It seems like an almost fatal flaw to use the same plugs for power and data. It would be pretty easy for someone to set up a public charging station full of mal ware and hijack a lot of devices. . Forget security, this design is like keeping your money in an open box on the sidewalk. Why did we decide to only have one plug on mobile devices?
Because it was a royal pain in the ass for each piece of gear to require separate plugs? I remember the 90s pleasantly…but not for that.
It makes the mobile devices mobile, maybe?
Bob
If you are concerned, there are USB Condoms (seriously) available.
USB has been common since 1998, if this was such a “fatal flaw” then I’d expect it would have become a problem long before now.
By the way, there is a term for this, it’s called “juice jacking.”
That sounds more like a fatal flaw of public charging stations than a fatal flaw of USB.
Wouldn’t this break newer smartphones that communicate with the host to request more power?
Normal USB is 5V * 900mA, but newer devices can request up to 20V after negotiations with the charger.
This isn’t a threat on iOS, as soon as the phone sees a USB connection attempt from an unknown device it puts up a prompt asking you if you trust the device or not. Doesn’t Android do the same?
It means it would charge at standard USB rates like they do with any other non-specific charger.
The simple answer to the OP is - Yes.
USB exploits come in a range of flavours, but they most certainly exist.
The trivial ones don’t work for the most part with modern devices. The days of placing an autorun file in a USB file system and pwning the machine are long gone. USB is a very simple protocol, and in general, it needs active action on the part of your device to have communication work. But the continuing pressure on device makers to have their devices work with little to no action on the part of the owner with all manner of new things always tends to push them to not push securtiy as much as they might.
But where USB gets bad is when concerted attacks are made on the USB controller itself. There are a number of controllers made - although most are now sold as IP blocks by the designers and are simply added to the die along with heaps of other devices. Many USB controller designs are both very smart, and contain (or probably contain) flaws. All the usual attacks are possible - buffer overruns, timing violations, protocol violations. Controllers were designed with the idea that they would only talk to other controllers. Security was not part of the design brief. So it becomes technically possible to breach security on the USB controller itself. Worse, some controllers provide the capabilities needed to install persistent breaches within themselves. So even a total wipe of the affected device won’t clear the infection.
The breach could occur in milliseconds of you plugging your device into the charging port. Personally I would never use a public charging port. I am a bit paranoid that way.
There are devices that turn your connection into a power only connection, for example http://syncstop.com/ If I was routinely using public USB ports I would definitely get something like this. The attacks aren’t common enough to kill public USB charging, but definitely exist.
Almost all USB devices use 5V only - anything else is still pretty exotic these days.
Because it’s a pain in the arse to have different power plugs for all different devices and then carry a another set of cables with you for the data transfer.
Also, it reduces the amount of plugs your device needs, especially if there’s one, that does almost everything.
There are cables, that charge only, if you are concerned about it - my solution is to just use a battery pack. If I need to charge it somewhere, I don’t need to worry if their charger gives me dirty power and wreck my devices or tries to copy data from a battery only.
At least with my Android phone, you can also specify how to react to a usb plug-in; for example only allowing it to be used to power the device vice as a media transfer point.
It’s still a threat, though, because it’s unlikely that the code that locks out the USB connection is without bugs.
Doesn’t mean we should go crazy over it, but we should acknowledge it.
It’s also important to remember that USB can handle all sorts of different devices, and a device might not be what it looks like it is. You could, for instance, make a gizmo that looks like a thumb drive, but actually interacts with the computer as though it were a keyboard and mouse, and starts entering input through them.
Tried them but found it was like computing in a raincoat 
So far there is still no exploit known that can “root” or Jailbreak eg escape the sandbox on recent iOS devices. This is not true for recent Android releases on which many Jailbreak exploits are available. There is no known USB controller exploits on iOS devices either.
Known exploits get fixed. It’s the unknown exploits we have to worry about.