Ask HN: Why do laptop chargers have data wires?

17 points by PrimaryAlibi 3 months ago

Chargers should only charge, there shouldn't be any data transfer. When it comes to security, we should not give something more privileges than it requires to do its job. Why do laptop chargers have data wires?

Maybe you have heard of usb condoms? It's a usb-c to usb or vice versa adapter where you modify it by removing the data wires which are on the sides. Then there is only power. Why don't the charger manufacturers do this themselves and remove the data wires if there is no purpose for them? It creates an unnecessary security risk by having the data wires.

What are your opinions on this? How do you approach this security threat? Or do you not do anything about it at all?

jitl 3 months ago

The marginal happiness for 1% of security nerds would be vastly outweighed by frustration for 99% of people who don’t care.

I don’t want a bunch of broken fake USB-C cables lying around that work for slow charging only and will totally fail when used with my mouse, keyboard, running an external display, etc. I get these kinds of USB-C cables from time to time in boxes with mediocre gadgets and throw them out! Anker’s whole brand was originally based on testing USB cables to weed out the broken ones after all.

What is the threat model here anyways? My approach to security when charging my devices is:

1. Use my own charger and cable

I am not worried about my power supply brick getting pwned by a rootkit delivered via the airplane’s AC power mains and then that pivoting to my laptop.

So is the threat that my power brick got pwned on its way from the factory to me?

  • DanielHB 3 months ago

    My inlaws were trying to transfer files to a PC from their phones with one of these non-data cables. Even my somewhat tech-savy partner didn't know non-data cables.

    I taught them the trick about feeling the cable stiffness, I showed them a type-c cable without data vs one with data vs thunderbolt3 type-c. They just couldn't understand why it wasn't working until I showed them there was a physical and tactile difference in the cables.

    • thedanbob 3 months ago

      Wild that the best way to tell what kind of USB cable you've got is the equivalent of knocking on a melon to see if it's ripe.

    • freehorse 3 months ago

      In usb-a cables you can actually see the pins themselves missing looking into the connector from the outside; in usb-c not so much (or at least i could not really see anything there). I could never figure out how to determine a no-data usb-c cable, though I have only even seen one anyway.

      The problem with stiffness etc is that there is already a lot of variability on usb-c cables, though there could definitely be something there that I just did not notice.

      • SAI_Peregrinus 3 months ago

        I just bought a tester from Treedix. It's a small board with a bunch of USB connectors (host side has 3.0 A, 2.0A, C, device side has micro-B, lightning, mini-B, 3.0 micro-B, C, and 3.0 B), a CR2032 coin cell, and a bunch of LEDs that light up when there's continuity for that link. So you can see when a cable has a USB-C connector but only USB-2.0 D+ and D- lines and CC vs one with the extra differential pairs. Faster than trying to mess with a breakout board & a multimeter.

  • freehorse 3 months ago

    I assumed that the threat model includes been given a power brick that is already pawned (maybe has some chip with GSM access and somebody is gonna hack your computer through it or sth, or exploits some unknown zero day). And I would assume that is nation state level of a threat, either a supply chain kind of attack or more targeted.

    Personally I have come accross no-data usb cables which I hated, but i see no reason to carry such a cable with me and then carry extra usb cables for data transfer. I am happy enough that the multiple cable problem is mostly solved and I still remember and by no means miss the days that I had to carry a separate charger and associated cable for each device, plus possibly other cables to connect stuff together.

gnabgib 3 months ago

The USB standard only allows 7.5W (5V @ 1.5A) of power. By negotiating over the data lines, the supplier and consumer can agree to higher amperage and voltage (up to 100W in USB3, 240W in USB3.1) - but you need data lines for this feature.

Some USB condoms include a chip to do this negotiation (with the other device) for you - but you still have to trust the chip.

You may very well have experienced this with a very basic USB cable (with just the power lines) - people call them cheap or bad quality, but because of the lack of data lines - only 7.5W can be delivered.

https://en.wikipedia.org/wiki/USB

  • mrb 3 months ago

    This is incorrect. USB power delivery does not need the data lines. Negotiation happens over the CC line and Vbus line:

    "A power-only receptacle Upstream-Facing-Port might only have VBus, GND, and CC pins populated, because they do not need the data transfer capabilities" source: https://acroname.com/blog/breakdown-all-power-delivery-types...

  • dragonwriter 3 months ago

    > The USB standard only allows 7.5W (5V @ 1.5A) of power. By negotiating over the data lines, the supplier and consumer can agree to higher amperage and voltage (up to 100W in USB3, 240W in USB3.1) - but you need data lines for this feature.

