The porta-power ones you can see the physical USB data connections are absent, so probably safe even if free. But for anything else with those connections still there, free or paid, I'd be suspicious, unless I cut the data wires myself.
I've been carrying an earlier version of those in each bag many years.
They also make guaranteed data-blocking cables cables, but getting the blocker as a dongle means I can carry it plus a data cable for my phone, and not have to carry 2 cables.
(When I do find an unmarked USB cable that appears to be charging-only, like that came with a used phone and a firestarter wallwart, I destroy it.)
I bought one for the car because I wanted to use a very short USB cable with a 90° plug which didn't exist as a charging-only cable.
I think it's funny how one thinks that damaging the cable sheath just to cut two cables makes one end up with a proper charging-only cable which one would actually like to carry around.
I've seen enough Apple Lightning cables which are damaged near the connector where I always think: what kind of people are these who are okay with this?
I do cut USB cables, but it's for tinkering and not for normal use.
OK, so the FBI is on this. Are they doing something about the problem? Like finding these things, tearing them down, and finding what they're doing and where the data is going. Or are they just issuing press releases?
If someone managed to install something like this in a wall plate in an airport, they could be doing far worse things to the airport infrastructure. Homeland Security should be looking for these things, with people plugging testers into USB power outlets. If they talk on the data lines at all, there's something funny going on.
They install them in cars, airplanes, and airports already. I'd bet in the future we'll hear from some whistleblower about how three-letter agencies are using data available through those connections for surveillance purposes.
Power-only USB cables exist if you're still charging a device with a charge port other than USB-C. It does seem that part of the push for USB-C is to ensure that data connectivity is always available for in-/exfiltration.
>The tweet's message that public USB ports have been used by "bad actors"
The tweet doesn't say that, it just says that "bad actors" have developed methods of using USB ports for nefarious purposes. Which has been known for over a decade now, but I don't think there's ever been a recorded case of it being done in the wild.
It doesn't seem like the kind of attack that would be easy to hide either, unless accompanied by some zero day that bypasses the accept data transfer prompt.
That's nonsense. Like half the people in this thread seem willing to use a public charger and would find it odd if it requested data access.
I admit that the percentage of people that would do that is low, but even at like .1% that's one in a thousand which a public charge station could see hundreds to thousands of users per week. If these were around they'd be spotted.
At best 1% of people in this thread would be capable of noticing a well mounted attack of this sort, and I assure they would not be using a random charging station :) (Or they will do it with device locked or turned off, which mitigates the attack but also means they wouldn't find out about it.)
Many devices do not request data access for an input accessory like a mouse-- and if you gain input you can dismiss the popup instantly in your exploit.
Also, many people might not pay attention to that popup.
>and I assure they would not be using a random charging station
Have you read the thread? Plenty of people are saying this risk is overblown and not to worry. The top 3 comments all express this sentiment.
>and if you gain input you can dismiss the popup instantly in your exploit.
Do you think using a mouse on an unlocked phone would go unnoticed? There's also a fair amount of disagreement over whether a mouse will work without input.
We've had security researchers notice USB device attacks on computers, the same sort of attack except it will likely only hit one person. This kind of large scale attack where thousands have the chance to notice would be observed.
>It doesn't seem like the kind of attack that would be easy to hide either, unless accompanied by some zero day that bypasses the accept data transfer prompt.
If your concern is zero days, nothing you do with your phone is safe. Making a big deal about this one thing seems silly. A similar thing if your concern is nation states, like in the Stuxnet attack.
You're also safer if you leave your phone in airplane mode, or better yet off. Juice jacking is possible, but there's no evidence it's been deployed. A zeroclick attack seems like a much bigger threat, and I can't do much against that.
>If you live in the middle of USA you are probably OK but many people live in or near nation states that could totally install juice jackers centrally.
You're missing the point. If your adversary is a nation state, you're already screwed. They have better methods of attack than hoping you need to battery is low in some specific location.
edit let's assume I run a criminal organization and want to effectively use juice jacking. My first step would be to purchase several expensive zero days, and then develop some kind of software to launch it and to assure only phones susceptible to them get targeted, otherwise people will quickly notice something's wrong.
Then I need to get access to real estate in a high traffic area, where I'll need to buy electricity and run some kind of data server. Then I'll need to get people to sift through the resulting data, and the "payoff" is what, banking details or credit cards? Attacking an ATM seems way easier.
