Hotel usb charging port safety

Let'sgoflying!

Display name:
Dave Taylor
What was the final conclusion on these?
Any real life reports/examples of nefariousness?
[Attached image: IMG_1987.jpeg]
 
For $20-$100, just buy your own travel charger and avoid the question altogether.

I never know what power situation a hotel is going to have, so I just pack to ensure I can take care of myself and not rely on anything other than a 120V outlet.
 
I bring my own charger, usually. I'm mostly not worried about the usb data, I'm concerned about the $5 outlet blowing up my computer when the voltage goes wrong. I have not seen that from a hotel port, I have seen it with discount store chargers. They do make data block usb cables and usb charge adapters, but an actual usb charger isn't that much more money, size or weight.
 
I guess that just because one is paranoid doesn’t mean they aren’t out to get one.
 
I have two of those in our guest bedroom. Could someone modify one and take over your phone? Anything is possible.

When I travel, I use my own charger.
 
While I'm aware of the potential, I don't think it's a realistic danger. For stealing such data to be useful they'd have to be doing one of two things: targeting specific individuals (celebrities, billionaires, political officials, etc.) or they'd have to be mass collecting data from a large number of people. If the latter, it would have to be large scale and if any chain was doing that someone would find out and blow the whistle on it really quick. If the former, well, hopefully you already know who you are and take precautions. If anyone knows of a real world case of it happening I'd love to hear about it.

Having said all that, I have my own multi-port charger I take with me everywhere. Security worries aside, are you really going to rely on wherever you're staying having a charger for your phone?
 
I would imagine that (reputable) hotels would be fine to use their USB charging. The risk from a cheap USB would have to be unacceptable when you consider the inevitable costs that would result if it caused a fire. Loss of revenue from damaged room, cost to repair the room, and that is before we talk about any lawsuit from occupants. Further, I think if there was a substandard USB used that the insurance company would decline to cover the costs, so it would come back to the company.

For myself, I use wireless chargers, so even if we had a nefarious connection there, their outlet is connected to a wireless charger that then connects to my phone. Not saying it can't be done, because there are some really smart people out there, but I am not aware of anyone able to use a wireless charger to extract data.
 
I bring a charging port, but I'll use ones that exist. The only two "sentient" devices I have warn me if someone tries to transfer data rather than just providing power. I do have other things that they can have fun trying to talk to like my hearing aid charger, my noise cancelling headphones, etc.
 
I bring my own and never use the one the hotel provides.
 
I read the initial reports of this threat, and then the follow-on reports that say it's way overstated as a risk. I stay in hotel rooms about 8 nights a month, so it's of some interest to me, but I'm not concerned. Here's why:

Think about it - in hotels, these USB ports are usually in either a charging block (like in the OP's picture), or a clock with USB ports, or the lamp base, or built into a desk. To provide the power, this unit is then plugged into the wall. So if the unit is stealing data, it can't be transmitting it along the 120V lines (well, it technically could, but that requires even more complexity). It has to be either saving it internally or transmitting it somewhere. Saving it internally would require somebody going around to retrieve the data, and transmitting it somewhere would require something akin to a built-in cellphone. And, of course, someone on the other end receiving it. So we're talking about significant cost here. Especially since with a hotel room, you never know who is going to be staying in what room, whether they're actually going to use the USB ports, or whether they have any data worth stealing. The chances on any given night getting someone that matches all three conditions are likely very very low - but the cost of the equipment and monitoring is incurred whether or not you get any useful data. And you'd pretty much have to "bug" every room in the hotel. If there was such a large-scale thing going on, it would certainly make the news.

So it's a pretty high cost and low probability of success, which says to me it's not very likely. Far, far easier for the criminals to send out spam emails - also a fairly low probability of success, but virtually zero cost.

I could possibly see this type of USB hacking at a hotel in downtown DC where politicians and international dignitaries and such stay, but those are exactly the kind of people that would (should) be more aware of this kind of thing anyway.

But most importantly to me, in my experience, the USB ports are usually pretty low power for charging a phone or tablet - so I'll use my own for that anyway. I will plug in my earbuds or watch if I need to, I mean if the Russians want my workout history they're welcome to it.
 
You'd have more to worry about using the hotel WIFI which nobody seems to bat an eye over.
 
So if the unit is stealing data, it can't be transmitting it along the 120V lines (well, it technically could, but that requires even more complexity). It has to be either saving it internally or transmitting it somewhere. Saving it internally would require somebody going around to retrieve the data, and transmitting it somewhere would require something akin to a built-in cellphone. And, of course, someone on the other end receiving it. So we're talking about significant cost here.
Or it could install malware that makes your phone talk directly to a remote host.
 
Or it could install malware that makes your phone talk directly to a remote host.

Oh sure, there are lots of ways it could be done, but my point was it's not very likely given the low probability of success and high implementation cost.
 
Oh sure, there are lots of ways it could be done, but my point was it's not very likely given the low probability of success and high implementation cost.
The implementation cost is trivial.
 
The greater concern than hotel USB chargers is airport USB chargers. They get massive usage and have been known to be hacked.
 
You'd have more to worry about using the hotel WIFI which nobody seems to bat an eye over.
Correct. Which is why I refuse to use most complimentary wifi anywhere. Unlimited data plan for phone & iPad and click the hotspot on if my laptop needs it.
 
Saving it internally would require somebody going around to retrieve the data, and transmitting it somewhere would require something akin to a built-in cellphone. And, of course, someone on the other end receiving it. So we're talking about significant cost here.
A wifi chip with antenna is about the size of your pinky nail and costs about a quarter. Collecting the data would be trivial.

That’s not to suggest that I’m concerned about this attack vector. They are getting more data than they can deal with already without doing this.
 
A wifi chip with antenna is about the size of your pinky nail and costs about a quarter. Collecting the data would be trivial.

That’s not to suggest that I’m concerned about this attack vector. They are getting more data than they can deal with already without doing this.

I think that's my point though. 25 cents might be cheap, but it's thousands (millions?) of times more expensive than email or text spam. And for that you don't even have to leave your spam headquarters. To do the USB port trick takes some labor away from home at some point in the process. It's comparatively very inefficient.
 
Looks like outside of an old Defcon demo, “there are no documented cases of juice jacking ever taking place in the wild.”

That said, if staying in certain hotels in Russia or China, I might still use my own charger.

https://arstechnica.com/information...ic-charging-stations-needs-to-stop-heres-why/

My employer before I retired specified that only burner phones and laptops could be taken into China. Well, not so much 'burner' as dedicated hardware devoid of data or much of anything useful. My division didn't interact with Russia, so I don't know if the policy would have been the same.
 
My employer before I retired specified that only burner phones and laptops could be taken into China. Well, not so much 'burner' as dedicated hardware devoid of data or much of anything useful. My division didn't interact with Russia, so I don't know if the policy would have been the same.
We have encrypted drives. I leave most of my work on the network drives anyway because it is backed-up daily. The Chinese won't learn much from me that they can't get from journals anyway.
 
Trying to discern if something is likely by how cost effective the technique is isn't a valid method, for three reasons. First, because some of the people playing in this space have really high budgets and don't care. Second, and probably more relevant, because bad people are often really terrible at math. It's not unusual for people to spend 10x+ what they will bring in, because they're not bright. Finally, the costs involved can sometimes be way lower than you'd think. For a USB attack, I'd expect a USB auto install driver or auto-run vulnerability would be the easiest way in, especially against a Windows computer.

As far as overseas travel, the primary risk we see is that you almost always have to hand the device to customs for inspection on the way in, sometimes demonstrating it runs. So the expectation should be that software will be installed on the device at that point to compromise the data. And for some countries, China included, anything you do remotely while in that country is going to be captured. Not might, but will be, regardless of the security that you might have in place. This extends to "secure portals" run by US companies in that country. Some maintain data centers inside that country for access while in the country, which comply with Chinese law. That means monitoring is conducted. My current job, and it's not all that high security, I can't take an issued device outside of CONUS.

Wifi access? I mostly use my phone's hotspot. If I'm at an FBO or other place with wifi with PSK I'll use that. I generally - almost never - use the captive portals. Hate them. For my personal devices I don't use a VPN. The only point I see of a commercial VPN is getting content that is blocked in your current area, and I don't do that.
 
