After years of development, USB Type-C is making a very big debut. Last week, Apple announced its new MacBook would come with just a single Type-C plug for both power and data, a move that allowed for the slimmest MacBook ever. A few days later, Google unveiled the new version of its flagship Chromebook Pixel with the same Type-C port. To the extent that hardware components can have a moment, USB Type-C is having one.
Power is the one plug you have to use
But while the new port is powerful, it also comes with serious security problems. For all its versatility, Type-C is still based on the USB standard, which makes it vulnerable to a nasty firmware attack, and researchers are also concerned about other attacks that piggyback on the plug's direct memory access. None of these vulnerabilities are new, but bundling them together with the power cord in a single universal plug makes them scarier and harder to avoid. On a standard machine, users worried about USB attacks could simply tape over their ports, but power is the one plug you have to use. Turning that plug into an attack vector could have serious security consequences.
The biggest concern is the BadUSB vulnerability, first published last year. The attack lives in the firmware of a USB device and infects computers during the earliest stages of the connection, long before users get a chance to see what's on the device or decide whether to open it up. We know how to protect peripherals against the attack — certain USB sticks have already built in protections against firmware infections — but computers are much harder to secure. USB is built for compatibility, so there are very few peripherals a computer won't accept, even if the peripheral ends up spreading malware. Apple's reportedly allowing for third-party chargers and battery packs under its Type-C implementation, opening even more vectors for infection. (Apple did not respond to a request for comment.) In the case of BadUSB, that means it's easy for a bad actor to put together a USB device that will spread the virus every time it's plugged in.
"No solution for BadUSB is in sight even with this new standard."
Type-C has a lot of advantages over previous models, but security experts say it does little to fix the core problems of BadUSB. "The additional openness and flexibility of USB Type-C comes with more attack surface," says Karsten Nohl, one of the researchers who first discovered BadUSB. "No solution for BadUSB is in sight even with this new standard." In part, that's by necessity. USB is an open standard built on backwards compatibility and easy third-party access. You'll need an adapter to plug in old USB devices to Type-C ports, but the old software protocols still work, leaving open the same vulnerabilities. Even giants like Apple and Google need to abide by the rules of the USB standard, which rule out some of the tough sacrifices necessary to securing the standard overall. The result for users is a major security flaw with no easy fix.
In practical terms, that means MacBook and Chromebook Pixel users are now exposed to what you might call a "borrowed charger" attack. The new chargers don't have the firmware needed to carry the BadUSB virus, but it would be easy for an attacker to install it herself, then spend a day in a coffee shop waiting for some unsuspecting target to plug in. From there, the bug would spread to every compatible device the target plugged into. Nearly everyone with a laptop has shared a power cable at some point — compared with the much smaller number who have plugged in a stranger's USB stick — so the attack could reach a lot of otherwise protected computers.
The best protection is avoiding any chargers or devices you didn't buy yourself
Fixing the vulnerability at an ecosystem level is surprisingly difficult. No single company can change the way USB works, so the only real fix is to move away from the standard at large. In the past, Apple has built authentication chips into connectors like Lightning — primarily to protect Apple’s lucrative licensing business, but with stronger hardware security as a nice side effect. That's not possible on an open standard like USB. Even if Apple somehow required all power cables to have an authentication chip tied to tamper-proof firmware, the port would still be vulnerable to older devices. A bad actor could simply masquerade as a last-generation USB device like a wireless keyboard for long enough to pass along the virus.
The best protection is simple: just avoid any chargers or devices you didn't buy yourself. But it's a serious downgrade in device security, set against major upgrades in power transfer and data speed. Combining data and charger ports had made the new MacBook and Pixel faster and more powerful, but the price is an ongoing concern over what devices you trust enough to plug in. In short, we may need to get a lot more protective about our power cords.
Verge Video: The universal plug of the future