Possible Security Implications of USB PD
The new USB PD specification upgrade from USB 3.0 would allow the tech to deliver an incredible 100W of power. There are some pretty incredible implications for this, including the ability to safely wire and re-wire room lighting and other low-power applications without an electrician’s help. But the problem is data and power in the same USB cable will also have some intense security implications – if you can’t charge your laptop without connecting it to an untrusted data-source, there’s a lot of room for error and potential security breaches.
There are USB 2.0 power-only cables that will short out the data-wire, and I wonder if this issue couldn’t be solved by having a power-only USB port on the back of your laptop for charging. Then again, I would ask why people would even bother with such a laptop, or if they would demand the convenience of being able to use any port for charging or data. But I have one concern that hasn’t really been addressed. USB cables carry both data and power, we already know that. So, when you plug your device into a USB distribution system, whether it’s a laptop or phone, you’re plugging it into a network.
On top of that, there are many cases of computers being infected with malware through their USB ports. There’s no doubt that it took some fairly good social engineering to get an infected USB flash drive into a computer in an Iranian nuclear facility. But it wouldn’t take much social engineering at all, just a lunch appointment or an interview, to plug a malware infected flash drive into the USB power distribution system at some future office complex. You might not even need access to the business you wanted to attack if power distribution is shared between different buildings in an industrial park.
For the more tech cautious of us, we’d probably go along with an epoxy in their USB ports. But epoxy won’t work if that USB port is your only way to charge your laptop. But the epoxy technique will not actually work if that USB port is your only way to charge your laptop. Basically, we’re going to need much stricter discipline than epoxy if USB is to become a power distribution standard. More than anything, we will need to be confident that there aren’t any backdoors into our system. A quick Google search is scary indeed, and the NSA is the least of our worries. Can we keep our data, and our systems, safe? Only time will tell.