On Android 12 DP2 devices with a new USB HAL (v1.3), IT admins will be able to disable USB data signaling for security. This mitigates BadUSB and other physical USB-based attacks, such as malicious or fake chargers.
and have offered this feature for years, so it's nice to see Google following suit. Unfortunately it doesn't appear to be a user-facing option (yet), but it should be possible to make an app that exposes the setting.
GrapheneOS has disabled connecting new USB peripherals when locked by default since June 2016. Here's the changelog from the 2016.06.17.11.52.32 release: gist.githubusercontent.com/thestinger/67e Threat model is protection once data isn't at rest, so it doesn't ignore devices attached at boot.
That could be implemented, but it would be pretty hard to make it configurable and it would hurt usability a lot more for little gain. Picking up devices at boot but not afterwards unless the screen is unlocked remains a nice balance of usability vs. security usable by default.