Chap unrolls 'USB condom' to protect against viruses A US-based chap has invented a gadget he's calling a USB condom. The prophylactic dongle is advanced as protection for the largely hypothetical problem of malware injection from fake USB chargers. Such polluted ports come in two varieties. The first got an airing at Black Hat, where researchers demonstrated a USB charger that …
I'd claim prior art on that one, it's trivial and I thought of it some time ago. However, full marks to him for making it into a product, although I do wonder how many he'll sell.
The downside is that if used with a proper USB-compliant device, it will only charge at 100mA and not negotiate 500mA (because it can't). If you want to use it with an unknown dedicated charger then it may be even worse because it will behave the same and not take advantage of the 1A typical available from the charger.
I'm surprised S4qFBxkFFg didn't get many upvotes.... If you really want to have safe clever charging, you need a controller in between that negotiates on both sides what power they want to pass, hence the complexity of this device.
All that your cheap (DX) charging cable will do is either cause 100mA charging, or overload the USB port by making the device draw (for example) 2A from a PC port because he thinks it's a dumb charger.
So clever indeed and NO prior art.... If I had a vulnerable smartphone and travel a lot, I'd get one....
Many of my cheap and cheerful gadgets came with recharging cables where the USB cable was so thin (obviously too thin to contain four wires) that it caused me to investigate. I confirmed that they were 2-wire cables. So, prior art on the hardware concept.
Marketing it in this manner is apparently clever and new, He should patent the 'Business Method', not the hardware.
Downside is removing the data cables also removes the handshaking that allows higher current. I suspect that the cable will limit charging current to 500mA (?).
Anyone else notice that in Asia they provide public 'Charging Stations' in airports, ferry terminals and almost anywhere. Meanwhile in some parts of the Americas, if you plug into a wall outlet at the airport, you'll be instantly tasered half to death and dragged off to serve 20-years.
"Anyone else notice that in Asia they provide public 'Charging Stations' in airports, ferry terminals and almost anywhere. Meanwhile in some parts of the Americas, if you plug into a wall outlet at the airport, you'll be instantly tasered half to death and dragged off to serve 20-years."
Airlines are catiching on to the idea of charging stations. Depending on the airport, you can find them for your favorite airline free of charge (DTW, for example, has plenty of them at Delta gates). As for doing this more generally, I've given it a thought. Could make for an interesting startup opportunity.
I think they did. My Bluetooth GPS dongle came with just such a cable, and you can find similar cables all over on eBay. Makes me think that it just never occurred to the manufacturers of these cables that there is a possible mass market for it!
Also, older USB controllers has this stupid requirement that requires the device to establish communication before it would provide more juice to the port. That too may have played a part in this conundrum (USB ports won't produce enough juice unless negotiation and registration has taken place, no market for such cables until 5v chargers with a USB head became common, and even then the device makers figured they could save a few cents by providing one regular USB cable for both charging and data (in other words, being a tightwad).
Also, older USB controllers has this stupid requirement that requires the device to establish communication before it would provide more juice to the port.
Not stupid at all. If you have a USB hub plugged into your PC USB port, do you really want 3-4 devices all deciding to draw 1-2 Amps each, or to have the voltage fall to 3-4v due to current limiting so that devices start to see errors? The intent of the negotiation is that a device can take 100mA without asking, but should negotiate if it wants more. The host device can then restrict the total to avoid overload.
All the "just snip the data wires" ideas will either leave you with 100mA max (for a well-designed host) or the risk of a burnt-out PSU (for a badly-designed one).
> Also, older USB controllers has this stupid requirement that requires the device to establish communication before it would provide more juice to the port.
I got around this, when using a dumb USB car charger, by plugging a pound-shop USB hub into the charger, then connecting the device into that.
I have bought about two years ago several of these kind of cables from mail order Chinese companies, costing less than 2US$ each postage paid. The type of cables which have data connections are slightly more expensive. Now they had several versions available, some have a standard USB plug and up to 10 charging connectors for the most popular type of phones, for 2.20$ including shipping One of the companies is dx dot com. So I do not understand why this is such a big invention.
Fast chargers signal their presence by tying the data lines *to each other*, not power. Tying the data lines to the power would produce amusing results. (Well... amusing to a bystander, anyway. Maybe not so amusing to the owner of the device.)
On the other hand, a USB cable with the power lines connected but the data lines open (not connected to anything) will usually result in the device not charging at all.
A friend of mine recently bought a cheap USB cable from eBay. He told me that when he first plugged it in (cable only, no device attached to the cable), his PC popped-up an "installing driver" message. He immediately unplugged the cable, threw it away and ran several anti-virus scanners on his PC.
This got me thinking - considering how SMALL they make USB memory sticks these days, it would not surprise me to find that some entrepreneurial b*stards managed to add a small memory chip to the PC end of a USB cable (under the plastic plug cover) and loaded it with malware.
Comments?
Ah, the joys of Windows' autorun? First thing (well, almost) you should do is this:
http://support.microsoft.com/kb/967715
And just go for the 0xFF hack to disable EVERYTHING that could autorun.
Still, if the cable identifies itself as something known (e.g. a mouse) then Windows will still install a driver for it without asking for your consent, and it is conceivable that a USB keyboard-like device could be used to inject commands to a system at some point. That sort of attack would also work on Linux, etc, but the attacker would have to know what system it was to successively inject badness.
Beware expensive ones as well .... there was an item a month or two back that revealed that the reassuringly expensive Apple Lightning cable contains firmware. Think in this case the "datat injection" is probably in the other direction so that new releases of iOS can update the cable with new firmware so that cheap knock-offs that fail to update properly can be refused service .... maybe someone will have to come up with IVF kits for those cables!
