Could the New MacBook’s Single USB-C Port Pose a Major Security Threat?


Apple aficionados have applauded many aspects of the new MacBook’s design, but many have complained about the new MacBook’s single USB-C port. In addition to being inconvenient, some argue that it poses a significant security risk.

Malware spread via USB is nothing new, and some researchers fear that a USB-C charger could become a malware free-for-all. It’s not an impossible scenario. Since people are more likely to borrow a charger than plug in an unfamiliar USB stick, the single USB-C port could increase the spread of USB-transmitted malware. In reality, there’s probably no shadowy figure waiting to infect your new MacBook with a cleverly programmed power cord. A little paranoia is advisable, but too much paranoia can ruin a good thing.

How Likely Is a USB Malware Attack?

A recent article published by The Verge suggested a scenario in which an attacker programmed a USB-C power cord with malware. The attacker then plugged the cord into a café outlet and waited for people to charge their laptops with it, thus infecting their computers with malware. Although USB attacks are one of the most effective ways to introduce malware onto a computer — think Stuxnet — they’re much less common than online vectors. To infect a new MacBook via USB, someone would have to deliberately insert an infected USB-C device into the port.

Although anything’s possible, most USB attacks aren’t aimed at unsuspecting café Wi-Fi freeloaders. They’re designed to infiltrate specific computers and specific organizations, and they’re conducted by governments committing espionage. To spread Stuxnet, for example, operatives plugged infected USB drives into computers in Iranian nuclear plants. The attack had a specific purpose, which was to cause malfunctions that would destroy nuclear centrifuges.

Bottom line: Unless you’re a nuclear scientist or someone connected to a valuable espionage target, don’t worry about your lone USB-C port. If you’re just a regular Joe drinking coffee, no one’s waiting for you with a nefarious power cord.

Related: 7 Tips for Better Mac Security

What About BadUSB and WireLurker? They’re USB-Related and Scary

People who train to become security experts, whether on the job or in top cybersecurity graduate programs, get paid to think of every imaginable attack scenario, and some of those scenarios do involve USB devices. Two USB attacks that made the news last year have caused many to rethink USB as a universal plug-and-play standard.

BadUSB, a proof-of-concept attack uncovered by Karsten Nohl and Jakob Lell, can transmit firmware infections from computer to computer via connected USB devices. However, just because Nohl and Lell demonstrated that BadUSB could happen doesn’t meant that an attack is imminent. WireLurker malware, which infected Apple and iOS devices in China, originated in third-party app stores. Users installed third-party Mac apps infected with WireLurker, and WireLurker installed itself on syncing iOS devices.

The WireLurker attack alarmed people — rightfully so — because a third-party application shouldn’t be able to install itself onto a non-jailbroken iOS device. However, if Mac users stick to the Mac App Store and avoid downloading third-party software, then they’re not in immediate danger of being exposed to WireLurker.

Keeping Your New MacBook Safe

macbook_security_threat

If you’re truly worried someone about coming after your new MacBook with an infected USB-C device, these simple precautions will put your mind at ease:

  • Never leave your MacBook unattended. Seriously. It’s not that hard. If you leave your office while your MacBook’s inside, lock the door behind you.
  • Only use Apple apps and peripherals. Don’t buy the third-party chargers and batteries that Apple plans to allow for the new MacBook. Even when you’re in a pinch, don’t plug in anyone else’s chargers or USB devices. Also, don’t download non-Apple applications for your new MacBook if you’re worried about malware like WireLurker.
  • Don’t use your personal new MacBook at work. Don’t do work on your personal devices, and don’t use your personal devices to access work-related networks. That way, if a secret agent or stealthy café stalker infects your new MacBook using a USB-C device, your MacBook malware won’t put anyone in danger except you.

Reality Check

It’s much easier for an attacker to infect a third-party app and let people mass-download malware than it is to stick infected USB devices into random MacBooks. Unless someone has a reason to come after your new MacBook, you’re going to be okay.

Man using MacBook image by Startup Stock Photos (public domain)


Apple Gazette

One Comment

Your email address will not be published.