Highlighting the security risks of using USB to charge mobile devices, BadUSB – a class of exploits that can lead to malware infections – was recently in the news. With the adoption of USB-C, concerns are only going to increase. New devices, including the new Apple Macbook and Chromebook Pixel, only have USB-C ports, which means the only way to charge your device is through a data port that could open your computer to attack. This vulnerability is especially a concern if you want to use untrusted USB chargers, like you might find in coffee shops and airports.

One way to stop these attacks is to use a device that physically disconnects the USB data lines, while leaving the power and ground lines connected. This approach has a major disadvantage because devices and chargers use the data lines to negotiate power requirements, usually via the USB Battery Charging specification. Without that negotiation, the device can’t determine what capabilities the charger has. Instead of being able to draw 7.5 W or more, the device can only safely draw 0.5 W, which means it could take 15 times longer to charge your phone with this technique.

Fortunately, there is a way to block the USB data signals and still allow the device and charger to negotiate the correct amount of power. The key is that the power negotiation occurs much more slowly than the data flow: 100 Hz instead of 1 MHz. A capacitor across either of the data lines limits the bandwidth so that the charging negotiation can occur, but traditional USB data transfers are blocked. In fact, the USB specification has a maximum allowed capacitance between a data line and ground for this reason.

Because the difference in speed from USB Battery Charging to even USB Low Speed is so large, there is plenty of room for error. Anything over 75 pF is outside the official USB spec for data. The data lines have a typical series resistance of 33 Ohms which means a 33 nF capacitor will create an RC filter with a time constant of approximately 1 μs. A time constant of up to 100 μs is acceptable for passing USB Battery Charging signals, and under 0.1 μs is needed for USB Low Spped, so a variety of capacitance values will work.

To test my ideas, I ran an experiment. I tried three USB cable configurations and, with each configuration, measured how much power my phone drew and whether or not my desktop recognized the device. I tried the original cable as a control. Then I soldered a 22 nF capacitor between D- and GND. Finally, I cut the D- line entirely. The results are below.

• Intact cable: 9.1 W - Good connection to desktop
• Capacitor installed: 7.4 W - "USB Device Unrecognized"
• D- line cut - 2.4 W: "USB Device Unrecognized"

These results are in line with my expectations. The difference between having the intact cable and having the capacitor installed could result from a difference in battery load. I suspect my phone drew more current than it should have in the third test. It seemed to draw 500 mA instead of 100 mA, which is all that is allowed by the spec. Still, with the D- line connected, it drew significantly less power.

I've designed a small device that incorporates these capacitors, along with some test and debug features, into a small board with a plug on one end and a receptacle on the other. It’s called USB Power Armor. I plan to build prototypes and do further testing this coming week. Here's a preview.

Update: The first units of USB Power Armor Type-A are available for sale now. Click here to get yours.