My employer before I retired specified that only burner phones and laptops could be taken into China. Well, not so much 'burner' as dedicated hardware devoid of data or much of anything useful. My division didn't interact with Russia, so I don't know if the policy would have been the same.
When going out to dinner in China, I would leave a stray thread or piece of lint on top of my laptop in the hotel room safe, only to see it under my laptop when I returned.

Enough said.
 
Trying to discern if something is likely by how cost effective the technique is isn't a valid method, for three reasons. First, because some of the people playing in this space have really high budgets and don't care. Second, and probably more relevant, because bad people are often really terrible at math. It's not unusual for people to spend 10x+ what they will bring in, because they're not bright. Finally, the costs involved can sometimes be way lower than you'd think. For a USB attack, I'd expect a USB auto install driver or auto-run vulnerability would be the easiest way in, especially against a Windows computer.

As far as overseas travel, the primary risk we see is that you almost always have to hand the device to customs for inspection on the way in, sometimes demonstrating it runs. So the expectation should be that software will be installed on the device at that point to compromise the data. And for some countries, China included, anything you do remotely while in that country is going to be captured. Not might, but will be, regardless of the security that you might have in place. This extends to "secure portals" run by US companies in that country. Some maintain data centers inside that country for access while in the country, which comply with Chinese law. That means monitoring is conducted. My current job, and it's not all that high security, I can't take an issued device outside of CONUS.

Wifi access? I mostly use my phone's hotspot. If I'm at an FBO or other place with wifi with PSK I'll use that. I generally - almost never - use the captive portals. Hate them. For my personal devices I don't use a VPN. The only point I see of a commercial VPN is getting content that is blocked in your current area, and I don't do that.

Not to disagree, but I doubt much of that applies when staying at a Motel 6 in the middle of nowhere...
 
Not to disagree, but I doubt much of that applies when staying at a Motel 6 in the middle of nowhere...

:) I agree with that! With the minor caveat that malicious people are roughly randomly distributed in the environment, or at least that's been my experience.
 
When going out to dinner in China, I would leave a stray thread or piece of lint on top of my laptop in the hotel room safe, only to see it under my laptop when I returned.

I think you have to affix a telltale to an object, otherwise the air currents produced by opening the safe door could easily swirl it around, even putting it underneath the laptop.
At least, that's what I learned in spy school. Which I attended with Bond.
 
When going out to dinner in China, I would leave a stray thread or piece of lint on top of my laptop in the hotel room safe, only to see it under my laptop when I returned.

Enough said.

and the well-trained agents will look for telltales before moving things...
 
You'd have more to worry about using the hotel WIFI which nobody seems to bat an eye over.
You can get around those problems if you pick up one of the Travel Routers. These are fairly inexpensive but permit you to hide behind your own router with your one SSID and password with the option of connecting your laptop to that with Ethernet. I picked up one from Amazon and love it.
 
You can get around those problems if you pick up one of the Travel Routers. These are fairly inexpensive but permit you to hide behind your own router with your one SSID and password with the option of connecting your laptop to that with Ethernet. I picked up one from Amazon and love it.

somehow I can't shake the thought that those Travel Routers are made in

wait for it


wait for it


wait for it



China
 
Stealing data is highly unlikely with modern mobile OSes that are much more wary of random USB connections than the early days. That threat model requires a sophisticated attacker to pull off.

I rarely use public USB chargers simply because they are often providing crap DC 5V power which can mess with the digitizer and is not as good for the battery as a high quality power brick.
 
Stealing data is highly unlikely with modern mobile OSes that are much more wary of random USB connections than the early days. That threat model requires a sophisticated attacker to pull off.

I rarely use public USB chargers simply because they are often providing crap DC 5V power which can mess with the digitizer and is not as good for the battery as a high quality power brick.

the better the OS security, the more the attacks focus on IO*

*IO - incompetent operator
 
I like to carry my own chargers, works when you’re waiting out weather at an FBO. Some hotels don’t have enough plugs for all my portable devices.
 
I never worried about it much domestically. But international? Definitely paid attention and did not plug into USB ports. I have a couple of "power only" cables as well. But I worked in defense contracting and we were frequently targeted overseas. Cost is not an object nor a detriment in that environment.
 