    Per the USB 3.1 power delivery spec [0] all communications related to power delivery occurs over the CC wire (with roles chosen according to Vconn), the data wires are not involved.

    [0] https://www.usb.org/sites/default/files/USB%20PD%20R3.1%20V1...

  • PrimaryAlibi 3 months ago

    So the charger won't work without the data wire and it could destroy the laptop. It's so crazy because I've seen in these tech communities people saying it's recommended to cut the data wires and everyone is upvoting it. I guess that's another popular misconception going around that it's generally fine to cut a data wire.

    • gnabgib 3 months ago

      The charger will work, just at a low/slow power. No destruction, unless it's non-conformant (the source should only increase the volts/amps if it detects the correct signalling from the drain... and this should is defined in the USB certification specs).

      You may want to charge without a data-wire, or use a cable with a correct power-negotiation chip if you don't know/trust the source (eg a charging nook in a library/school/bar/airport.. anywhere public). Some devices are very trusting of power sources, or have been (security is improving, modern phones require unlock before they even acknowledge they accept/send data).

      • nucleardog 3 months ago

        > You may want to charge without a data-wire, or use a cable with a correct power-negotiation chip if you don't know/trust the source (eg a charging nook in a library/school/bar/airport.. anywhere public).

        There's an alternate charging interface you can use that's pretty widely available and I'd highly recommend--the 120/240VAC outlets all over the place!

        Yeah yeah, I'm only half kidding. If you're going out to the bar you're probably not gonna shove a USB charger in your pocket. But in most of the rest of those situations (library, school, airport) and more you _probably_ have a few things you're carrying with you. Just leave a small adapter and cable rolling around the bottom of your bag and you don't have to worry about this. (Or at least you're into the realm of _wildly_ theoretical attacks.)

        This doesn't just avoid the potential security issues... A lot of those charging lockers and things are not exactly well designed or well engineered. If you use your own charger you also know some weird cheap out-of-spec setup isn't going to damage your phone and there won't be any incompatibilities with the charger/cable/device that leave you charging at 7.5W.

      • Faaak 3 months ago

        USB PD without signaling won't work. It wont supply the needed voltage (e.g. 19V), and the laptop won't charge

        • yread 3 months ago

          Is that true? I have a cable here that I use to charge my laptop with 65W PD but it doesn't make a data connection. Does it do some black magic?

          • Kirby64 3 months ago

            There’s data, but then there’s also the “CC” pins. CC is mandatory for USB-C. It is what does the communication for PD. So, it’s data, but a very specific type of data.

          • cesarb 3 months ago

            > I have a cable here that I use to charge my laptop with 65W PD but it doesn't make a data connection. Does it do some black magic?

            The magic is that USB-C has not one, but _several_ mostly independent "data" connection wires. Chargers normally do not use or care about the USB 2.0 data channel (or the separate USB 3.0 data channel), they only care about the separate "configuration" channel used for USB-PD negotiation; IIRC, according to the standard pure chargers are even supposed to short together the USB 2.0 wires, to signal to older USB B or micro-B devices "I'm a dumb passive charger which can provide more than just 2.5W of power".

            So, if you have a broken cable which does not have the USB 2.0 wires connected (which AFAIK is not allowed by the standard), but has the power and configuration wires correctly connected, it might (or might not) work as a charge-only cable.

    • nixosbestos 3 months ago

      > I've seen in these tech communities people saying it's recommended to cut the data wires and everyone is upvoting it

      Right, and what communities are those, exactly?

    • dragonwriter 3 months ago

      No, the charger will work fine – and at full power. GP is incorrect, the data lines are not used in power negotiation.

    • marcosdumay 3 months ago

      The data lines weren't used for charging until fairly recently.

      Al of those people may not be up to date, or you may be seeing old discussions.

      • cesarb 3 months ago

        > The data lines weren't used for charging until fairly recently.

        Several proprietary protocols (like Quick Charge) used the data lines to negotiate the power and voltage, then USB Battery Charging standardized a way to indicate being a charger through the data lines, and that was all before USB-C. So unless you were satisfied with very slow charging, the data lines were always necessary.

eternityforest 3 months ago

It tells the laptop how much power is available. And with USB-PD charging it is used for voltage negotiation which removes the risk of destroying a laptop with the wrong voltage charger, while still allowing chargers to be swappable and interchangeable.

