Information Security News mailing list archives

Previous By Date Next
Previous By Thread Next

The new MacBook's single port comes with a major security risk

From: InfoSec News <alerts () infosecnews org>
Date: Thu, 19 Mar 2015 09:00:04 +0000 (UTC)
http://www.theverge.com/2015/3/16/8226193/new-apple-macbook-usb-type-c-security-risk-badusb

By Russell Brandom
The Verge
March 16, 2015
After years of development, USB Type-C is making a very big debut. Last week, Apple announced its new MacBook would come with just a single Type-C plug for both power and data, a move that allowed for the slimmest MacBook ever. A few days later, Google unveiled the new version of its flagship Chromebook Pixel with the same Type-C port. To the extent that hardware components can have a moment, USB Type-C is having one.
But while the new port is powerful, it also comes with serious security problems. For all its versatility, Type-C is still based on the USB standard, which makes it vulnerable to a nasty firmware attack, and researchers are also concerned about other attacks that piggyback on the plug's direct memory access. None of these vulnerabilities are new, but bundling them together with the power cord in a single universal plug makes them scarier and harder to avoid. On a standard machine, users worried about USB attacks could simply tape over their ports, but power is the one plug you have to use. Turning that plug into an attack vector could have serious security consequences.
The biggest concern is the BadUSB vulnerability, first published last year. The attack lives in the firmware of a USB device and infects computers during the earliest stages of the connection, long before users get a chance to see what's on the device or decide whether to open it up. We know how to protect peripherals against the attack — certain USB sticks have already built in protections against firmware infections — but computers are much harder to secure. USB is built for compatibility, so there are very few peripherals a computer won't accept, even if the peripheral ends up spreading malware. Apple's reportedly allowing for third-party chargers and battery packs under its Type-C implementation, opening even more vectors for infection. (Apple did not respond to a request for comment.) In the case of BadUSB, that means it's easy for a bad actor to put together a USB device that will spread the virus every time it's plugged in. 

[...]


--
Evident.io - Continuous Cloud Security for AWS.
Identify and mitigate risks in 5 minutes or less.
Sign up for a free trial @ https://evident.io/
Previous By Date Next
Previous By Thread Next

Current thread: