49 comments

[ 3.8 ms ] story [ 107 ms ] thread
I feel the easiest path around this is to use wireless charging instead of plugging into a multi-use port. As we have seen operationalized USB attacks, I don’t quite buy the premise of the article.
Wireless charging is so wasteful. We all want to save the planet we should not be wireless charging until we get a much higher efficiency setup.

Fast charging also produces a lot of waste heat. Out phones should know our patterns and for example slow charge overnight. Similar to what Apple started doing with the MacBook where it won't charge to 100% if if knows it will be attached to power.

Slow charging etc. is nice for laptops, but for phones I wouldn't even bother. If you use your phone for navigation in summer, it's very likely your phone's battery will degrade rapidly anyway due to the heat.
> We all want to save the planet we should not be wireless charging until we get a much higher efficiency setup.

I doubt that those couple of watts per phone will make a dent even if we multiply them by a billion. Wireless charging is 70% efficient in theory, but lets move to 50. So a 17 watthours battery (biggest currently in phones) would waste 17 watthours per charge - equivalent of my any of those - my induction hob, my oven, my electric water heater or my oven working for 30 seconds. Or my gaming PC for that matter.

so 7 billion people, fully charging their phone each day, the phone battery being the biggest one on the market - each year they will waste around 0.17 percent of world electricity production. But since wired charging is also not 100% efficient - if we give it 90% efficiency - this means that we are saving in that case 0.12 percent of world electricity.

I doubt that it will save the planet. The only think it will help is make some people feel righteous with symbolic gestures.

> 0.12 percent of world electricity

That seems a lot? I’d have guessed it’s a magnitude or two less

It probably is order of magnitude less in reality since I was looking at worst case - chargers are actually 70-sh percent efficient not 50 which almost halves it. Also far from everyone on the planet has a mobile phone, let alone high end flagship.

What I mean is that there are much easier fruits to pick without sacrificing even tiny bit quality of life.

The estimate was given assuming every person on the planet fully charged their phone every day.

The number's going to be higher than reality.

> Fast charging also produces a lot of waste heat.

Legit question about this, I couldn't find any references.

Does fast charging produce more waste heat than regular charging per mAh charged?

I couldn't find information on this.

It's quite obvious that fast charging makes your device hotter, but this could be just because the heat has less time to dissipate.

It's less power efficient than a cable, so trivially it's going to generate more waste heat (sure, there might be small amounts of power released as RF, but typically, innefficies in electronics result in heat).
That was not the question though. The question was the difference between fast and non-fast charging.

To get a good comparison we need to do wired fast vs wired non-fast, then wireless fast vs wireless non-fast.

> Wireless charging is so wasteful

Just how wasteful is it? 70-80% vs 9X% considering how little power phones use on average is insignificant…

You’d save what? 1-2 kWh per year at the very most? Totally irrelevant..

I googled and the first result said a pixel 4 charging from 0 to 100% takes 14 Watt hours by cable and 21 Watt hours by wireless. That’s saving maybe 60 cents of electricity in a year of charging if you run the battery right down every 2 days.

Nothing compared to the spending and pollution of gas to go a distance one could comfortably walk or bike - most vehicle journeys in the US.

Scale matters though: there are about 15 billion mobile phones in use, which means an theoretical excess power usage of 90 terrawatt-hours; about a week's worth of output for a nuclear power station.
I doubt there are 15 billion mobile phones in enough use that they are fully discharged and charged every two days. That's two for every person on the planet including including the 2Bn who are under 14 and including the billion who have no access to electricity. In electricity terms, a power shower can be 5-10KW so what you're talking about - the phone charge waste - is the equivalent of running one at 4KW for 7 seconds longer. Who is campaigning to get people to shave 30 seconds off their shower time?

Compare with the amount of money, energy waste, heat waste, pollution, of driving every journey less than 3 miles which could plausibly be biked or walked or bussed or trammed - between North America and Europe closing in on a billion people, estimate 20% of them driving 3 miles every 3 days and we're in the region of 200,000,000 miles of unnecessary driving every day and tens of millions of litres of gas/diesel burned

I believe wireless charging still has communication between the pad and the device, so you still have an attack vector
Is this true? I have never seen it.
The easiest path is to hit "no" if your phone asks whether you want to trust the device it is connected to. Problem solved.
Yeah, hackers have never bypassed a "no" prompt before.
If hackers can do anything then why even use a phone?
Because they perform functions people find vital to their daily lives?

What is the point of this question?

I'd argue keeping your phone charged is pretty vital too.
"This is, by the way, exactly how these things are supposed to work: Someone points out a vulnerability in technology and its manufacturers or developers figure out a way to fix it."

Uh.. no. It should be designed with security in mind which is obviously wasn't.

Yeah - if they were able to demonstrate this at DEFCON then it had most likely been exploited in the wild somewhere as well.
I mean… in hindsight, you could say that about almost everything, as soon as some way is found to exploit it.

