March 17, 2015

USB-C and BadUSB attacks: What you need to know

by John_A

Apple announced the new MacBook with a USB-C connector last Monday, and headlines are already appearing that link it to known security issues, like BadUSB.

BadUSB is an attack that uses the way computers interface with the universal serial bus (USB) standard to try and load malware onto the machine. It’s a longstanding issue with USB in general, and nothing specific to Apple or the MacBook’s implementation of USB-C. Throwing Apple and a hot new product under the headline bus is a great way to get attention, but what’s really going on?

BadUSB is a concern for anyone who has a USB port on any computer from any vendor. It’s theoretically possible for an attacker to set up malware on any USB device. That’s why you shouldn’t just grab cables or thumb drives or other peripherals from people or places you don’t know, especially if you have any reason to believe you might be a target.

The reason BadUSB is getting renewed attention for USB-C is that, on new products like the MacBook and the Chromebook Pixel, USB is also the charging port. So, BadUSB has a larger attack surface. (You’ll always be plugging into USB, not into something else like AC power or DisplayPort.)

Convenience exists in opposition to security. We know this. USB-C comes with all the advantages of being a standard, and all the disadvantages as well. Neither Apple nor Google nor anyone else can build in their own protections at the hardware level without violating the standard or potentially breaking compatibility.

Vendors, including Apple and Google, might need to adopt something like the iOS “Trust this Computer” prompt for OS X and Chrome OS. The trust prompt, which grew out of similar attacks called Juice Jacking, means an external USB device can’t exchange data with the computer unless and until the person at that computer gives express permission for it to do so.
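A minimal model of the deny-by-default trust gate described above, as an added example that is not from the original article or from any vendor's implementation. `Device`, `TrustGate`, the prompt callback and the sample IDs are hypothetical; it assumes trust is bound to the set of functions a device declares, so a known device that returns with a new function is prompted for again.

```python
from dataclasses import dataclass, field
from typing import Callable

# USB interface class codes: 0x03 = HID (keyboard/mouse), 0x08 = mass storage.
HID, MASS_STORAGE = 0x03, 0x08

@dataclass(frozen=True)
class Device:
    vendor_id: int
    product_id: int
    serial: str
    interfaces: frozenset  # interface class codes the device declares

@dataclass
class TrustGate:
    """Deny by default: charging is always allowed, data only after approval."""
    ask_user: Callable[[Device], bool]  # hypothetical prompt callback
    approved: dict = field(default_factory=dict)

    def on_attach(self, dev: Device) -> str:
        # Caveat: these identifiers are self-reported by the device, so this
        # key narrows what gets trusted but does not authenticate the device.
        key = (dev.vendor_id, dev.product_id, dev.serial)
        # Trust covers only the exact interface set the user approved.
        if self.approved.get(key) != dev.interfaces:
            if not self.ask_user(dev):
                return "charge-only"
            self.approved[key] = dev.interfaces
        return "data"

def demo():
    """Run three constructed attach events through the gate."""
    prompts = []
    answers = iter([True, False])  # constructed user responses
    def ask(dev):
        prompts.append(sorted(dev.interfaces))
        return next(answers)
    gate = TrustGate(ask)
    drive = Device(0x1234, 0x5678, "A1", frozenset({MASS_STORAGE}))
    morphed = Device(0x1234, 0x5678, "A1", frozenset({MASS_STORAGE, HID}))
    results = [gate.on_attach(drive),    # first attach: prompted, approved
               gate.on_attach(drive),    # unchanged re-attach: no prompt
               gate.on_attach(morphed)]  # adds a keyboard: prompted, declined
    return results, prompts

if __name__ == "__main__":
    print(demo())
```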

In the meantime, if you’re at all concerned about BadUSB, buy your own cables, adapters, and devices, keep them safe, and don’t use any cables, adapters, or devices you don’t absolutely trust. Don’t be scared or made to feel paranoid by overly sensational headlines. Be informed and avoid situations that could, even potentially, put you at risk.

Nick Arnott contributed to this article.
