This article originally appeared in TidBITS on 2015-03-19 at 6:03 a.m.

Macs Not Vulnerable to BadUSB Attack

by TidBITS Staff

“The new MacBook’s single port comes with a major security risk,” proclaims The Verge [1]. Gizmodo took The Verge’s story a step further with, “The NSA Is Going to Love These USB-C Charging Cables [2].” So what’s the big deal, and is there any fire behind all this hot air?

These articles are pure clickbait. The main exploit in question, called BadUSB [3], was discovered 8 months ago. In theory, it could be used to attack most USB devices, including Macs, iPads, Windows PCs, and more. But suggesting that the new 12-inch MacBook and, to a lesser degree, Google’s new Chromebook Pixel have some sort of new vulnerability because they use USB-C is disingenuous at best.

What is BadUSB? It’s a type of attack that overwrites the firmware of the USB controller on a device — say a USB thumb drive — with malicious code. That compromised device can then attack anything it plugs into by injecting malware, entering keystrokes, or anything else a USB device can do. To work, BadUSB needs to be able to flash the firmware on the target USB device.

Gizmodo seems to believe the 12-inch MacBook is vulnerable to this direct attack, even going so far as to suggest that the NSA will distribute hacked USB-C power adapters designed to take over your notebook. But unlike Thunderstrike on vulnerable Macs (see “Thunderstrike Proof-of-Concept Attack Serious, but Limited [4],” 9 January 2015), the USB port uses Intel’s xHCI (eXtensible Host Controller Interface), which can’t be placed into a DFU (device firmware upgrade) mode to overwrite the MacBook’s firmware. Thus the MacBook itself can’t be infected with BadUSB, so plugging in an unknown power adapter can’t give someone control of your MacBook.

There are other attack vectors, but none are a serious concern. For instance, USB-C supports direct memory access (DMA), which has been used in the past to attack computers [5] since it allows any connected device direct access to the computer’s memory. An attacker could theoretically use a DMA attack to read memory or overwrite memory locations with his own code. However, Macs now use Intel’s VT-d [6], which virtualizes the memory DMA devices can access, restricts them to known memory locations, and prevents a DMA attack from overwriting executable memory and triggering an exploit.

Another vector would be for a BadUSB-controlled device to install malware on the connected computer. But Macs don’t execute files on remote storage automatically, so the user would have to be tricked into launching an app from an unexpectedly mounted drive. That could happen, but seems relatively unlikely.

Lastly, a BadUSB-controlled device could execute keystrokes on a Mac. But this is useful only if the Mac is running, its screen is unlocked, and the user doesn’t notice or interfere with the string of keystrokes needed to do something bad. Again, this attack doesn’t seem likely.
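A device that injects keystrokes has to present a HID interface to the host, so one defensive check is to compare the interface classes a device declares with what it is supposed to be. The following is an added example, not part of the original article: it parses a raw USB configuration descriptor and reports interfaces outside an expected set. The descriptor bytes are constructed samples and the function names are hypothetical.

```python
import struct

CLASS_HID, CLASS_MASS_STORAGE = 0x03, 0x08   # USB-IF interface class codes
DT_CONFIG, DT_INTERFACE = 0x02, 0x04         # bDescriptorType values

def interfaces(blob: bytes):
    """Yield (class, subclass, protocol) for every interface descriptor in a
    raw configuration descriptor (the bytes a host reads at enumeration)."""
    off = 0
    while off < len(blob):
        if off + 2 > len(blob):
            raise ValueError(f"truncated descriptor header at offset {off}")
        length, dtype = blob[off], blob[off + 1]
        if length < 2 or off + length > len(blob):
            raise ValueError(f"malformed descriptor at offset {off}")
        if dtype == DT_INTERFACE:
            if length < 9:
                raise ValueError(f"short interface descriptor at offset {off}")
            # bInterfaceClass, bInterfaceSubClass, bInterfaceProtocol
            yield tuple(blob[off + 5:off + 8])
        off += length

def audit(blob: bytes, expected_classes: set):
    """Return a finding for each interface whose class is not expected."""
    findings = []
    for cls, sub, proto in interfaces(blob):
        if cls in expected_classes:
            continue
        if cls == CLASS_HID:
            # Protocol 1 is a boot keyboard; other HID devices can also type.
            label = "HID boot keyboard" if (sub, proto) == (1, 1) else "HID"
        else:
            label = f"class 0x{cls:02x}"
        findings.append((cls, sub, proto, label))
    return findings

# --- constructed sample descriptors (no endpoints, for brevity) ---
def _iface(num, cls, sub, proto):
    return bytes([9, DT_INTERFACE, num, 0, 0, cls, sub, proto, 0])

def _config(*ifaces):
    body = b"".join(ifaces)
    head = struct.pack("<BBHBBBBB", 9, DT_CONFIG, 9 + len(body),
                       len(ifaces), 1, 0, 0x80, 50)
    return head + body

PLAIN_DRIVE = _config(_iface(0, CLASS_MASS_STORAGE, 0x06, 0x50))
DRIVE_WITH_KEYBOARD = _config(_iface(0, CLASS_MASS_STORAGE, 0x06, 0x50),
                              _iface(1, CLASS_HID, 0x01, 0x01))

if __name__ == "__main__":
    for name, blob in (("plain", PLAIN_DRIVE), ("suspect", DRIVE_WITH_KEYBOARD)):
        print(name, audit(blob, {CLASS_MASS_STORAGE}))
```

A device can also drop its storage interface and enumerate as a keyboard only, so the expected set should come from what the user believes they plugged in, not from the device's own claims.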

We could be missing something, but it looks like The Verge and Gizmodo have it wrong, and USB-C represents no new risk to Macs. The NSA will have to think of something less silly than leaving infected USB-C power adapters throughout the nation’s coffee shops.