Remember how awful it was when every phone came with its own specific charging plug that in some cases was unique to the model let alone the brand? I got a high end PDA that included adapters for nokia barrel jacks (but only those of a specific voltage) which is ridiculous. When we standardised on micro-usb life was good.

      Laptops are in much the same state, everybody has their own barrel jack that isn’t compatible with anything else. they’re mostly on 19 or 20V but even that isn’t guaranteed. Some check their chargers for legitimacy so for instance you can’t charge a dell with a non-official charger. Awful.

      With USB-C the same charger can charge just about anything so long as the wattage rating is high enough, super simple.

      1. Isn’t there a way for USB-PD to be set up so it can communicate with other devices for negotiating charging purposes without enabling data lines? Much line a dumb charger you plug in a wall that gives you a USB port for charging, they could do something similar with a small ‘brain box’ to handle charging. Using a separate connection to the battery so the device can monitor the battery and give status updates to the OS would give some separation between the port and data storage.

        I had read recently about the possibility of hacking data from machines by measuring the amount of power they use and fluctuations, so it wouldn’t be foolproof security. Also, anyone could buy or steal an official charger, add a little board in, and swap it with your ‘original’ charger leaving you none the wiser.

        As far as the proprietary chargers like Dell, I did a lot of reading about very complicated methods to try and bypass or replicate the system used on these power bricks. Then it dawned on me, they can’t possibly run off of AC, so they must be fed power from the power supply after it is converted to DC. I bought a generic car charger and fed 19VDC from that into the wire between the power brick and the laptop, powering both. My Dell laptop recognizes the official power brick, but I can feed it solar power with the car charger. On rare occasion it will complain that the charger is incompatible if I have it charging while booting, with either solar or the original AC being used, but it did that before the modification. I’ve used it for 2 years this way with no problems so far.

        1. As far as I know, yes you can disconnect the data pins and still have negotiation happen. Negotiation happens on the CC pin while data is transmitted on UTP_Dp and UTP_Dn, at least on USB 2.0 cable with only 6 pins connected.

          As for the dell situation, maybe it’s model specific? My Dell XPS 9350 when hooked up to an old universal power brick thing I had kept warning me that it wasn’t an official charger and that it wouldn’t charge the battery off that device. It powered itself though, the battery level didn’t drop, it just didn’t rise either. No such problems with the original charger or an official one intended for a different model. No such problems with my non-official USB PD chargers either. In case you’re thinking wattage, the original was 45W, the non-official was 90W and the PD one that works is 30W so I don’t think there’s a pattern to it.

Leave a Reply

Your email address will not be published. Required fields are marked *