Hotel usb charging port safety

Hotel USB ports


  • Total voters
    19

Let'sgoflying!

Touchdown! Greaser!
Joined
Feb 23, 2005
Messages
20,772
Location
west Texas
Display Name

Display name:
Dave Taylor
What was the final conclusion on these?
Any real life reports/examples of nefariousness?IMG_1987.jpeg
 
For $20-$100, just buy your own travel charger and avoid the question altogether.

I never know what power situation a hotel is going to have, so I just pack to ensure I can take care of myself and not rely on anything other than a 120V outlet.
 
I bring my own charger, usually. I'm mostly not worried about the usb data, I'm concerned about the $5 outlet blowing up my computer when the voltage goes wrong. I have not seen that from a hotel port, I have seen it with discount store chargers. They do make data block usb cables and usb charge adapters, but an actual usb charger isn't that much more money, size or weight.
 
I guess that just because one is paranoid doesn’t mean they aren’t out to get one.
 
I have two of those in our guest bedroom. Could someone modify one and take over your phone? Anything is possible.

When I travel, I use my own charger.
 
While I'm aware of the potential, I don't think it's a realistic danger. For stealing such data to be useful they'd have to be doing one of two things: targeting specific individuals(celebrities, billionaires, political officials, etc) or they'd have to be mass collecting data from a large number of people. If the latter, it would have to be large scale and if any chain was doing that someone would find out and blow the whistle on it really quick. If the former, well, hopefully you already know who you are and take precautions. If anyone knows of a real world case of it happening I'd love to hear about it.

Having said all that, I have my own multi-port charger I take with me everywhere. Security worries aside, are you really going to rely on wherever you're staying having a charger for your phone?
 
I would imagine that (reputable) hotels would be fine to use their USB charging. The risk from a cheap USB would have to be unacceptable when you consider the inevitable costs that would result if it caused a fire. Loss of revenue from damaged room, cost to repair the room, and that is before we talk about any lawsuit from occupants. Further, I think if there was a substandard USB used that the insurance company would decline to cover the costs, so it would come back to the company.

For myself, I use wireless chargers, so even if we had a nefarious connection there, their outlet is connect to a wireless charger that then connects to my phone. Not saying it can't be done, because there are some really smart people out there, but I am not aware of anyone able to use a wireless charger to extract data.
 
I bring a charging port, but I'll use ones that exist. The only to "sentient" devices I have warn me if someone tries to transfer data rather than just providing power. I do have other things that they can have fun trying to talk to like my hearing air charger, my noise cancelling headphones, etc.
 
I bring my own and never use the one the hotel provides
 
I read the initial reports of this threat, and then the follow-on reports that say it's way overstated as a risk. I stay in hotel rooms about 8 nights a months, so it's of some interest to me, but I'm not concerned. Here's why:

Think about it - in hotels, these USB ports are usually in either a charging block (like in the OP's picture), or a clock with USB ports, or the lamp base, or built into a desk. To provide the power, this unit is then plugged into the wall. So if the unit is stealing data, it can't be transmitting it along the 120V lines (well, it technically could, but that requires even more complexity). It has to be either saving it internally or transmitting it somewhere. Saving it internally would require somebody going around to retrieve the data, and transmitting it somewhere would require something akin to a built-in cellphone. And, of course, someone on the other end receiving it. So we're talking about significant cost here. Especially since with a hotel room, you never know who is going to be staying in what room, whether they're actually going to use the USB ports, or whether they have any data worth stealing. The chances on any given night getting someone that matches all three conditions are likely very very low - but the cost of the equipment and monitoring is incurred whether or not you get any useful data. And you'd pretty much have to "bug" every room in the hotel. If there was such a large-scale thing going on, it would certainly make the news.

So it's a pretty high cost and low probability of success, which says to me it's not very likely. Far, far easier for the criminals to send out spam emails - also a fairly low probability of success, but virtually zero cost.

I could possibly see this type of USB hacking at a hotel in downtown DC where politicians and international dignitaries and such stay, but those are exactly the kind of people that would (should) be more aware of this kind of thing anyway.

But most importantly to me, in my experience, the USB ports are usually pretty low power for charging a phone or tablet - so I'll use my own for that anyway. I will plug in my earbuds or watch if I need to, I mean if the Russians want my workout history they're welcome to it.
 
