Flipper Zero as a Bad Charger: Why Your Phone Trusts Everything Plugged Into It
Your phone trusts anything you plug into it. Not “trusts” in the sense that it has a security model for USB devices. “Trusts” in the sense that it has no security model for USB devices at all.
Plug in a USB cable and your phone immediately asks: “Are you charging? Are you transferring data? Which one?” The answer is always “yes” to both, because the USB spec was designed in an era when the biggest threat was a slightly underpowered wall wart from 2009.
The Flipper Zero
The Flipper Zero is a multi-tool for hardware hackers. It does RFID, NFC, sub-GHz radio, infrared, GPIO, and USB. The USB mode is called “Bad USB” and it works by presenting itself as a HID keyboard to the host device. The host sees a keyboard, the OS loads the keyboard driver, and the Flipper starts typing.
Fast. No prompts. No “do you trust this device?” The whole thing takes milliseconds.
The Bad Charger
Here’s the experiment: take a USB-C cable, cut it open, wire the data lines to a Flipper Zero, and put it all in a charger body. Now you have a “bad charger” — looks like a regular charger, but when you plug it in, it types commands.
The DuckyScript for opening Safari and navigating to wiggels.dev on an iPhone:
GUI h
DELAY 500
GUI SPACE
DELAY 500
STRING safari
ENTER
DELAY 1000
GUI L
STRING wiggels.dev
ENTER
Ten lines. That’s it. Home button, Spotlight, type “safari”, enter, wait, address bar, URL, enter. The whole thing takes about 3 seconds.
Why This Matters
This isn’t about the Flipper Zero. It’s about the fact that HID devices — keyboards, mice, input devices — are inherently trusted by every operating system. The Flipper Zero doesn’t trigger a “Trust This Computer?” prompt, it doesn’t trigger UAC, and it doesn’t ask whether you want to charge or transfer data. It presents as a keyboard, the OS loads the keyboard driver, and it starts typing. No prompts. No dialogs. No user interaction required.
The bad charger works because:
- The phone sees a USB device
- The device presents itself as a HID keyboard
- The OS loads the keyboard driver (because keyboards are trusted input devices)
- The Flipper starts typing
The real vulnerability isn’t the Flipper Zero. It’s the assumption that a USB cable is a safe, controlled interface. It’s not. It’s a full-speed data bus with no authentication, no encryption, and no way to tell if the device on the other end is a charger or a keyboard. HID devices bypass every security layer because the OS has no reason to question whether a keyboard is “trusted” — it’s an input device, and input devices are supposed to be trusted.
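What the host receives when such a device enumerates, as an added example (not code from the original post): a parser for a USB configuration descriptor set that flags a HID keyboard interface on a port where only a power source is expected. The descriptor bytes are constructed for illustration, and `parse_config` and `audit_charge_port` are hypothetical names.

```python
import struct

HID_CLASS, BOOT_SUBCLASS = 0x03, 0x01               # bInterfaceClass / bInterfaceSubClass
BOOT_PROTOCOLS = {0x01: "keyboard", 0x02: "mouse"}  # bInterfaceProtocol

# Constructed sample: descriptor set of a one-interface boot keyboard.
SAMPLE_KEYBOARD = bytes.fromhex(
    "09 02 22 00 01 01 00 80 32 "  # configuration: wTotalLength=34, bMaxPower=50
    "09 04 00 00 01 03 01 01 00 "  # interface: class 3, subclass 1, protocol 1
    "09 21 11 01 00 01 22 3f 00 "  # HID descriptor
    "07 05 81 03 08 00 0a"         # interrupt IN endpoint
)

def parse_config(blob):
    """Walk a configuration descriptor set; return (max_power_mA, interfaces)."""
    if len(blob) < 9 or blob[0] != 9 or blob[1] != 0x02:
        raise ValueError("not a configuration descriptor")
    (total_len,) = struct.unpack_from("<H", blob, 2)
    if total_len > len(blob):
        raise ValueError("truncated descriptor set")
    max_power_ma = blob[8] * 2                 # bMaxPower is in 2 mA units
    interfaces, off = [], 9
    while off < total_len:
        length = blob[off]
        if length < 2 or off + length > total_len:
            raise ValueError("malformed descriptor at offset %d" % off)
        if blob[off + 1] == 0x04 and length >= 9:   # interface descriptor
            # (bInterfaceClass, bInterfaceSubClass, bInterfaceProtocol)
            interfaces.append(tuple(blob[off + 5:off + 8]))
        off += length
    return max_power_ma, interfaces

def audit_charge_port(blob):
    """Findings for a port that should only see a power source.

    A charge-only source never enumerates, so every interface is a finding.
    """
    max_power_ma, interfaces = parse_config(blob)
    findings = []
    for cls, sub, proto in interfaces:
        if cls != HID_CLASS:
            findings.append("data interface class 0x%02x" % cls)
            continue
        # Non-boot HID devices need the report descriptor to be classified.
        kind = BOOT_PROTOCOLS.get(proto) if sub == BOOT_SUBCLASS else None
        findings.append("HID %s, up to %d mA" % (kind or "device (unclassified)", max_power_ma))
    return findings
```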
USB Does Have Protections. HID Doesn’t.
Here’s the part that makes this even more absurd: USB does have security against data devices. The spec includes over-current protection, authentication mechanisms, and OS-level trust prompts. The problem is that none of them apply to HID devices, and the Flipper Zero doesn’t need them to.
When a USB device is detected as a data device, the host has several layers of defense:
Over-current protection is built into every USB port. If a device tries to draw more than 500mA (USB 2.0) or 900mA (USB 3.0), the port shuts down. This prevents a malicious device from frying your motherboard’s power delivery circuitry. It’s hardware-level protection that’s been around since the USB spec was first written.
USB Restricted Mode (iOS 11.4+) disables data connections after the device has been locked for one hour. Your phone charges fine, but the data lines are electronically disconnected via a software-controlled mechanism. This was introduced specifically in response to FBI vs. San Bernardino, where investigators used forensic extraction tools to pull data from a locked iPhone.
Android’s USB debugging permission requires explicit user approval before a connected computer can access the device’s filesystem or run ADB commands.
Windows’ “Trust This Computer” prompt appears when a new device connects via USB data. You have to actively click “Trust” to allow data access.
Apple’s MFi (Made for iPhone/iPad) authentication on Lightning cables requires a cryptographic handshake. Cheap Lightning cables show “This accessory may not be supported” because they don’t have the MFi chip.
All of these protections exist. They’re real. They work. They protect against data devices.
And they’re all completely irrelevant to a HID attack.
Because the Flipper Zero presents as a keyboard, none of these protections trigger. There’s no over-current issue (a keyboard draws ~100mA, well within spec). There’s no “Trust This Computer?” prompt (keyboards don’t need one). There’s no USB Restricted Mode check (the data lines aren’t disabled because the OS doesn’t think a data device is connected — it thinks a keyboard is connected). There’s no MFi handshake (the OS doesn’t classify keyboards as data accessories — it classifies them as input devices, and input devices are inherently trusted regardless of MFi status).
USB Restricted Mode is the killer example. After one hour of being locked, your iPhone electronically disables access to the data pins. You can still charge. But you can’t transfer files, you can’t use ADB, you can’t connect a USB drive. The data path is dead. Unless the device presents as a HID keyboard. Then the data path is wide open, because the OS doesn’t classify keyboards as “data devices” — it classifies them as input devices, and input devices have always been trusted. This is why you can plug a USB keyboard into a locked iPhone and type passwords into the lock screen.
The USB-IF has discussed authentication mechanisms for years, but none have been standardized. The hardware industry keeps selling devices that present as keyboards when you plug them in. And users keep plugging them in because they just want to charge their phone.
What You Can Do
- Use a USB data blocker — These are cheap ($5) adapters that physically disconnect the data lines. Your phone charges, but the device can’t type.
- Carry your own cables — Public charging stations are the worst. They’re designed to look like chargers but are often data-enabled.
- Use wireless charging — If your phone supports it, this eliminates the USB attack surface entirely.
- Use a USB-C lockout adapter — These adapters physically block the data pins while allowing power through, preventing any HID device from connecting.
The Bigger Picture
The Flipper Zero is a toy. The real threat is a malicious charging station at an airport, a hotel, or a coffee shop. These exist. Border agents use forensic extraction tools like Cellebrite UFED and GrayKey to pull data from phones at crossings — and the USB trust model is what makes that possible.
This isn’t going to change. Not until someone gets hacked and the story makes the news. And even then, it’ll take years for the industry to care.