I'd pay decent money for a small, neat little power-only USB passthrough/condom for peace of mind. Hotel clocks, planes, there's all sorts of places I'd like to charge my phone and every time it feels like a risk.
> It turns out that any device you connect with an iOS via the USB port can obtain your device's Universal Device ID (UDID), as long as the device isn't passcode-locked<p>> The only defense is a very simple rule: don't plug your phone into a charger you don't own<p>These statements seem contradictory to me, unless I'm missing something. Shouldn't it be, "don't unlock your phone while it's plugged into a charger you don't own"? Or are they saying there are still vulnerabilities without the charger getting access to the UDID?
You could alternatively use a USB condom; just a cable with the data lines completely removed.<p>(Well, for an iPhone they'd need to be tied together with a resistor in the other end, but the idea is still the same.)
I was on a BA Boeing 777 the other day and the seat back entertainment system had a USB socket on it for me to plug in my own device.<p>All I could think was (a) why would I do that? and (b) that looks like a security vulnerability.
It is interesting because there was concern about rooted phones, especially for people like me, because I left ADB debug mode on. For the uninitiated, this USB bridge is like a serial connection that can, among a lot of things, open a terminal on the device.<p>The newest versions of ADB mode in Android have settings to address this. But at the time this was a big deal in the Android community (or I should say XDA); one recognized dev developed an app for it.<p><a href="https://play.google.com/store/apps/details?id=com.stericson.adbSecure&hl=en" rel="nofollow">https://play.google.com/store/apps/details?id=com.stericson....</a><p>I am glad all phone platforms are getting wise to these things.
I knew there was a good reason Xcode kept telling me it couldn't launch my app as the device was locked. So unless I missed something, if the device is locked this hack doesn't work.
This title is a bit misleading.<p>It should be 'don't plug your iPhone into a charger you don't own'<p>The other 90% of us are unaffected by this hack.
Why only those you don't own? For all I know, the North Koreans/Mossad/NSA/Chinese government/... (Pick whoever you want as the villain) could have planted this functionality in every USB adapter Apple/brand X (pick whoever you feel could fall for this) sells.
Instead of carrying a power pack or USB condom and what not, isn't it just easier to carry the charger you trust? After all, it's the untrusted charger you want to avoid, no?
It would be nice if phone manufacturers would simply separate the power and data ports into two. Designers probably cringe at that suggestion because it would interrupt the sleek form factor, but isn't it the best possible solution to this security risk?
Wow -- this hadn't even crossed my mind. Regarding Android devices (mine included):<p>Could I just hide a tiny Linux OS inside a charger? Then when someone plugs in the device just auto-mounts the SD card and copies away? Is it that simple?
I've always wondered how safe those dirt-cheap USB hubs on eBay are. Seems like a potential attack vector for unsuspecting buyers where you also likely know the name and address of the victim from shipping it to them.
If you can order from Taobao (China) directly, here is the device I bought last week: <a href="http://detail.tmall.com/item.htm?spm=a230r.1.14.27.Op5P4y&id=21996816947" rel="nofollow">http://detail.tmall.com/item.htm?spm=a230r.1.14.27.Op5P4y&id...</a> (not affiliated, around $0.8 USD).<p>Another added advantage in using the device is it can double the current output from my MacBook Air USB port, i.e. from 500mA to 1000mA, so now I can fully charge my Samsung S4 within 4 hrs (as compared to 7-8 hrs previously).
I don't understand the threat.<p>All it does is install a provisioning profile on the device to allow it to install any app it wants, that can make private API calls that would normally be rejected by Apple if they tried to submit the app.<p>So essentially, it allows them to install apps that have the exact same restrictions as apps for jailbroken devices. Or do I have it wrong?
On the subject: <a href="http://www.macobserver.com/tmo/article/apple-fixes-threat-from-fake-iphone-chargers-in-ios-7" rel="nofollow">http://www.macobserver.com/tmo/article/apple-fixes-threat-fr...</a>