> You're also safer if you leave your phone in airplane mode, or better yet off.
The goal is not to eliminate phone use but to use it safer.
> You're missing the point. If your adversary is a nation state, you're already screwed. They have better methods of attack than hoping you need to battery is low in some specific location.
Being individually targeted you'd have to do a lot more, lockdown mode and all that. Juice jacking from a charging device in a public place is a mass attack, and the measure is very simple-- don't use public USB ports.
> edit let's assume I run a criminal organization and want to effectively use juice jacking.
If your criminal organization is also the government then it's a bit easier than what you describe.
> assure only phones susceptible to them get targeted, otherwise people will quickly notice something's wrong
The attacker simply disconnects data if exploit doesn't work right away. Not many people would notice a split second of a popup.
>If your criminal organization is also the government then it's a bit easier than what you describe.
The real estate part is, the rest isn't.
And without the financial incentive the benefit becomes unclear. Presumably spying, but you're either hoping to randomly get a high profile target or needing to trawl through a truly massive amount of data for some unknown potential benefit.
There are better methods of individual targeting and mass surveillance available to the state.
Mass surveillance running real-time face and gait recognition from millions of cctvs is where massive data is. But that surveillance won't tell you who's e2e messaging journalists, you gotta get into the device for that. Physically getting a hold of the phone is hard and NSO won't sell you Pegasus. Moreover you don't even know who are the "bad guys" with inconvenient opinions to start with. But set up a juice jacker and targets come to you. If you get a few dissidents and their contacts, a few of the wrong religion, a handful of your regular civilians who are traveling abroad and can be blackmailed into spying with spicy photos from the hidden folder. Small amounts of data and much boost for your hot career as a despicable dictator.
is there any reason to believe that this is a problem, at all, with modern phones? or is the FBI just warning us about a problem that existed a decade ago and has now been solved.
as far as i know, any somewhat recent version of either android or iOS connect in a charge-only mode to any untrusted USB port. if you want to connect in a way that allows data to flow over the connection, you have to accept a prompt in the phone. should i be worried that this system has been compromised?
I suppose there could be some elaborate set of exploits which nullifies the protected pathway, but it seems a stretch that it would be used in a generic fashion to grab randoms at the airport.
Personally, I never use public usb ports because I think it is more likely that some jerk has wired up the port to 120V. Circumventing the OS protection to grab my data feels seems less likely than chaotic destruction.
You could use one of those small usb voltage meter devices to check the port before plugging in your phone. Depending upon the model it may also nullify the data pins.
That sounds like it could lead to an interesting conversation with airport security later when trying to board the plane. "That? Oh, that is just for checking charging ports..."
you'd think that, but i've never had a problem flying with homemade electronics. security has their list of banned things, and if it's not specifically on the list they don't care.
or at least, that's been my experience as an average looking white guy. it's probably not true for everyone.
> Personally, I never use public usb ports because I think it is more likely that some jerk has wired up the port to 120V.
I don't, because while that's unlikely, what is almost certain is that the port only does charging at the lowest default voltage/amperage, which for at least 5 years now is not enough to charge a smartphone on standby.
The "charge only" option has been there for over a decade. The fact that, at least on my generic Android it causes the USB host to not even see a device being connected, almost as if the USB controller is completely disconnected, suggests that it's unlikely to be attackable via software means. As the sibling comment mentions, physical damage is still possible by overvolting or similar.
I suppose a charitable understanding of this “warning” is that less savvy users (e.g., my parents) may blindly accept the iPhone prompt to allow a connection to do non-charging (nefarious) things?
Between the advances in modern phone battery life over the years, and the relative affordability (cost, size, weight) of USB batteries, I can't recall the last time I actually used public ports. Why be tethered to a port on a wall when you can walk anywhere with an external battery temporarily in your back pocket or backpack? Get a battery that supports fast charging, and you'll be able to recharge a lot faster than most of those public ports anyway.
Depends on what you mean by a "public port". For example if I'm sitting on a train / plane / airport, I'm going to charge from there rather than using my own battery, even if I have it.
No, OP refers to the charging function. I'm calling out the USB stack these are different things.
Maybe this discussion is too nuanced for HN. Best we just tow the line, and agree that phishing and websploits is the biggest problem and other issues are not worth addressing even when we can.
