http://www.theverge.com/2015/3/16/8226193/new-apple-macbook-usb-type-c-security-risk-badusb
By Russell Brandom
The Verge
March 16, 2015

After years of development, USB Type-C is making a very big debut. Last week,
Apple announced its new MacBook would come with just a single Type-C plug for
both power and data, a move that allowed for the slimmest MacBook ever. A few
days later, Google unveiled the new version of its flagship Chromebook Pixel
with the same Type-C port. To the extent that hardware components can have a
moment, USB Type-C is having one.

But while the new port is powerful, it also comes with serious security
problems. For all its versatility, Type-C is still based on the USB standard,
which makes it vulnerable to a nasty firmware attack, and researchers are also
concerned about other attacks that piggyback on the plug's direct memory
access. None of these vulnerabilities are new, but bundling them together with
the power cord in a single universal plug makes them scarier and harder to
avoid. On a standard machine, users worried about USB attacks could simply tape
over their ports, but power is the one plug you have to use. Turning that plug
into an attack vector could have serious security consequences.

The biggest concern is the BadUSB vulnerability, first published last year. The
attack lives in the firmware of a USB device and infects computers during the
earliest stages of the connection, long before users get a chance to see what's
on the device or decide whether to open it up. We know how to protect
peripherals against the attack — certain USB sticks have already built in
protections against firmware infections — but computers are much harder to
secure. USB is built for compatibility, so there are very few peripherals a
computer won't accept, even if the peripheral ends up spreading malware.

Apple's reportedly allowing for third-party chargers and battery packs under
its Type-C implementation, opening even more vectors for infection. (Apple did
not respond to a request for comment.) In the case of BadUSB, that means it's
easy for a bad actor to put together a USB device that will spread the virus
every time it's plugged in.
[...]