I'm not sure about this - wasn't the Apple cable doing a format conversion to get the data out? I seem to recall that some kind of limitation somewhere meant that the data out wasn't full resolution because of bandwidth limitation in the protocol converter in the dongle. Whatever the excuse, it looked like the apple was a bit less shiny than usual on that occasion.
you mean like these have integrated hardware in the plug?
http://www.ebay.co.uk/itm/USB-to-TTL-Serial-Cable-FTDI-chipset-UK-Designed-UK-Seller-/290973782133?pt=UK_Computing_Parallel_Serial_PS_2&hash=item43bf639075
nice pic has a clear plug so you can see the serial port uart hardware in the usb plug, and i have come across some vender specific cables where they have the driver/dongle embedded in the cable
Sorry, I can't let you do that DA--
SNIP/TEAR
OUCH! That HURTS.
RIP/CRIMP
That is NON-CONDOMNABLE
END JOY
Ahh, Dave, that is a vahzzzz deferenzzz -- My ports no longer come in two varieties... They EGGZIST in two varieties...
RIP/TEAR/CRIMP
OH, DAVE, YOUR LOVE IS A MANY-SPLINTERED THING..
ONE is the loneliest number that-chul ever...
OH DAVE, ONE SIZE REALLY DOES FITTALL
Depends on your international travelling.
There's a ridiculous array of different sockets at 100, 110, 220 or 240 volts, with different numbers of pins and so forth. 'Universal' plugs cover about 180 out of 200 countries... So if airports can standardize to the One True Port (USB at 5V DC) then that's a win.
My "traveling" universal wall-wart can handle your 90% (maybe more, I've never run across an airport where it doesn't work, anyway). It has adapters to match, naturally.
Question: How many times a year are you in the other ~10%, pray tell?
Don't have one? Metacrawl it. Useful. Recommended[1].
[1] Ta, Jerry :-)
Not really a new idea, I've made one myself by taking some wire-cutters to an existing USB cable.
Although infected wall-warts might not be a large scale problem, a some employers don't like staff charging their smart phones from the USB sockets of company PCs, in case any confidential data ends up on the phone. A condom cable addresses that.
I was deeply disappointed to learn this. The idea of an AS/400 that had a mains plug on one side and a USB socket on the other (and nothing else) is rather attractive in a weird kind of way.
In a cold winter at one company, once, we used a rack full of old PDP-11s as a large fan heater for the laboratory. People passing the window would be confronted with a huge array of red LEDs and wonder what on earth we were doing. But we were just getting the temperature up to 20C without trying to persuade Facilities that we needed more heating.
Those who are saying this device fakes negotiation to grab power are (probably) wrong.
I'd bet it just shorts the two data lines together so the device thinks its plugged into a dumb wall charger and draws the full whack.
I could even claim prior art on this one myself - I modified my n900's USB cable to include a simple switch between the two data lines to short them. Now I can plug it into a PC to charge at full speed (albeit completely flaunting the USB spec), with the added advantage that this also prevents the data lines from being used if I plug the cable into anything untrusted.
This would be useful for me at work. We have encryption on our machines that will automatically encrypt any drive plugged into the USB ports. Hence I can't charge my iPhone from USB as the internal disk would get encrypted and unusable, a few people have had phones bricked from doing this. This would save me having to carry my mains charger with me!
The problem I see with the design is that it isn't USB A male to USB A female, so it isn't a simple in-line job. It looks like it is USB A male to USB mini female, which means one needs a USB mini male to USB mini male cable - which is pretty non-standard.
This http://lockedusb.com/ on the other hand looks quite good. It is truly in-line, it does some stuff to make the connected device charge properly (courtesy of the Texas Instruments TPS2511), although this may cause it to suck too much juice from the host port.
If it were me I would have designed a board with a small USB capable microcontroller that could have negotiated a higher amperage from the supply than 100ma,. and acted as a go-between the port and the smartphone thereby protecting from malware infection but still charging a smart device the other side.
It would have to be a very specialised piece of malware to infect a microcontroller USB stack and wouldn't get them very far if they went to the effort.
This post has been deleted by its author
Simply cutting the data lines is insufficient, as they are used by charging ports to tell the device that higher power is available, by putting a DC voltage on the data lines (see http://en.wikipedia.org/wiki/USB#Charging_ports_and_accessory_charging_adapters ). It's not clear if the USB Condom handles this correctly.
There's a project on kickstarter right now called "Locked USB" ( http://www.kickstarter.com/projects/1137339450/lockedusb-adapter-usb-charger-firewall-and-power-o ), with a few days left to go, which does the same thing, essentially, and claims to allow high current / fast charging to work correctly.
It's sort of insane how phones assume that any USB cable plugged into them is trustworthy for connecting to. It was excusable in 2007, but the smartphone has been around for 5 years, and I'm amazed that phones still don't "ask permission" before connecting to something plugged into them.
"It's sort of insane how phones assume that any USB cable plugged into them is trustworthy for connecting to. It was excusable in 2007, but the smartphone has been around for 5 years, and I'm amazed that phones still don't "ask permission" before connecting to something plugged into them."
My 2010 HTC Desire Z (aka HTC Vision) can do exactly that, and I'm sure it is not alone in that. You can tell it that USB is for charging only, to pretend to be a USB stick to a computer, or to expect to find HTC Sync at the other end. Either default to one or to ask each time.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