USB is just the tip of the iceberg at the bottom of the stack. It's possible to restore and synchronize contents to and from Apple and Android phones to a computer over USB. The attack surface is therefore the OS and applications as well as the hardware including firmware of chips.
But doing so, at least on an Apple device, requires me to explicitly say I trust the USB port I’ve plugged in to. Maybe some people would do that, but I’m sure as hell not going to blindly approve that when charging my phone on the bus.
The important news here is that someone at the FBI thought it was a real threat and worth telling us all about it.
What's going over there I wonder?
It's like this guy I used to work for. Anytime someone would ask him to make a pdf copy of a document he would print it out, scan it on the copier and email it to himself.
There has to be some of those types over there. This came from their desk.
> Anytime someone would ask him to make a pdf copy of a document he would print it out, scan it on the copier and email it to himself.
That's a pragmatic strategy to ensure that sensitive information isn't leaked.
Other than potentially including useful vector formats of artwork such as seals, logos and signatures, the visibility and/or mask settings can easily hide sensitive information that is trivial to extract later with standard vector editing software.
The print+scan method ensures that the person sharing the file is fully aware of exactly what is being handed over. It also deals with redactions which were not implemented properly.
A paranoid person would point out that information can be encoded in a way that is not lost when printing / scanning too, just with more effort. Of course I'm not such a person. ;)
Yet redaction failures are just one of many ways that a PDF can overshare, simply printing and scanning it solves a great many problems. I think it's a good approach for people who aren't tech savvy, especially with longer documents.
1) Print
2) Cut out the parts you want to leave out (blacking them with a market might leave an opening for revealing them via some contrast tweaking)
3) Scan
Easy to explain, easy to implement, easy to remember.
Make sure those cuts are done sloppily. If you know what the font is, it's possible to derive details about the text that was redacted using kerning information. This matters more for digital redaction, even if the data is actually removed and not just covered with black rectangles.
It's not news though. "FBIDenver" tweeted a PSA about avoiding public charging stations on April 6th of this year. When asked if they'd sent the tweet due to new threat intel, they revealed that no, there was no new intel, they were just rehashing an FCC report from 2019.
Many (most?) mobile devices still support connecting HID devices such as keyboards and sometimes also mice without confirmation.
Emulate one of those, navigate through settings and change things to your liking, then optionally initiate a disconnect/reattach as another device type of your choice, and boom.
Even when they do, humans are not particularly reliable in that regard. Many carbon-based computers have been conditioned to answer "Yes/Approve/Allow/etc." to all the annoying little pop-up questions that modern silicon-based computer crap force-feeds them.
Can't the charger emulate a mouse/keyboard? It can also add a mass storage and confirm its usage with mouse. It's a bus after all.
Edit: just checked - it's indeed possible with Android 14. Connecting a mouse doesn't require any confirmation. As long as the phone is unlocked, you can adjust the USB settings with that mouse.
The standard usb data pins are not used to negotiate the power profiles. The pins used for negotiating power profiles should be much safer, with fewer venues for exploit. Maybe not impossible in all cases, but it’s trivial to design a system that could not be exploited via the power negotiation pins.
Are ther packs that support pass through charging robustly? I have tried with three different ones and two do this sporadically and the last one lenovo go, seems to support it only from the male plug, which is next to useless. Or at least I do not have a single usb A male - usb - c female cable that would be required in most cases.
I'm using Xiaomi 20,000 mAh power bank, and passthrough works great.
Mine only supports 18W out, when I have my 30W charger plugged in, the power bank charges as well.
Those are extra instructions that only apply to Bluetooth devices. You still have to enable AssistiveTouch in general for any pointing device (wired or wireless).
I've used a mouse (non-Bluetooth) with my son's iPad Pro (within the last year), and I didn't have to enable AssistiveTouch. I just checked and it's not enabled.
Is this requirement a very recent change?
(I don't have my own iPad with me right now, but I don't recall enabling AssistiveTouch to get the Logitech keyboard+trackpad working.)
EDIT: I looked online and apparently prior to 13.4 AssistiveTouch was required to use a mouse. But now you don't need it if you only want basic mouse functionality.
there is special lightning and usb-c cables too that look like charger but is a programmable keyboard. this is a real threat, although unlikely atm unless you are targeted.
My Fairphone 4 with vanilla Android 11 when connected to a USB C monitor will immediately mirror the screen without any sort of notification, so an evil charging port could at least record everything I do, no zero days required.
