The new Apple MacBook has a number of innovative features, but perhaps the most striking is that it has just one data port: a single USB Type-C port that is also used as the power connector.
It’s new, it’s different, and it could make your computer more vulnerable to cyber attacks.
When USB goes bad
The USB standard was not created with security in mind – as last year’s BadUSB exploit amply demonstrated. Last July, security researchers demonstrated that thumb drives containing malware could be used to infect computers without their owners ever realizing it. Roughly half of all thumb drives are vulnerable to a BadUSB attack, according to researchers at SRLabs.
USB-C is no more (or less) secure than any of the USB standards that preceded it. But because the single USB-C port on the MacBook is used for so many different purposes, the number and type of devices that could be used to attack your computer just grew. A lot.
“Users can no longer distinguish potentially dangerous inputs such as USB, FireWire, or Thunderbolt from a simple power charger,” says Diogo Monica, security lead at Docker and chair of the IEEE’s Public Visibility Committee. “This means that attacks like last year’s BadUSB will not only continue to be possible, but will actually be harder to avoid.”
For example, your computer could get infected by plugging in a rogue charger, says Darren Kitchen, founder of security firm Hak5, which makes the USB Rubber Ducky thumb drive used by corporations to test their internal security. USB Rubber Ducky works by convincing a computer it’s actually a keyboard, then launches an automated attack that takes over the machine.
“There’s a lot of room to embed stuff in a modern power brick,” says Kitchen. “You could install hardware that injects keystrokes into the computer to copy data off your hard drive, then transmit it via a WiFi or 4G chip. Or, if you’re the NSA, you install a retro reflector and blast it with radar from a black van parked down the street.”
The downside – from the attacker’s perspective, at least – is cost. Turning a standard power brick into a sophisticated spying device can get expensive, which is why you’re unlikely to see anything like this in the bargain charger bin at Amazon or Alibaba.
If such devices do arise, they’re likely to be employed in sophisticated targeted attacks against high-profile individuals, says Steve Santorelli, founder of security consulting firm Team Cymru and a former investigator for Scotland Yard.
“What I’d fear is that either a nation-state would replace your charger with one that has additional ‘features’ to assist their information gathering, or a charger that might have some firmware that could be attacked and used to sniff your traffic somehow,” says Santorelli. “There’s a lot of precedent for this class of attack with cheap DSL router firmware being altered without the end user’s knowledge or permission.”
Remember: The Stuxnet virus was delivered via a rogue USB thumb drive left for some unsuspecting Iranian nuclear engineers. The next thing Iran knew, its uranium centrifuges shook themselves to pieces, delaying its march to joining the Nuclear Club by several years.
Type C infections
So why doesn’t Apple fix this? Because it can’t – at least, not without making its computers incompatible with hundreds of millions of USB devices in the wild, notes Monica.
“The main problem is that USB is an open standard, and it seems to have had no security considerations at design time,” he says. “This means that no single company can change the way USB works. Apple can’t simply build in their own protections without violating the standard or potentially breaking compatibility with devices.”
And it’s not just Apple. USB-C is expected to become the primary port for millions of other devices. The good news is that your odds of becoming a victim of a rogue, malware-laden, spy-agency-crafted USB-C device are currently rather slight.
Still, if you do get nailed, that’s not much comfort. But there are a few things you can do to avoid it.
One is to only use USB-C devices from vendors that you trust and not buy the cheapest charger or hub you can find online. That means you will likely pay more for them (especially if you buy them directly from Apple). It also means you should avoid using cables and hubs conveniently left in public places like airport lounges or WiFi cafes.
You could also use a device like SyncStop, which plugs into a USB port and deactivates its data pins. SyncStop (formerly called USB Condom) allows you to charge your device but blocks information flowing to or from your computer. At press time, however, SyncStop did not offer a Type-C compatible dongle.
Otherwise, the advice is pretty much the same as for any potential cyber threat: keep your OS, browser, and anti-malware software up to date, and don’t do anything stupid, says Robert Siciliano, online safety expert for Intel Security.
“Just as you would never pick up and chew on a discarded piece of gum, you should never plug an unknown device into your machine,” he says.
Send email and less disgusting metaphors to Dan Tynan at ModFamily1@yahoo.com.