
It's long past time that USB security is taken seriously.

By default anything stuck into a USB port should be sandboxed and various integrity checks need to be performed before access is allowed.




You can't blame the USB ports entirely... I mean, yes, it's insane he can force requests that trick your machine into dumping unencrypted cookies, but remember this intercepts and modifies unencrypted traffic, which any packet sniffer or upstream provider (router, ISP, et al) can already see/modify.

So even if you follow Samy's recommendation of putting cement on your USB ports, [0] you're still vulnerable to injection and interception.

Moral of the story: encrypt all the things.

[0]: https://github.com/samyk/poisontap#desktop-security


> It's long past time that USB security is taken seriously.

You mean, before we started using USB for charging...?

It wouldn't be hard at all to make a convincing-looking power adapter with something like PoisonTap baked in.


You can protect both devices from each other with a USB condom [1] which only connects the power pins. This should be the solution for trying to charge from untrusted slots, or for when an untrusted device wants to charge from you.

[1] http://syncstop.com/#faq-original


Know of any USB condoms that can filter for device types? Given BadUSB-type exploits, there's really no easy way for me to know that when I stuck my USB stick in the printer at the library it wasn't reprogrammed to be a keyboard or something else, and when I then go plug it into my computer it now pwns my computer.


> By default anything stuck into a USB port should be sandboxed

Yes, suppose you have a Mac mini and you plug in a USB keyboard: oops, it's sandboxed and does not work.


I think the idea is that if a second "keyboard" is plugged in while the machine is locked/asleep, it shouldn't work. Even for the scenario where you dump $BEVERAGE into your keyboard, forcing a hard reboot to be able to plug in another keyboard (and log back in) doesn't seem unreasonable.



