USB cables can do two things:

1) Send power.
2) Send data.

The way your computer knows if you’ve plugged a mouse, a keyboard, a drive, etc. into it is (2). When you plug a device into a USB port, it tries to send a standard, “What kind of device are you?” message over the data lines. Normal, not-malicious devices respond with information like, “I’m a mouse!” and your computer uses that information to figure out how to further communicate with it.

Even devices that only want to charge over USB sometimes use the data lines because they might support fast charging or other things that draw more power than a “normal” device. So they respond to, “What kind of device are you?” with “I’m not really looking for a relationship, I just want to charge with this many volts.” etc.

The part of the USB charging station that may work with the data lines is called “the controller”. A malicious person will make a controller that does not follow the standards USB devices are supposed to follow. It may start with, “What kind of device are you?” just to see if it gets an answer back like, “Oh hi, I’m a Windows laptop, just looking for a charge.”

That’s when the controller starts to do bad things. *Which* bad things are hard to describe. But imagine if you tried to call Pizza Hut to order a pizza, the person answered the phone, you said you wanted to order a pizza, then they screamed into the phone for three solid minutes. Would you expect that? How would you react? It’s hard to say because it’s so weird it’d probably knock you off your game.

That’s how “attacks” on software work. Attackers try to figure out a way to send a message to programs that the programs do not expect. If the programs do not expect it, the programmers may not have written code that handles it very well. If they handle it badly in very specific ways, it can leave the program open to attack. One super common way things go wrong is a “buffer overflow”. That means that the laptop may only expect to get a message that’s up to 128 bytes long, but the malicious controller sends one that’s 2048 bytes long. If the program handles this badly, it’ll try to store all 2048 bytes and the extra bytes might overwrite other bits of memory. Then the attacker may know a complicated dance that allows it to trick the laptop into treating the “extra” memory they wrote as code to execute. That code will usually do something *else* the laptop doesn’t expect that tricks it into running *other* code, and eventually after jumping through a lot of hoops the laptop has been tricked into installing and running malware without the user’s permission.

That’s why there are devices known as “data blockers”. They’re little USB adapters that don’t even have the data lines. So if you plug them into a public charger, when the malicious controller asks “What are you?” that never makes it to your device because there’s no connection. In that case, most USB controllers think, “Huh, no response. This must just be a “stupid” device that only charges and doesn’t communicate.” On the downside, that can mean certain fast charging protocols won’t work because your device can’t say, “I’m a phone that wants to charge using up to 60W.”

So that’s why the recommendation is to bring your own chargers and plug into an electrical outlet. Normal electrical outlets and chargers are single-purpose, so even if your charger does use the data lines it was made by a company you trust and isn’t talking to any malicious controllers.