I believe they adapt charging speed to available power in some cases. Without the data pin, what if you wanted to make a a car charger, but the cigarette lighter couldn't support enough current for a full power charger? Or what if you wanted an ultra portable charger?

It's a useful feature for a pretty small extra risk.

acdha 3 months ago

There are two things to remember: one is that “juice jacking” is an urban legend hyped up by gullible police departments since the 2000s which just doesn’t happen in real life. Making computing clunkier for everyone doesn’t make any more sense than it does to put roofs over the keyboards in your server room to stop Tom Cruise from rappelling down from the ceiling.

Second, the same risk applies to every other device. Even if we eliminated charger docks and smart charging, we’d still have keyboards, mice, network adapters, storage, MFA tokens, etc. to worry about and that’s why your computer doesn’t blindly trust every device you connect any more. In 2004 you probably could have caused problems by presenting as a storage device with an auto run installer but now all you’re going to get are prompts.

  • dragonwriter 3 months ago

    > There are two things to remember: one is that “juice jacking” is an urban legend hyped up by gullible police departments since the 2000s which just doesn’t happen in real life.

    Its kind of like the magic aura-of-intoxication of fentanyl, only juice jacking is a technically possible and demonstrated capability that approximately never happens in the wild, while magic fentanyl actually is sheer fantasy. But both propagate as ideas by the same mechanism.

gwbas1c 3 months ago

I generally only charge with devices I own:

I charge my laptops with the charger from the manufacturer, where the data cables are used to control voltage and wattage; or from a docking station from the manufacturer. If Apple / Dell are trying to hack me, well, I'm screwed!

I charge my phone with my own charger (wall) and wireless stand that I bought from the manufacturer. If I want to travel light, I charge it with my laptop charger. (Thanks to USB C) Again, I don't think Apple / Dell are trying to hack me.

Other devices are charged with chargers I bought on Amazon. I haven't taken them apart, but I don't think they have some hidden 5G chip that's being used to hack me.

If you're worried about security, _carry your own charger_ instead of plugging into random public USB ports.

---

But, I want to point something out about security: At some point you have to trust someone. If you're nervous, I would stick to a set of chargers that you screen carefully, and carry them with you.

t-3 3 months ago

It's just so convenient to be able to use the same charger for every device, and to use the same port for either charging or connecting peripherals. Is it ideal from a security standpoint? Not at all. Does that matter? Not in 99+% of contexts. Security is just not a real issue for the vast, vast majority of people. Those who really have significant risks to consider should adjust their habits and lives accordingly, but nobody else is going to go back to the days of a different, incompatible, power supply for every piece of equipment.

kj4ips 3 months ago

There's a few cases where this makes sense:

* The laptop supports one or more power supplies, but with different current ratings, and the laptop needs to know how much it can safely draw. (This can be done with passives)

* The charger has dynamic power availability, possibly because it charges multiple devices, and the amount of power available varies with other factors, such as temperature.

* The charger has various output modes available, only some of which align with the device to be charged. Therefore, the two devices must negotiate a common set of parameters.

On the note of USB Condoms, they only interrupt the data lines, USB's power negotiation (nowadays) mostly happens on the power line itself. Though usually, the device's OS (if it has one) has limited/no visiblity to this, and a dedicated port controller handles this interaction, possibly passing higher-level information to the rest of the device.

There are some things that can be done to reduce the threat surface:

* Build the protocol parser as a FSM.

* Formal methods for critical systems.

* Severely restrict the expressiveness of the protocol, particularly any variable-length fields.

dragonwriter 3 months ago

> Why do laptop chargers have data wires?

Charging cables have data wires because then they can be used as data cables, meaning you can pull the end out of the charger and plug it into some other device, since the USB-C port on the laptop that accepts charge is certain to be a dual-role port. If charging cables didn’t have data wires, you’d have to swap cables in this use case.

> Why don’t the charger manufacturers do this themselves and remove the data wires if there is no purpose for them? It creates an unnecessary security risk by having the data wires.

Because then everyone would have to buy additional USB-C data cables, and then (because it is more convenient) they’d use those with the charger anyway, and the only product would be more e-waste. I mean, the charger already is probably going to last much longer than the supplied cable, and eventually people are going to be using a separate cable with it, using a useless-for-other-purposes cable just accelerates that.