You'd have more to worry about using the hotel WIFI which nobody seems to bat an eye over.
 
I would not worry about the charger...the tv remote is listening to your every word while the hidden cameras are watching you.
Some of my colleagues work in Russia and always stay in the same hotel. They joke about how their room is very safe from fire, because it has nine smoke detectors in it.
 
So if the unit is stealing data, it can't be transmitting it along the 120V lines (well, it technically could, but that requires even more complexity). It has to be either saving it internally or transmitting it somewhere. Saving it internally would require somebody going around to retrieve the data, and transmitting it somewhere would require something akin to a built-in cellphone. And, of course, someone on the other end receiving it. So we're talking about significant cost here.
Or it could install malware that makes your phone talk directly to a remote host.
 
Or it could install malware that makes your phone talk directly to a remote host.

Oh sure, there are lots of ways it could be done, but my point was it's not very likely given the low probability of success and high implementation cost.
 
Oh sure, there are lots of ways it could be done, but my point was it's not very likely given the low probability of success and high implementation cost.
The implementation cost is trivial.
 
The greater concern than hotel USB chargers is airport USB chargers. They get massive usage and have been known to be hacked.
 
You'd have more to worry about using the hotel WIFI which nobody seems to bat an eye over.
Correct. Which is why I refuse to use most complimentary wifi anywhere. Unlimited data plan for phone & iPad and click the hotspot on if my laptop needs it.
 
Saving it internally would require somebody going around to retrieve the data, and transmitting it somewhere would require something akin to a built-in cellphone. And, of course, someone on the other end receiving it. So we're talking about significant cost here.
A wifi chip with antenna is about the size of your pinky nail and costs about a quarter. Collecting the data would be trivial.

that’s not to suggest that I’m concerned about this attack vector. They are getting more data than they can deal with already without doing this.
 
A wifi chip with antenna is about the size of your pinky nail and costs about a quarter. Collecting the data would be trivial.

that’s not to suggest that I’m concerned about this attack vector. They are getting more data than they can deal with already without doing this.

I think that's my point though. 25 cents might be cheap, but it's thousands (millions?) of times more expensive than email or text spam. And for that you don't even have to leave your spam headquarters. To do the USB port trick takes some labor away from home at some point in the process. It's comparatively very inefficient.
 
Looks like outside of an old Defcon demo, “there are no documented cases of juice jacking ever taking place in the wild.”

That said, if staying in certain hotels in Russia or China, I might still use my own charger.

https://arstechnica.com/information...ic-charging-stations-needs-to-stop-heres-why/

My employer before I retired specified that only burner phones and laptops could be taken into China. Well, not so much 'burner' as dedicated hardware devoid of data or much of anything useful. My division didn't interact with Russia, so I don't know if the policy would have been the same.
 
My employer before I retired specified that only burner phones and laptops could be taken into China. Well, not so much 'burner' as dedicated hardware devoid of data or much of anything useful. My division didn't interact with Russia, so I don't know if the policy would have been the same.
We have encrypted drives. I leave most of my work on the network drives anyway because it is backed-up daily. The Chinese won't learn much from me that they can't get from journals anyway.
 
Trying to discern if something is likely by how cost effective the technique is isn't a valid method, for three reasons. First, because some of the people playing in this space have really high budgets and don't care. Second, and probably more relevant, because bad people are often really terrible at math. It's not unusual for people to spend 10x+ what they will bring in, because they're not bright. Finally, the costs involved can sometimes be way lower than you'd think. For a USB attack, I'd expect a USB auto install driver or auto-run vulnerability would be the easiest way in, especially against a Windows computer.

As far as overseas travel, the primary risk we see is that you almost always have to hand the device to customs for inspection on the way in, sometimes demonstrating it runs. So the expectation should be that software will be installed on the device at that point to compromise the data. And for some countries, China included, anything you do remotely while in that country is going to be captured. Not might, but will be, regardless of the security that you might have in place. This extends to "secure portals" run by US companies in that country. Some maintain data centers inside that country for access while in the country, which comply with Chinese law. That means monitoring is conducted. My current job, and it's not all that high security, I can't take an issued device outside of CONUS.

Wifi access? I mostly use my phone's hotspot. If I'm at an FBO or other place with wifi with PSK I'll use that. I generally - almost never - use the captive portals. Hate them. For my personal devices I don't use a VPN. The only point I see of a commercial VPN is getting content that is blocked in your current area, and I don't do that.
 
My employer before I retired specified that only burner phones and laptops could be taken into China. Well, not so much 'burner' as dedicated hardware devoid of data or much of anything useful. My division didn't interact with Russia, so I don't know if the policy would have been the same.
When going out to dinner in China, I would leave a stray thread or piece of lint on top of my laptop in the hotel room safe, only to see it under my laptop when I returned.

Enough said.
 
Trying to discern if something is likely by how cost effective the technique is isn't a valid method, for three reasons. First, because some of the people playing in this space have really high budgets and don't care. Second, and probably more relevant, because bad people are often really terrible at math. It's not unusual for people to spend 10x+ what they will bring in, because they're not bright. Finally, the costs involved can sometimes be way lower than you'd think. For a USB attack, I'd expect a USB auto install driver or auto-run vulnerability would be the easiest way in, especially against a Windows computer.

As far as overseas travel, the primary risk we see is that you almost always have to hand the device to customs for inspection on the way in, sometimes demonstrating it runs. So the expectation should be that software will be installed on the device at that point to compromise the data. And for some countries, China included, anything you do remotely while in that country is going to be captured. Not might, but will be, regardless of the security that you might have in place. This extends to "secure portals" run by US companies in that country. Some maintain data centers inside that country for access while in the country, which comply with Chinese law. That means monitoring is conducted. My current job, and it's not all that high security, I can't take an issued device outside of CONUS.

Wifi access? I mostly use my phone's hotspot. If I'm at an FBO or other place with wifi with PSK I'll use that. I generally - almost never - use the captive portals. Hate them. For my personal devices I don't use a VPN. The only point I see of a commercial VPN is getting content that is blocked in your current area, and I don't do that.

Not to disagree, but I doubt much of that applies when staying at a Motel 6 in the middle of nowhere...
 
Not to disagree, but I doubt much of that applies when staying at a Motel 6 in the middle of nowhere...

:) I agree with that! With the minor caveat that malicious people are roughly randomly distributed in the environment, or at least that's been my experience.
 
When going out to dinner in China, I would leave a stray thread or piece of lint on top of my laptop in the hotel room safe, only to see it under my laptop when I returned.

I think you have to affix a telltale to an object, otherwise the air currents produced by opening the safe door could easily swirl it around, even putting it underneath the laptop.
At least, that's what I learned in spy school. Which I attended with Bond.
 
When going out to dinner in China, I would leave a stray thread or piece of lint on top of my laptop in the hotel room safe, only to see it under my laptop when I returned.

Enough said.

and the well-trained agents will look for telltales before moving things...
 
You'd have more to worry about using the hotel WIFI which nobody seems to bat an eye over.
You can get around those problems if you pick up one of the Travel Routers. These are fairly inexpensive but permits you to hide behind your own router with your one SSID and password with the option of connecting your laptop to that with Ethernet. I picked up one from Amazon and love it.
 
You can get around those problems if you pick up one of the Travel Routers. These are fairly inexpensive but permits you to hide behind your own router with your one SSID and password with the option of connecting your laptop to that with Ethernet. I picked up one from Amazon and love it.

somehow I can't shake the thought that those Travel Routers are made in

wait for it


wait for it


wait for it



China
 
Stealing data is highly unlikely with modern mobile OSes that are much more wary of random USB connections than the early days. That threat model requires a sophisticated attacker to pull off.

I rarely use public USB chargers simply because they are often providing crap DC 5V power which can mess with the digitizer and is not as good for the battery as a high quality power brick.
 
Stealing data is highly unlikely with modern mobile OSes that are much more wary of random USB connections than the early days. That threat model requires a sophisticated attacker to pull off.

I rarely use public USB chargers simply because they are often providing crap DC 5V power which can mess with the digitizer and is not as good for the battery as a high quality power brick.

the better the OS security, the more the attacks focus on IO*

*IO - incompetent operator
 
I like to carry my own chargers, works when you’re waiting out weather at an FBO. Some hotels don’t have enough plugs for all my portable devices.
 
I never worried about it much domestically. But international? Defintely paid attention and did not plug into USB ports. I have a couple of "power only" cables as well. But I worked in defense contracting and we were frequently targeted overseas. Cost is not an object nor a detriment in that environment.
 
Back
Top