We always used these in red teams…scatter them around the client’s office. Haven’t seen malicious thumb drives fail once bc there’s always someone thirsty enough to plug one in.
The O.MG cable proves that there are widespread vulnerabilities to exploit.
The fact that this hasn't been exploited in the wild much is good, but doesn't mean that the advice is wrong. Unless the vulnerabilities themselves are all patched it _will_ be exploited in the wild eventually.
I tend to agree with the first poster re risks but perhaps there's an easy vulnerability we're unaware of. I don't use an O.MG cable but I do use OTG regularly. On some phones it times out and the USB reverts to charging, on others it doesn't which poses a potential risk (but OTG-always-on is more convenient so I tend to leave it configured on phones that allow it).
Infection is now potentially higher due to increased OTG usage given the removal of MicroSD by many manufacturers. (The removal of the MicroSD has been a damn inconvenience irrespective of the OTG matter.)
> There are no reports of such attacks ever having happened in the wild.
The FBI disagree:
> Bad actors have figured out ways to use public USB ports to introduce malware and monitoring software onto devices. Carry your own charger and USB cord and use an electrical outlet instead.
I'd rather take advice from them than a random commenter here who has no insight into what's actually happening within the criminal world.
No it doesn't. The line you quoted says such an attack is theoretically possible, it doesn't say it has ever happened. And as another comment mentions, the tweet wasn't some update on things happening, they were parroting an old general practices guide.
Either 0-day or JTAG and those are popping up more now as more people are reverse engineering phones to do forensics. Search YT for videos. Either way for the paranoid USB condoms are cheap. One can get a pack of them for under $9. Some of them can protect from over-voltage. Flaky hanky janky power supplies technical term would be more of my concern.
I personally just prefer to charge a cheap USB battery so that I can use it for anything that needs a charge. Many of them now also have a flashlight like the phone.
I generally avoid public USB chargers, not because of security risk, but because they are typically 5V and less than 2A. If there is mains power then I can use an adapter and charge at a reasonable rate.
I avoid that potential problem altogether by charging my USB battery pack from the public chargers, and simultaneously using a different port on the battery pack to charge my phone.
Reminds me of the USB condoms we used to solder at a workshop (it's just USB without connecting the data pins). They didn't work, probably coz it was our first soldering ever heh
This threat is far less dangerous than the threat of automatically connecting to certain free wifi ssid's that could be harmfull to one of the thousands of possibly compromised apps.
It is more likely to have your finger and hand prints stolen using a Dyson hand dryer in a public bathroom than a public USB charging port doing anything. Like the Dyson hand drying instructions say, move your hands spread out slowly up and down...
Tom Uren and grugq did a podcast on this recently in Risky Business News [0]
I think the main point was that these attacks are physical, don't scale very well, and are untargeted because they depend on luck, so an adversary probably would use more efficient techniques. Unless of course these USB charging points happen to magically cluster around important secret carrying government buildings or other points of interest.
Charging stations are ubiquitous in China, widely used, and they're internet connected - to facilitate payment. Every mall, hotel, and many other businesses have these placed strategically (in front of restrooms, in the gym, etc.)
Not quite a physical attack anymore if you pwn these remotely.
Granted if the situation in the US is still the same as Europe's rather than China's, it's a nonissue. Last I checked few people there ever used these.
117 comments
[ 5.1 ms ] story [ 181 ms ] threadThey also make guaranteed data-blocking cables cables, but getting the blocker as a dongle means I can carry it plus a data cable for my phone, and not have to carry 2 cables.
(When I do find an unmarked USB cable that appears to be charging-only, like that came with a used phone and a firestarter wallwart, I destroy it.)
No need to buy these, just take any usb cable and snip the correct 2 wires
I think it's funny how one thinks that damaging the cable sheath just to cut two cables makes one end up with a proper charging-only cable which one would actually like to carry around.
I've seen enough Apple Lightning cables which are damaged near the connector where I always think: what kind of people are these who are okay with this?
I do cut USB cables, but it's for tinkering and not for normal use.
If someone managed to install something like this in a wall plate in an airport, they could be doing far worse things to the airport infrastructure. Homeland Security should be looking for these things, with people plugging testers into USB power outlets. If they talk on the data lines at all, there's something funny going on.