And the security risk is from untrusted chargers. For the charger manufacturer, their charger isn’t untrusted. If the buyer doesn’t trust them, they won’t trust them to supply a safe cable whether or not they actually do, so its not even a useful “secure” sales gimmick. If someone has security concerns about the charger manufacturer, they’ll get a power-only cable from a trusted party and use that, there is no benefit to anyone from the charger manufacturer providing a power-only cable except, I guess, for customers for whom the charger manufacturer is a trusted party, who wants a cable they can use with the original charger and also when they are charging from untrusted other chargers on the road, but compared to people who are better served by dual use cables and people who will use a separately-acquired “safe” cable with any charger, that’s going to be a very small audience.

nonrandomstring 3 months ago

> It creates an unnecessary security risk by having the data wires. What are your opinions on this?

That you are correct. It creates no small security risk (as does the overly-chatty relation between batteries and function boards nowadays)

(I am not sure you could produce a battery bomb without a separate back-signal to detonate it)

USB was never a very far sighted show, It's undergone so many revisions to squeeze more transfer of power and data out of it than is good.

There are analogue methods. Current sensing and current limiting circuits are ancient. You can build really sophisticated power supply designs that match supply and sense problems. You can even encode data as a side channel on the power lines themselves. But that would be more expensive and since the separate data lines were already there few designers thought to prioritise security over simplicity and cost.

  • Someone 3 months ago

    > You can even encode data as a side channel on the power lines themselves. But that would be more expensive and since the separate data lines were already there few designers thought to prioritise security over simplicity and cost.

    The security issue isn’t that there are separate data lines, it’s that there’s a data communication channel between charger and device.

    So, encoding data as a side channel won’t fix the security issue.

    • dragonwriter 3 months ago

      > The security issue isn’t that there are separate data lines, it’s that there’s a data communication channel between charger and device.

      Yes, you can only eliminate the security issue by eliminate the functionality requiring communication.

      You can, however, mitigate the security issue and narrow the range of potential attacks by having a dedicated-purpose channel that only is connected to capabilities related to the functionality for which it exists. Security is always a balancing act of how to mitigate the risk associated with desired functionality; shedding functionality is only the optimal solution where the risk outweighs the benefits of the functionality.

  • dragonwriter 3 months ago

    > You can even encode data as a side channel on the power lines themselves.

    USB-C PD standard basically does this (well, on a side channel compared to the main data lines, at any rate.)

    > But that would be more expensive and since the separate data lines were already there few designers thought to prioritise security over simplicity and cost.

    Pretty sure that the reason the pre-USB-C quick charging non-standard implementations that used existing data lines didn’t do so because it was cheaper to build but because it was more useful for users to not have to have special, incompatible cables for charging.

  • KeplerBoy 3 months ago

    It's not about the battery going boom or frying the device. For that you don't need data lines, you could always just put high voltage on the wires.

    The security risk emerges from the fact that the charger might be a usb/thunderbolt device, exploit those interfaces and exfiltrate data from your system. It's absolutely feasible to build such devices, the only hard part is the exploit.

walterbell 3 months ago

USB-PD negotiation can be done before reaching the laptop, using a fixed-function adapter for the desired voltage and current. Then the final leg of the connection can be power-only. This is used to power older laptops via USB-c and barrel connector.

cesarb 3 months ago

I'm assuming you're talking about the newer USB-C laptop chargers, instead of the old traditional "barrel plug" laptop chargers.

The main reason a data connection of some kind is necessary, is because it allows for universal chargers (the U in USB means "universal", after all). The same charger can be used for a laptop charging at 36V and 5A (https://frame.work/blog/framework-laptop-16-deep-dive---180w...), and a phone which cannot tolerate anything above 5V and needs less than 3A. Even old "barrel plug" laptop chargers often already had some kind of data connection (for instance, old Dell chargers, which output a fixed 19V, could tell the laptop whether they are a 65W or a 95W charger, you can see it on the BIOS screen).

And for compatibility, the USB 2.0 wires (the negotiation described above happens on the separate CC wire) are also necessary. The way old USB-A phone chargers told the phone (which usually had a micro-B plug) they're a charger was through the USB 2.0 wires. The standard way of doing that is shorting both USB 2.0 wires together, but there are proprietary alternatives which do something else with these wires. A USB-C charger can charge these old phones through either a USB-C to micro-B adapter together with a USB-C cable, or a USB-C to micro-B cable.

> How do you approach this security threat? Or do you not do anything about it at all?

