Power over USB

USB could make power consumption more intelligent, but security concerns need to be addressed.

I’ve been reading about enhancements to the USB 3.0 standard that would allow a USB cable to provide up to 100 watts of power, nicely summarized in The Economist. 100 watts is more than enough to charge a laptop, and certainly enough to power other devices, such as LED lighting, televisions, and audio equipment. It could represent a significant shift in the way we distribute power in homes and offices: as low voltage DC, rather than 110 or 220 volt AC. Granted, 100 watts won’t power a stove, a refrigerator, or a toaster, but in a USB world, high-voltage power distribution could be limited to a few rooms, just like plumbing; the rest of the building could be wired with relatively inexpensive USB cables and connectors, and the wiring could easily be done by amateurs rather than professional electricians.

It’s an interesting and exciting idea. As The Economist points out, the voltages required for USB are easily compatible with solar power. Because USB cables also carry data, power consumption can become more intelligent.

But I have one concern that I haven’t seen addressed in the press. Of course USB cables carry both data and power. So, when you plug your device into a USB distribution system, whether it’s a laptop or phone, you’re plugging it into a network. And there are many cases, most notoriously Stuxnet, of computers being infected with malware through their USB ports. It no doubt took some fairly good social engineering to get an infected USB stick into a computer in an Iranian nuclear facility. But it wouldn’t take any social engineering at all, just a lunch appointment or an interview, to plug an infected drive into the USB power distribution system at some future office complex. You might not even need access to the business you wanted to attack if, as the Economist imagines, power distribution is shared between different buildings in an industrial park.

The most security conscious among us frequently put epoxy in their USB ports. But epoxy won’t work if that port is your only way to charge your laptop. We’re going to need much stricter discipline than epoxy if USB is to become a power distribution standard. More than anything, we will need to be confident that there aren’t any backdoors into our system. A quick Google search is scary indeed, and the NSA is the least of our worries. Can we keep our data, and our systems, safe? History suggests that we can’t.

tags: ,
  • Brian S

    The power on a USB connection is provided by a dedicated line. If the data lines are not connected or blocked then there is no security issue.

    • I_of_Horus

      As I understand it, the problem is when the charger *does* have connected data-lines and uses those for nefarious purposes.

  • RyanE

    Except that it’s likely that the spec will dictate that some negotiation has to take place in order to provide the higher power. Thus, it has to talk to the computer or other device, so you can’t block the data lines.

    • Brian S

      The charger in a portable device is smart enough to look after itself without interacting with the data system. This is already how it works and why I can charge my Playbook from a dumb USB wall wart.

  • RyanE

    Yes, but devices like tablets already do a negotiation with a smart charger to get higher power. I can’t imagine a 100W power providing device would provide a full 100W without negotiation.

  • Brian S

    Power is not pushed from the supply – it’s drawn by the device and a properly designed device will only take what it needs. A 60watt 120volt light bulb has direct access to a lot more than 60watts but only takes what it needs else it would burn out instantly. Problems can occur when a device tries to draw more power than the supply can provide. In that case the (USB) power supply will limit power output to protect itself and the devices will have to deal with that internally.

  • Brian S

    I should clarify that what I’ve been talking about is simply charging a device safely from a public USB connection. This shouldn’t need data exchange. Obviously if there needs to be data exchange the game changes. I for one would welcome a USB high-power/data connection at my local coffee shop. The charging function would be nice but I’m most interested in the potential for better connectivity rather than using the flaky WiFi I currently have to put up with.

  • adamflaherty

    I recall the first bezel-mounted webcams came with a physical switch. For some reason they decided to remove them and everybody just uses post-it notes instead. Cable manufactures are more than capable of implementing something similar, but if they can’t get it together to deliver what people want, you could always go with a USB condom: http://int3.cc/products/usbcondoms

    • Brian S


  • mike

    Sorry, but the epoxy example is simply ridiculous. If you’re security conscious you shouldn’t be running a system with automount/autorun enabled in the first place.

    • dfjdejulio

      The truly security-conscious folks I know take *both* of those precautions. Protects against USB devices other than bug-free dumb storage causing buffer overflows in USB device drivers, that sort of thing.

  • Paul Renault

    20 Amps on a USB connector? Can you spell F-I-R-E? I knew you could.

    • Brian S

      Presumably there will be a voltage increase in the spec to keep the amps reasonable.

    • Mark Aaldering

      The USB-PD specs 5 power profiles, none of which is 20 amps. They are:
      5V@2A (same as USB 2.0); 12V @ 1.5A, 3A, & 5A; and 20V @ 3A & 5Amps.

      The power levels above the existing standard will only be delivered over a new USB-PD cable / connector which is automatically detected. If a new cable is not used, power delivery will be limited to the existing standard of 5V @ 2 Amps.

      As has already been noted, cables that lack the D+ /D- lines used for data transfer already exist.

      USB AC power adapters also already exist that do not have the data lines.

      So where’s the security issue?

  • Arturo

    Google “USB power only cable”. Or buy an, ehem, USBCondom http://int3.cc/collections/frontpage/products/usbcondoms