I hope you don’t disagree with the idea of that once a vulnerability is disclosed, the manufacturers/developers should fix it, and that’s a good model for this fallen, insecure world of ours. Of course, the best model would be to have no security holes at all. But everyone knows how realistic that is…

Charge your power bank from the questionable USB, then charge your phone from the power bank. If your power bank supports pass-through charging you could do that, but some chipsets are actually USB hubs and don’t provide isolation.
Just use your wall plug and one of the many ubiquitous plugs for it conveniently placed all over the world.

As a bonus, no surprise compatibility issues with fast charging or anything.

"There no report about real-world juice jacking". But that doesn't mean that it does not happening right now?

I mean, how did you know that someone not copied info from your phone already?

[dead]
How do you know someone can't just do it wirelessly?
Yes, thats my question )
By that logic you should be putting your phone in a faraday bag 24/7, because even there's no evidence of a wifi/bluetooth 0day, "that doesn't mean that it does not happening right now".
We have agencies and groups that actively trying to find and patch this vulnerabilities, in your opinion, should we ignore these exact report because its impossible to verify fact of breaching?
I think juice jacking is one of those things that's about a lack of real engagement about risk. Yes it's all very 007 to plant a dodgy usb charger, but it doesn't really reflect the real threat profile in the world. If you're just an average guy the biggest risk to you of someone stealing your phone and accessing your data is having your phone out as you walk through a city and someone will just snatch it out of your hands. If you're a head of state you should be more worried about someone like the NSO group and you should be operating a whole host of security practices. And as well as all this remember - the way Stuxnet was delivered wasn't some subtley planted infected phone charger, they had a mole on the inside who inserted the infected USB stick in the full knowledge that what they were doing was breaching security.
I thought they used the Russian consultants as a vector by infecting their laptops before they went inside the airgapped system? I was under the impression that this was the reason Stuxnet spread so far and wide, because it had to spread organically to the Russians' devices. Time for a Wikipedia rabbit hole, I guess.
What about placing public, malicious chargers at the cafe across the street from the busy office building owned by a company whose data you'd really like to steal? It's sort of like the old tactic of dropping interesting-looking USB drives/CDs in the same kind of area, hoping that someone will be dumb/curious enough to plug it in.

It's about application and context.

If, as a company, you’re expecting all your employees to be opsec experts you either have 1 employee or you are planning to fail. This is like that bullshit fake “phishing” email corporate IT departments send out as a test. The only thing it proves is your attack surface is too large.
This is assuming that zero day exploit are always exposed on public. In reality huge chunks of zero day exploit only in black hat and NSA hands.
> Most phone manufacturers have since added a prompt asking the user if they’ll allow data to be exchanged.

And doing it badly. I am sometimes using external keyboard connected via a charging hub. The Android phone happily accepts keyboard input regardless of "charge only" setting.

I think by "data transfer" they mean photos/file transfer, or itunes backup/sync on ios. If you want to really get nitpicky about it, usb power negotiation counts as "data transfer".
So it's a non-issue, or what you're trying to argue?
The comment I replied to

>> Most phone manufacturers have since added a prompt asking the user if they’ll allow data to be exchanged.

>And doing it badly. I am sometimes using external keyboard connected via a charging hub. The Android phone happily accepts keyboard input regardless of "charge only" setting.

I'm pointing out that "data transfer" claim is technically true (ie. a keyboard does transfer data), but not the threat that the article describes (ie. file/media transfer). You can certainly pull off some sort of an attack with only keyboard/mouse input, but it's far harder to pull off and much more obvious.

I think it would be pretty hard for an attacker to do damage merely by sending keyboard input, particularly without the user noticing. Not impossible, but also not worth worrying about if you're not POTUS-level.
Phones behave strangely all the time even without being hacked.

Oh right, since i'm not POTUS then nothing really is at stake, merely my online identity and banking stuff and communication with kids' school and such /s

Well… I think that there are some real threats with chargers and usb cables and it’s not urban legend. Have a look at O.MG and badUSB cables over at https://mg.lol

I agree that it’s not something widespread and we’re not exposed to a real and immediate danger, since these kind of devices are used in targeted attacks, but nevertheless the technology for such things exist.

Another disingenuous article about security by people who don't understand security.

The risk may be low, but it is extant, and it is avoidable by simply not using suspicious public chargers.

Do otherwise at your own risk. These attacks were already demonstrated years ago. "Waaahh it's just a POC" sounds exactly like a desperate engineer clutching at straws. You are truly, genuinely, desperately naive if you don't think a publicly-available POC for widely-used tech that hasn't been properly addressed isn't being deployed in the real world.

Can we just filter Vox and their uninformed drivel? I cannot recall an article by them not full of errors and bias. Its hard to call them a 'news source' with a straight face, no matter your political leanings.