• After 15+ years, we've made a big change: Android Forums is now Early Bird Club. Learn more here.

How secure is 'USB Charging Only' ?

D

Dr_Adequate

Lurker
When my phone is plugged in to my PC it defaults to the mode 'USB Charging Only', and to read files off of it I need to select 'Copy Files'.

That's fine and is exactly what I want. My question is when it's just USB charging, how secure is it? Is there any way for software to read any files on the phone without me knowing?

Reason I ask is I want to plug my phone in at work, into my work PC, to charge it only, and not have my employer be able to see what's on it. So how secure is USB Charging Only?
 
It's secure. Files on your phone aren't visible to the connected computer until you specifically enable file transfer mode on the phone.
 
today said:
But still not as secure as using a wall plug charger.
Click to expand...

True, but don't feed the OP's paranoia ;)
I think the security aspect was the main reason the default behaviour was changed. My N5 used to connect in file transfer mode, and after a system update (can't remember which), the default behaviour changed.
 
Incidentally, if there really is technically a way that files can be viewed or taken from the device when in charging mode, I'd like to know.
 
LV426 said:
It's secure. Files on your phone aren't visible to the connected computer until you specifically enable file transfer mode on the phone.
Click to expand...

Is there documentation or proof of this?
My employer reserves the right to scan any devices plugged in to work PC's (and that's a different discussion than this one). So if I plug my phone in to charge it, and leave it on 'USB Charging Only', and do not select the other options to copy files, or copy photos, can software scanning tools still see what's on my phone?
 
The USB mode on the phone determines what features are advertised to the computer on the other end of the cable and, as a result, what driver the computer will select to use in order to interact with the phone.

In Charge Only mode (with USB Debugging disabled), the device shouldn't appear to the computer at all. The phone prevents no features whatsoever, so the computer doesn't select a driver and thus can't interface on an OS or application level. The only interaction between the two happens at the USB controller level, where the computer and phone negotiate charging rates. That is all that can happen in Charge Only mode.

If you enable USB Debugging, the phone presents itself to the computer as an Android Debug Bridge device - it won't work for drag-and-drop file transfers, but will support adb commands (including those which could enumerate a directory listing and push/pull files to/from the phone) if and only if you also approve the connection on the phone itself.

Only if you select the Transfer Files (MTP) or Transfer Photos (PTP) USB connection modes will the phone's file system be exposed to the connected computer.

I don't know what security tools your employer uses. It may be able to determine that you attached a phone to your computer (since the OS keeps track of all connected devices, whether or not a driver gets loaded) but it will certainly not be able to view your files unless you connect with MTP or PTP modes enabled.

That all being said, please don't do anything to violate your employer's policies. If they prohibit the use of personal USB devices (as mine does) don't push your luck by connecting your phone to your computer even in Charge Only mode.
 
LV426 said:
True, but don't feed the OP's paranoia ;)
I think the security aspect was the main reason the default behaviour was changed. My N5 used to connect in file transfer mode, and after a system update (can't remember which), the default behaviour changed.
Click to expand...

The default USB behavior was changed in Android 6.0 Marshmallow to what it is now.
 
Dr_Adequate said:
Is there documentation or proof of this?
My employer reserves the right to scan any devices plugged in to work PC's (and that's a different discussion than this one). So if I plug my phone in to charge it, and leave it on 'USB Charging Only', and do not select the other options to copy files, or copy photos, can software scanning tools still see what's on my phone?
Click to expand...

There's no shortage of USB hacks and exploits online these days, you can spend hours and hours reading up on them. Here's just a tiny, tiny fraction:
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=usb+exploit
https://arstechnica.com/gadgets/2017/02/usb-killer-fry-lightning-usb-c-devices/#p3
https://arstechnica.com/gadgets/2016/12/usb-killer-fries-devices/
https://arstechnica.com/information...uters-badusb-exploit-makes-devices-turn-evil/
https://www.bleepingcomputer.com/forums/t/676026/usb-flash-drive-ransomware-or-malware/
Unfortunately USB itself is inherently not secure, it is by design focused on convenience with the undeniable problem being there are always going to be two opposing aspects -- security vs convenience. Make something more secure and it that takes away from convenience, and vice-versa, with the added issue being most people want convenience even when the result is less security.
It's not paranoia for your boss to restrict USB devices these days, a lot of businesses have to do this now because of the rising prevalence of problems tied to USB. It's not uncommon to see an office setting where all the USB ports are physically blocked so there not even accessible anymore.
https://en.wikipedia.org/wiki/USB_flash_drive_security
Just be aware that changing a setting on your computer or on your phone is all software based, it's simply the operating system enabling/disabling a function. With a USB exploit, it will work at a firmware level so the OS is irrelevant as everything going on in the background at a much lower level.
 
You must log in or register to reply here.
Back
Top Bottom