The tweet doesn't say that, it just says that "bad actors" have developed methods of using USB ports for nefarious purposes. Which has been known for over a decade now, but I don't think there's ever been a recorded case of it being done in the wild.
It doesn't seem like the kind of attack that would be easy to hide either, unless accompanied by some zero day that bypasses the accept data transfer prompt.
I admit that the percentage of people that would do that is low, but even at like .1% that's one in a thousand which a public charge station could see hundreds to thousands of users per week. If these were around they'd be spotted.
Many devices do not request data access for an input accessory like a mouse-- and if you gain input you can dismiss the popup instantly in your exploit.
Also, many people might not pay attention to that popup.
Also, 0days exist.
Have you read the thread? Plenty of people are saying this risk is overblown and not to worry. The top 3 comments all express this sentiment.
>and if you gain input you can dismiss the popup instantly in your exploit.
Do you think using a mouse on an unlocked phone would go unnoticed? There's also a fair amount of disagreement over whether a mouse will work without input.
We've had security researchers notice USB device attacks on computers, the same sort of attack except it will likely only hit one person. This kind of large scale attack where thousands have the chance to notice would be observed.
> Do you think using a mouse on an unlocked phone would go unnoticed?
Certainly, it only takes a millisecond.
> There's also a fair amount of disagreement over whether a mouse will work without input.
0days exist.
> the same sort of attack except it will likely only hit one person
Stuxnet alone is known to infect hundreds of thousands for a start, but as usual keep in mind the successful attacks are generally not found out :)
If your concern is zero days, nothing you do with your phone is safe. Making a big deal about this one thing seems silly. A similar thing if your concern is nation states, like in the Stuxnet attack.
safeR. There are no absolutes in security. And not using public chargers totally will.
> A similar thing if your concern is nation states
If you live in the middle of USA you are probably OK but many people live in or near nation states that could totally install juice jackers centrally.
You're also safer if you leave your phone in airplane mode, or better yet off. Juice jacking is possible, but there's no evidence it's been deployed. A zeroclick attack seems like a much bigger threat, and I can't do much against that.
>If you live in the middle of USA you are probably OK but many people live in or near nation states that could totally install juice jackers centrally.
You're missing the point. If your adversary is a nation state, you're already screwed. They have better methods of attack than hoping you need to battery is low in some specific location.
edit let's assume I run a criminal organization and want to effectively use juice jacking. My first step would be to purchase several expensive zero days, and then develop some kind of software to launch it and to assure only phones susceptible to them get targeted, otherwise people will quickly notice something's wrong.
Then I need to get access to real estate in a high traffic area, where I'll need to buy electricity and run some kind of data server. Then I'll need to get people to sift through the resulting data, and the "payoff" is what, banking details or credit cards? Attacking an ATM seems way easier.
The goal is not to eliminate phone use but to use it safer.
> You're missing the point. If your adversary is a nation state, you're already screwed. They have better methods of attack than hoping you need to battery is low in some specific location.
Being individually targeted you'd have to do a lot more, lockdown mode and all that. Juice jacking from a charging device in a public place is a mass attack, and the measure is very simple-- don't use public USB ports.
> edit let's assume I run a criminal organization and want to effectively use juice jacking.
If your criminal organization is also the government then it's a bit easier than what you describe.
> assure only phones susceptible to them get targeted, otherwise people will quickly notice something's wrong
The attacker simply disconnects data if exploit doesn't work right away. Not many people would notice a split second of a popup.
The real estate part is, the rest isn't.
And without the financial incentive the benefit becomes unclear. Presumably spying, but you're either hoping to randomly get a high profile target or needing to trawl through a truly massive amount of data for some unknown potential benefit.
There are better methods of individual targeting and mass surveillance available to the state.
as far as i know, any somewhat recent version of either android or iOS connect in a charge-only mode to any untrusted USB port. if you want to connect in a way that allows data to flow over the connection, you have to accept a prompt in the phone. should i be worried that this system has been compromised?
Personally, I never use public usb ports because I think it is more likely that some jerk has wired up the port to 120V. Circumventing the OS protection to grab my data feels seems less likely than chaotic destruction.
or at least, that's been my experience as an average looking white guy. it's probably not true for everyone.
I don't, because while that's unlikely, what is almost certain is that the port only does charging at the lowest default voltage/amperage, which for at least 5 years now is not enough to charge a smartphone on standby.
Are you sure it block HID as well?
* The risk on any modern phone is close to nonexistent. By default they only charge. You'd need a zero day exploit in the charging function.
* There are no reports of such attacks ever having happened in the wild.
Stop worrying about fake security threats. There are enough real ones.
Are you saying that there are no unfixed exploits in the USB stack ?
Maybe this discussion is too nuanced for HN. Best we just tow the line, and agree that phishing and websploits is the biggest problem and other issues are not worth addressing even when we can.
What's going over there I wonder?
It's like this guy I used to work for. Anytime someone would ask him to make a pdf copy of a document he would print it out, scan it on the copier and email it to himself.
There has to be some of those types over there. This came from their desk.
What you scan is what you get (potentially some information about the scanner too)
That's a pragmatic strategy to ensure that sensitive information isn't leaked.
Other than potentially including useful vector formats of artwork such as seals, logos and signatures, the visibility and/or mask settings can easily hide sensitive information that is trivial to extract later with standard vector editing software.
The print+scan method ensures that the person sharing the file is fully aware of exactly what is being handed over. It also deals with redactions which were not implemented properly.
>Failed redaction reveals Paul Manafort's 'lies to FBI'
https://www.bbc.com/news/world-us-canada-46804127
Moving deeper into just redaction failures:
The American Bar Association even has a topic dedicated to redaction failures, where they list numerous examples of it (including the one above):
https://www.americanbar.org/groups/judicial/publications/jud...
Yet redaction failures are just one of many ways that a PDF can overshare, simply printing and scanning it solves a great many problems. I think it's a good approach for people who aren't tech savvy, especially with longer documents.
1) Print 2) Cut out the parts you want to leave out (blacking them with a market might leave an opening for revealing them via some contrast tweaking) 3) Scan
Easy to explain, easy to implement, easy to remember.
No ot wasn't, it was because he didn't know how to use computers.
Source: https://slate.com/technology/2023/04/free-public-phone-charg...
Edit: just checked - it's indeed possible with Android 14. Connecting a mouse doesn't require any confirmation. As long as the phone is unlocked, you can adjust the USB settings with that mouse.
It's probably safe enough to recharge your battery pack and charge the phone off that, even at the same time if supported.
If you already had it on, you could probably use it own the device pretty quick, but it's not enabled by default.
0: https://support.apple.com/en-us/HT210546
"""To connect a Bluetooth device:
1. Go to Settings > Accessibility, and select Touch.
2. Select AssistiveTouch > Devices, then select Bluetooth Devices.
3. Select your device from the list."""
Is this requirement a very recent change?
(I don't have my own iPad with me right now, but I don't recall enabling AssistiveTouch to get the Logitech keyboard+trackpad working.)
EDIT: I looked online and apparently prior to 13.4 AssistiveTouch was required to use a mouse. But now you don't need it if you only want basic mouse functionality.
My Fairphone 4 with vanilla Android 11 when connected to a USB C monitor will immediately mirror the screen without any sort of notification, so an evil charging port could at least record everything I do, no zero days required.
https://futurism.com/journalist-usb-drive-bomb
https://www.deccanchronicle.com/technology/in-other-news/120...
The fact that this hasn't been exploited in the wild much is good, but doesn't mean that the advice is wrong. Unless the vulnerabilities themselves are all patched it _will_ be exploited in the wild eventually.
Infection is now potentially higher due to increased OTG usage given the removal of MicroSD by many manufacturers. (The removal of the MicroSD has been a damn inconvenience irrespective of the OTG matter.)
https://shop.hak5.org/products/omg-cable
The FBI disagree:
> Bad actors have figured out ways to use public USB ports to introduce malware and monitoring software onto devices. Carry your own charger and USB cord and use an electrical outlet instead.
I'd rather take advice from them than a random commenter here who has no insight into what's actually happening within the criminal world.
No it doesn't. The line you quoted says such an attack is theoretically possible, it doesn't say it has ever happened. And as another comment mentions, the tweet wasn't some update on things happening, they were parroting an old general practices guide.
I personally just prefer to charge a cheap USB battery so that I can use it for anything that needs a charge. Many of them now also have a flashlight like the phone.
[0] https://risky.biz/BTN46/
Not quite a physical attack anymore if you pwn these remotely.
Granted if the situation in the US is still the same as Europe's rather than China's, it's a nonissue. Last I checked few people there ever used these.
https://www.crowdsupply.com/karoly-simon/usbsafe2