USB Data Blockers, have been a common peace-of-mind device. But if you ask someone how they work or what they do, the answers tend to differ. And with so many options, how do you choose the right one?
This writeup is meant to provide these answers. And I would like to offer up another option with what I am calling the "Malicious Cable Detector by O.MG".
What is a USB Data Blocker
A USB Data Blocker is a device that goes between a USB port and a device you need to charge that blocks data transmission over the data lines, but still allows charging.
Why use them?
- to protect your mobile device when charging from an untrusted power source
- to protect your computer from an untrusted device that needs to be charged
- to allow a device to charge from a power source that it is not compatible with
The legitimacy of the security value is not in scope for this writeup. But what is the security value of a device if you do not understand it?
How do they work?
A lot of people believe that you can simply disconnect or remove the data lines of a USB cable to achieve the same functionality of a USB Data Blocker. In reality, this will only work for a very limited number of USB devices. Most devices look for some basic signal on the data lines to know how much power they can pull from the power source. So, a USB Data Blocker needs to be able to send this signal to the device requesting power. There are tons of different possible signals because of the various "standards" and proprietary signals chosen by different manufacturers. If you want to know more, this is a good reference. In general, the signals are basic: shorted data lines and/or a specific voltage applied to the data lines.
For simplicity, there are 3 main types of USB Data Blockers when it comes to the signal:
#1. Data Lines Shorted Together
- This is a very simple design and it is the single most compatible signal. However, the negative is that it will supply the least amount of current. (longer charge times)
#2. Single Charging Signal Using Resistors
- A design that requires only some extra resistors and allows higher charging current. However, it is not going to be compatible with as many devices.
#3. All Charge Signals With A Controller
- A small charge controller is added that will automatically provide the optimum signal for the device requesting it. The negative is that it is slightly more expensive and has a "black box" talking on the data lines if you have trust issues.
Which one do you want?
#3: a good choice if you want maximum compatibility and maximum charge current.
#1: if you want something with high compatibility but would rather trade charge current for an "easier to trust/audit" design, (assuming you can see the circuit!)
#2 if you want a hybrid of the two with reduced compatibility.
Sadly, most USB Data Blockers do not clearly list which type they are, and many hide their components and construction quality behind enclosures. So, I bought a bunch of USB Data Blockers and tore them open to find out what method they use and what the build quality was like.
Here is a graphic that shows each model torn open along with the type of charging supported and my subjective assessment of the build quality.
For such a simple device, there seems to be a lot of manufacturers who reduced product quality with prices that are just as much (or more!) than the higher quality builds. When it comes to charge signal #1, the PortaPow is the only one who uses this signal in a way that is valuable to the customer. Everyone else that has chosen this signal has done so to reduce the cost of production. The perceived security value in #1 over #3 requires that you are able to inspect the integrity of your circuit. However, the ability to see the construction of your USB Data Blocker is still a positive for all versions. This allows you to ensure nothing malicious has been added inside before you purchased it, or while it was in your possession.
#3 - BadUSB Cables wouldn't be complete without BadUSB Condoms.— MG (@_MG_) January 12, 2018
Tempted to get a run of these made for the vendor area at the next security con. pic.twitter.com/3iNjLqXloW
After seeing my demo video, PortaPow actually created custom connectors that not only remove the data lines from the connector, but also added a cutout to allow you to see that there are no data lines present on the connector! PortaPow definitely has built quality options for both #1 and #3 charge signaling, and at a good price point.
Overall, I really like the offerings from PortaPow due to the effort and quality they put into their designs. For such a simple device, they have managed to continue to improve it. The various generics take advantage of people using cost cutting techniques and deceptive marketing tricks.
What about malicious USB cables? We view Data Blockers as a device that goes between a device and a charging source, but there is also a cable in the middle! Or, what if you actually want to use the data functionality of a cable, but want to check the integrity of the cable?
In 2017 I started working on malicious USB cables. https://mg.lol/blog/badusb-cables/ And the work has inspired others to create their own. Luckily(?), most of them are fairly easy to spot by just looking at them. They tend to be significantly thicker than legit cables. However, the O.MG Cable and O.MG Keylogger Cable are the only ones that physically match the real thing down to the millimeter. The cables by O.MG also implement various types of stealth that makes them difficult or impossible to detect (until the attacker wants you to) if you are relying on host-based detections. The O.MG Keylogger Cable uses fully passive interception so not even timing analysis of the data lines will help. There are other malicious cables that never use the data lines because they are used to physically track the target. And the NSA has had their own malicious USB cables since at least 2007, as we saw with COTTONMOUTH. Later, COTTONMOUTH would inspire the creation of TURNIPSCHOOL in 2015 by Michael Ossman, Dominic Spill, and Jared Boone.
So how do you detect them? While building the programming and testing jigs for the O.MG Cable, I realized that I had inadvertently built a detector! I took that initial design and built it into the "Malicious Cable Detector by O.MG". I also added Data Blocker functionality using signal #1. Now you can validate the cable before you use it! Security is always a cat and mouse game. No defense is perfect. But the Malicious Cable Detector will detect all of the currently available commercial malicious cables and clandestinely built cables that I could get my hands on.
I have made the Malicious Cable Detector available on Hak5's store here: https://shop.hak5.org/collections/mischief-gadgets/
You can watch the intro video here: