Apple announced the new MacBook with USB-C connector last Monday and already headlines are appearing linking it to known security issues, like BadUSB.
BadUSB is an attack that uses the way computers interface with the universal serial bus (USB) standard to try and load malware onto the machine. It's a longstanding issue with USB in general, and nothing specific to Apple or the MacBook's implementation of USB-C. Throwing Apple and a hot new product under the headline bus is a great way to get attention, but what's really going on?
BadUSB is a concern for anyone that has USB port on any computer from any vendor. It's theoretically possible for an attacker to set up malware on any USB device. That's why you shouldn't just grab cables or thumb drives or other peripherals from people or places you don't know, especially if you have any reason to believe you might be a target.
The reason BadUSB is getting renewed attention for USB-C is that, on new products like the MacBook and the Chromebook Pixel, USB is also the charging port. So, BadUSB has a larger attack surface. (You'll always be plugging into USB, not into something else like AC power or DisplayPort.)
Convenience exists in opposition to security. We know this. USB-C comes with all the advantages of being a standard, and all the disadvantages as well. Neither Apple nor Google nor anyone else can build in their own protections at the hardware level without violating the standard or potentially breaking compatibility.
Vendors, including Apple and Google, might need to adopt something like the iOS "Trust this Computer" prompt for OS X and Chrome OS. The trust prompt, which grew out of similar attacks, called Juice Jacking, means an external USB device can't exchange data with the computer unless and until the person at that computer gives express permission for it to do so.
In the meantime, if you're at all concerned about BadUSB, buy your own cables, adapters, and devices, keep them safe, and don't use any cables, adapters, or devices you don't absolutely trust. Don't be scared or made to feel paranoid by overly sensational headlines. Be informed and avoid situations that could, even potentially, put you at risk.
Nick Arnott contributed to this article.
No comments:
Post a Comment