Frankly speaking, the security threat I'm more worried about is a low-quality or damaged charger accidentally putting unfiltered 127V AC into the USB port. The best way to protect against that threat, which also protects against the "charger is a malicious USB data device" threat you're worried about, is to carry and use only your own high-quality charger, together with a portable surge suppressor (which has a MOV with a fuse).

nixosbestos 3 months ago

you could've typed your exact post title into Google and had the answer faster.

  • acdha 3 months ago

    They could’ve had a wrong answer faster. Google search isn’t deterministic and the current LLM answer at the top for me is half right and half wrong.

    • nixosbestos 3 months ago

      That's one billion percent not what I meant. Wow.

      I just can't man, I fucking can't anymore with the Internet and people's need for everything to be spoon fed and assuming that everyone else has lost all information literacy.

      • acdha 3 months ago

        So … what did you mean? Going by the plain English words, I pasted the title minus the “ask HN” prefix into Google and got a part-wrong answer. Asking here seems to be inline with practicing information literacy since it’s a community where people are more likely to have actual knowledge than some SEO bot, and there’s both attribution and community voting to help when assessing answers.

        • nixosbestos 3 months ago

          You know, the way people used Google and looked things up say a whopping 3 years ago?

          > Why do laptop chargers have data wires?

          I know, it's crazy to think people would like, research topics, be curious about what PD is, maybe skim the wikipedia for a whole 45 seconds, etc.

          But no, apparently just spamming basic questions to reddit and HN is the way we're headed because everyone is used to have these AI-regurgitated crap spoon-fed to them. Or want someone to spell it all out for them because intellectual curiosity is a dying rare thing.

          But hey, we're talking about a person who was reading unspecified communities that were apparently promoting cutting open wires to remove data lines, undoubtledly for "freedom" or "privacy", all seemingly without any context or clue about what they were doing.

          • acdha 3 months ago

            Maybe this would be a good topic for you to hide and move on.

qwertytyyuu 3 months ago

I want to output to my monitor and charge the thing at the same time

pif 3 months ago

> Why do laptop chargers have data wires?

Why should I care?

  • RiverCrochet 3 months ago

    These situations are not very likely but let's let the imagination go wild:

    - A USB charger-looking device could, in addition to charging, perform malicious actions which involve being another USB device. For example, it may pretend to be a keyboard and enter commands without your knowledge.

    - Also from what I can tell here after a brief reading: Intel exposes JTAG functionality over USB ports (https://global.ptsecurity.com/analytics/where-theres-a-jtag-...) and I would think a malicious USB device could freeze the CPU by making the CPU enter probe mode, then dump its RAM through JTAG commands, getting encryption keys and other data if it wanted. As far as transmitting that data: low power Android devices with cellular capability will definitely fit in a charger-looking device. (Heck, there are SD cards with Wi-Fi capability in them.) Hope no one opens it up though.

brudgers 3 months ago

My guess is that in part chargers have data wires for the reasons you fear because there are people with the political capital, money, technical expertise, and motivation to shape consumer facing technologies to the interests of nation states. These people are dedicated professionals and to not achieve the simple things you fear would be grossly unprofessional.

But data cables in USB chargers also provide conveniences to ordinary people (which other comments mention). TANSTAAFL

  • VoodooJuJu 3 months ago

    >TANSTAAFL

    what?

    • andrei_says_ 3 months ago

      “There ain’t such thing as a free lunch” I think?

      Coined by Heinlein in The Moon is a Harsh Mistress.

      • reaperducer 3 months ago

        Coined by Heinlein in The Moon is a Harsh Mistress.

        It's far older than that. At least a 150 years old.

        Bars used to provide free lunches to encourage people to buy more drinks. Often very cheap and salty lunches, like stews or corned beef. This was very common in the 1920's-1940's, decades before Heinlein. It later evolved into just bowls of peanuts or pretzels on bars, though I haven't seen a bar with complimentary beer nuts in years.

        The stew looked like a free lunch, but there's no free lunch because you paid for it in drinks.

        Skimming this link: https://quoteinvestigator.com/2016/08/27/free-lunch/ shows it was in print at least back in 1886.

        • andrei_says_ 3 months ago

          1. Today I learned ;)

          2. I was writing about the abbreviation specifically, which was used in Heinkein’s book.

          • fuzzfactor 3 months ago

            I first heard it in person as advice from people who were born in the 1890's and I think it was something that had been explained to them as children themselves.

            Seemed to me it probably originated in New York City.

            Heinlein was referencing a familiar but cynical saying which is an example that was intended to be kept in mind whether you understood the full implications or not.

      • lizzas 3 months ago

        Oh so not Thatcher. Interesting.