USB Type-C: Could new laptop ports be a malware entry point?

When Apple announced the new Macbook, the company took the headline grabbing decision to reduce the number of ports to just a single USB Type-C access point. Apple is not alone, as Google’s flagship Chromebook Pixel will also adopt the port. It will both charge your laptop battery and offer fast data transfer speeds, but what does this mean for security?

BGR raised early concerns noting that there have been USB threats in the past, such as Bad USB (covered by We Live Security here). In the case of current USB sticks though, people are generally more cautious, as the dangers of using an unknown device are well-documented. People are often less aware of the risks posed by untrusted chargers.

“Users can no longer distinguish potentially dangerous inputs such as USB, FireWire, or Thunderbolt from a simple power charger,” Diogo Monica, chair of the IEEE’s Public Visibility Committee told Yahoo News. “This means that attacks like last year’s BadUSB will not only continue to be possible, but will actually be harder to avoid.”

However, the risk shouldn’t be overstated, given the cost of turning a standard power brick into a sophisticated spying device. While it’s possible that hardware could be included to steal data, and even transmit them from the power block, it would be a costly solution for something that – to lure in unsuspecting victims – would have to be cheaper than the official product. To that end, if attacks are done this way, they’re more likely to be extremely targeted at specific individuals.

Still, while the possibility is there, can manufacturers including USB Type-C connectors act to protect their systems? As The Verge points out, it’s actually a lot harder than it sounds, as USB is an open standard. While Apple has had authentication chips into its Lighting connectors, this remains impossible with open standards.

“Combining data and charger ports had made the new MacBook and Pixel faster and more powerful, but the price is an ongoing concern over what devices you trust enough to plug in,” concludes The Verge.

Hadrian / Shutterstock.com

Author , ESET

  • Sven Johannsen

    Isn’t this, or hasn’t this been, a potential issue with mini/micro-usb charging all along? Most tablets and phones use this as both a charge and data port already. The ubiquity of these chargers makes it much more likely that they could be exploited than this ‘new’ option. You might say that the MacBook being a full OS, makes it more subject to exploitation and more likely to have targetable information, but the new MS Surface 3 falls into that same arena, and charges via micro-usb.

  • Android devices had a way of identifying if a USB device they are connected to is a data device or a charger and would show the USB trident if the device is a data device. Then Apple introduced in to newer iterations of the iOS platform a dialogue box that popped up if you connect your iOS device to a different computer. In both these setups, if you plugged them in to a charger, they wouldn’t show an indicator or pop up a dialogue box.

    What could happen is for operating systems to implement a “trusted device” setup which allows you to have control on devices you connect to your computer’s USB port on a data-connection role.

Follow us

Copyright © 2017 ESET, All Rights Reserved.