Macs Not Vulnerable to BadUSB Attack
“The new MacBook’s single port comes with a major security risk,” proclaims The Verge. Gizmodo took The Verge’s story a step further with, “The NSA Is Going to Love These USB-C Charging Cables.” So what’s the big deal, and is there any fire behind all this hot air?
These articles are pure clickbait. The main exploit in question, called BadUSB, was discovered 8 months ago. In theory, it could be used to attack most USB devices, including Macs, iPads, Windows PCs, and more. But making it seem like the new 12-inch MacBook, and to a lesser degree, Google’s new Chromebook Pixel, has some sort of new vulnerability because of using USB-C is disingenuous at best.
What is BadUSB? It’s a type of attack that overwrites the USB controller on a device — say a USB thumb drive — with malicious code. That compromised device can then attack anything it plugs into by injecting malware, entering keystrokes, or anything else a USB device can do. To work, BadUSB needs to be able to flash the firmware on the target USB device.
Gizmodo seems to believe the 12-inch MacBook is vulnerable to this direct attack, even going so far as to suggest that the NSA will distribute hacked USB-C power adapters designed to take over your notebook. But unlike Thunderstrike on vulnerable Macs (see “Thunderstrike Proof-of-Concept Attack Serious, but Limited,” 9 January 2015), the USB port uses Intel’s xHCI (eXtensible Host Controller Interface), which can’t be placed into a DFU (device firmware upgrade) mode to overwrite the MacBook’s firmware. Thus the MacBook itself can’t be infected with BadUSB, so plugging in an unknown power adapter can’t give someone control of your MacBook.
There are other attack vectors, but none are a serious concern. For instance, USB-C supports direct memory access (DMA), which has been used in the past to attack computers since it allows any connected device direct access to the computer’s memory. An attacker could theoretically use a DMA attack to read memory or overwrite memory locations with his own code. However, Macs now use Intel’s VT-d, which virtualizes the memory DMA devices can access, restricts them to known memory locations, and prevents a DMA attack from overwriting executable memory
and triggering an exploit.
Another vector would be for a BadUSB-controlled device to install malware on the connected computer. But Macs don’t execute files on remote storage automatically, so the user would have to be tricked into launching an app from an unexpectedly mounted drive. That could happen, but seems relatively unlikely.
Lastly, a BadUSB-controlled device could execute keystrokes on a Mac. But this is useful only if the Mac is running, screen unlocked, and the user doesn’t notice or interfere with the string of keystrokes to do something bad. Again, this attack doesn’t seem likely.
We could be missing something, but it looks like The Verge and Gizmodo have it wrong, and USB-C represents no new risk to Macs. The NSA will have to think of something less silly than leaving infected USB-C power adapters throughout the nation’s coffee shops.
I still consider the port a major security risk because I understand you can knock it off a table if you kick or trip over the cable. I can't imagine what goal of simplicity could take priority over the miracle that is MagSafe.
How often has your iPad been knocked off of a table while you were using it plugged in? Hardly ever, because people don't often use an iPad while it's plugged in.
The use case for the new MacBook is that it is so thin and lightweight and has all-day battery life - you would only plug it in to charge when you go to bed, just like an iOS device.
That might be a risk, but it's not a security risk, at least not in the sense the article as addressing.
And I think that with a 9-hour battery life, Apple doesn't intend it to be used while plugged in, just like is true of our iP* devices. (I've never heard a complaint that the iPhone doesn't have a MagSafe connector.)
That's not what "security" means to the rest of us, in such a context.
Also, the idea is that ... you don't leave it plugged in all the time, because it has 8 hours of battery life.
Your comment "We could be missing something, but it looks like The Verge and Gizmodo have it wrong, and USB-C represents no new risk to Macs" is correct.
However, your other comments are not.
The worry about BadUSB is that it attacks the USB controller on your computer.
* Not having autorun on a Mac is irrelevant; the operation happens while the two USB controllers are negotiating. No app launch is necessary.
* You wrote: "Lastly, a BadUSB-controlled device could execute keystrokes on a Mac. But this is useful only if the Mac is running, screen unlocked, and the user doesn’t notice or interfere with the string of keystrokes to do something bad." Again, you miss the point. If your Mac is infected, then *it* can do all these things - when you have unlocked the screen, etc. You don't need the BadUSB device any more; its' work was within seconds of you plugging it in.
In summary, I don't see BadUSB being a significantly worse attack for the new MacBooks, but that doesn't mean it is not a serious attack. The problem is that I haven't seen any way to prevent such an attack, other than "Don't plug in any USB devices"
My understanding is that BadUSB can't infect the USB controllers used on the Mac. I haven't found any examples of direct attack yet, and sources in Apple told me they believe it isn't possible using current techniques.
If I'm wrong, please let me know, but if you look at the BadUSB code/github not all controllers are vulnerable, and some USB drives are known to be protected.
Fantastic article. If you find out more about the possible vulnerability of the Mac USB-C port, it'd be great to see a follow-up piece. We'll definitely post about that on The Loop...
"But Macs don’t execute files on remote storage automatically"
Even ones that people might get tricked into executing (executables with icons that look like pictures or music) get the gatekeeper treatment. (no even remotely impenetrable, for example if the attacker is willing to pay $100 each time Apple notices attacks from that developer ID and revokes one, or if the attacker is willing to only "get" folks that disable gatekeeper, or know how to turn it off "just this once", but don't know enough not to do so for an untested device...)
How about this for a security risk. It's been known for decades that power outlets can transmit data. High bandwidth data across your house or in and out of your house or business. There are no security firewalls on your electrical circuits. And now we have a cute little adapter that transmits video directly over the same cable that will be plugged into your power outlets. Hmmmmmm.
It's not that power outlets can transmit data as such, but that data can be transmitted over power cables by having a modulated carrier signal added to the wiring system. It's called powerline networking.
But it works only if you have the appropriate network adapters on either end of the the connection to encode and decode the signals - without those adapters, there's no way that carrier signal could be read or used in any way.
So no, there's no security risk related to powerline networking and USB-C.
Thanks for the reply, but haha @ Wikipedia as your source.
I think the USB-C port may be acting as the near-side modulator... and who knows who has what listening on the other end.
If you're one for conspiracies, anyway.
Alas for the conspiracy theorists, networking requires carefully designed and installed hardware, and powerline networking even more so than most, since it's operating in the hostile environment of a wiring system designed to carry power, not carrier signals.
Van Eck Phreaking is way more effective than anything you could do over a powerline, and no wires are required. In fact, the CIA has been using it to try and break iPhone encryption.