GUWonder

The questionable things that some people do for their jollies may not be limited by their intelligence and capabilities to be intelligent. A lot of criminal activity is a matter of an exploitation of opportunity using means acquired from earlier criminal activity ... and doing so whether or not it’s easier or harder than the precursor criminal activity or other (perhaps more financially-lucrative) criminal activity done. And the follow-up criminal activity need not even be done by the same person as stole the data in the first place.

I would have to assume that data theft from a train is simpler than from the plane since installation chances for ground-based data connectivity is cheaper, easier and more reliable to get and maintain than it would be for common carrier flights.

Who ever said that criminals are always wise in their ways? No one intelligent.

Would some governments engage in “juice-jacking”? Governments tend to be more capable than individual criminals, and some governments do allocate resources for this kind of thing.

gfunkdave

Apparently it does. I just plugged my phone into a USB port on my dock after the phone had been locked for an hour or so. It immediately started charging but a message appeared on the lock screen saying "unlock iPhone to use accessories".

I don't think the cable vendor matters these days. The Lightning connector has a vendor ID chip that is designed to ensure only Apple authorized cables work. But the encryption was broken long ago, and now I think anyone can make a working Lightning connector.

freQ

This seems like the 2019 version of RFID wallets... while possible, I'm not sure how widespread this threat is. Most public outlets are broken or loose in my experience, so I just carry around a power bank when I travel.

KRSW

This discussion popped up over on the Marriott forum last week: Are USB ports on Night Stands Safe To Use in Hotel Rooms For Charging?

here's what I wrote over there:

Wow, lots of paranoia going on out here. While a USB attack is theoretically possible, and may be possible with ancient devices, but anything modern shouldn't be affected. I don't know about AppleLand, but over on the Android side of the fence, your phone will prompt you for permission if a USB device tries to connect. Android's not been susceptible to this type of attack since early 2013 (Android 4.2.2). Even if you did 1) unlock your phone AND 2) accidentally click Yes to grant permission, you still have to 3) manually enable Developer Mode *AND* 4) turn on USB Debugging **AND** then 5) grant SSH permission. That's 5 steps, and enabling Developer Mode is a multi-step process involving hidden menus, so your average user isn't going to be accidentally enabling that.

FWIW, I use public charge ports without worrying about it, and yes, I'm the type of person that usually has a RaspPi ZeroW running as a packet/WiFi sniffer in my bag when I travel. I've never had a charge port try to establish a data connection.

The apps on your phone and websites you use are far more of a threat to your privacy and personal information than these theoretical attacks. You should see all of the things your phone does and all of the servers it connects to when it's just sitting there idle on the table. For those who are curious but not the most tech savvy, take a look at the Pi-Hole project. It lets you take a cheap RaspberryPi computer and turn it into a hardware ad blocker. BUT its logging and interface are very user friendly and you'll be amazed by what your mobile phone's doing without you knowing about it.

PAX_fips

Sorry, but this relies on the questionable fact that this android security layer cannot be bypassed.
Happens that the very old AT layer can be a vector in this:
2018: https://threatpost.com/at-command-hi...attack/136938/
2019: https://gadgets.ndtv.com/mobiles/new...huawei-2130854

I just use a 'power only' USB cable and by default BT is off. USB3 can be problematic here when
the device "needs" the data lines to control the 'turbo charging' - test before you leave home or use an AC-adapter.

About "how to get the data".. a typical malware would try to get ON the phone and so can transmit later (e.g. after landing).

der_saeufer

+1 million.

Hacking phones through USB chargers and credit card fraud via RFID are both theoretically possible to some extent, but there are vanishingly few reports of either one happening in real life, simply because if the goal is to steal people's personal information or money, there are far more efficient ways to do so.

I never use public charge ports because I don't carry a USB A-C cable and don't feel like sitting around for 3 hours to get the charge my 25g charger could deliver in 30 minutes. Who are all these people that travel without their AC chargers? (ETA: OK, I'll concede that there are some aircraft with a USB port on the monitor but no AC power, so I can get plugging in your phone while it sits in your bag--the only time you can have too much fuel is if you're on fire--but hotel rooms, restaurants, airports, etc. I don't get)

GUWonder

Many people default to approving things on/for their devices even when there is a message that some others would take as (and act upon as) a warning to proceed cautiously or to not proceed at all. Just look at how people hook up their phones to some rental cars to get a sense of what many people do.

