Like many of you might have done this past holiday season, I traveled by plane to visit family in another city, and I was struck by a fairly common sight in the airport terminal. There was a charging station to top off your smartphone battery, maintained at a gate by a major US airline. At this particular moment, someone was using it, and given the choice between a USB port and a standard Edison plug (like you have on your wall), the passenger had chosen the USB port. Again – a fairly common sight.
Why does this matter? Well, even if you’re unaware of the bevy of tiny computer options that could be used to try and harvest data from this kiosk or connected devices if a skilled operator were inclined, just consider for a moment the simple choice that was made here. You’re traveling. You have the wall charger with you. You probably had to unplug your USB cable from it anyway. Why not just go with the safer choice – a plug that can only carry power, rather than the one that can carry both power and data? Even if all that’s at stake is the kiosk operator knowing and possibly storing a unique identifier for your device, why reveal that information at all, when you don’t have to?
Well, I expect that the true answer is probably that the general public is not quite as paranoid as the InfoSec community, and even if this passenger is an IT pro, they may think that a charging kiosk in an airport terminal is not a high-priority target for information thieves. Fair enough. But I still found this to be a fine object lesson in the simple, binary choices that we often face when designing and maintaining IT security. Some of these choices will be difficult and expensive, but sometimes, choosing the more secure option is just as easy as the insecure one, and costs you little or nothing.
By maintaining a security mindset, even for the simplest choices, you can help to reduce your attack surface and increase your chances of keeping your hardware and data secure. How would you rate your security mindset?