On Android 12 DP2 devices with a new USB HAL (v1.3), IT admins will be able to disable USB data signaling for security. This mitigates BadUSB and other physical USB-based attacks, such as malicious or fake chargers.
and have offered this feature for years, so it's nice to see Google following suit. Unfortunately it doesn't appear to be a user-facing option (yet), but it should be possible to make an app that exposes the setting.
GrapheneOS has disabled connecting new USB peripherals when locked by default since June 2016. Here's the changelog from the 2016.06.17.11.52.32 release:
gist.githubusercontent.com/thestinger/67e
Threat model is protection once data isn't at rest, so it doesn't ignore devices attached at boot.
That could be implemented, but it would be pretty hard to make it configurable and it would hurt usability a lot more for little gain.
Picking up devices at boot but not afterwards unless the screen is unlocked remains a nice balance of usability vs. security usable by default.