By the way, there are also reasons to not allow for automatic updates of operating systems or apps on your devices, but most people are willing to do things or let things be that come across as convenient to them (including having phone apps which are a data sponge too). And there are also reasons not to click willy-nilly on links in emails, in electronic messages of various sorts, and in social media forum posts — FT included — but most people tend to default to what they consider convenient. Will this kind of easy/lazy behavior necessarily result in a problem? Not for all, but for some it definitely does result in a problem and it is just a matter of “when” and not a matter of “if” for many others even if not for most others.

No harm in being informed about threat vectors, but it’s also important to try to get a sense of perspective about what are the greater risks out there.

pseudoswede

I have no doubt there are probably some zero day exploits that can enable all of that without user intervention (on both Android and iOS). Then again, it's been proven that you can simply hide a wifi adapter and malicious code in a USB cable. All of these exploits are pretty much saved and targeted at extremely important and/or dangerous people, not a random USB port in an economy seat in an airplane.

That all said... today, we worry about card skimmers at ATM machines and gas station pumps. Tomorrow, we'll probably have to worry about juice jacking.

Analise

While I haven't read that Marriott thread above which you described, my starting this thread was not out of paranoia. It is to seek clarification. The media has been focused on people's bank information being compromised and thus bank accounts emptied. Does this sound like Y2K? Yup. That said, I had never heard anything until the LA County warning. As someone upthread said, if this were a real threat, why would only a county issue an alert? There was also no mention of public ports on transportation which is why I brought that up.

The contributions on this thread have been quite helpful and I thank everybody.

KRSW

FWIW, I copied and pasted the exact post from the Marriott thread on the same topic. The first handful of messages there were indeed paranoia-based, and this wasn't aimed at Analise .

I'd take warnings from non-experts with a grain of salt these days. Let's all point and laugh at the Collier County Sheriff's Office who sent out public alerts over a fictional drug made from raw sewage. Ask any airline pilot about news reporting of aviation and usually the first response you'll get are eyes rolling, followed by examples of where the media was making it sound like an aircraft was on the verge of sudden doom and crashing!!! When really, the pilot and flight were well within normal procedures, no danger at all.

TheMadBrewer

The (theoretical) danger is not they'd copy the data on your phone but install some malware that would let them have access to what is one the phone "over the air."

I have noticed that -- on Delta planes at least -- the USB port is not just power but does have a data connection. I assume this was so that you could stream content from your phone on the seat back screen or some such. There have been stories of people hacking into the Linux system that runs the IFE and it is conceivable (but not likely) that somebody might be able to gain access to your device this way. I don't loose sleep over it but I do use a "USB Condom" when I do use the seat back USB port.

DeafFlyer

If you do unlock the phone is it the same as giving permission? People say that they can only get you if you give them permission. That's why I ask the question.

docbert

What you've described is what's needed to access some form of admin-level control over the device. That's very different to, for example, allowing access to photos and other content that has been stored on the device. The steps required to give access to this content varies depending on the device/model/software, but as be as little as simply needing to have the device unlocked - or potentially not even that if you've changed the config on the phone to always allow access.

I would argue both of those are a danger. From nudes to personal documents saved in the Downloads directory there could be plenty of content on a phone that would cause issues to a person if it was leaked. Yes, malware being installed is worse, but that does require significantly more effort.

I can't speak for Apple devices, but on Android it depends on the device. On some, simply unlocking the phone is sufficient. On others, you need to manually approve every connection by default, but the defaults can be changed...

TheMadBrewer

Yes, both are dangerous. I was more responding to the guy who was saying trains and planes were not a problem because it would be difficult to retrieve the copied data.

HDQDD

I'd never plug in to a public USB. Not so much for the virus/malware reasons, but because I don't want the chance of dirty power/low amperage. Many of those ports are only 500mA. You can get a cheap power bank that will provide >=2A.