

The NSA Is Going to Love These USB-C Charging Cables - scribu
http://gizmodo.com/he-nsa-is-going-to-love-these-usb-c-charging-cables-1691781672

======
theandrewbailey
> But that convenience doesn't come without a cost; our computers will be more
> vulnerable than ever to malware attacks, from hackers and surveillance
> agencies alike.

Cut the crap. USB is just as vulnerable as it always was. The only thing that
changed with USB-C was practicality and convenience.

~~~
wlesieutre
The author knows USB is just as vulnerable as it always was.

The thing that changed with USB-C is that you can't avoid plugging in USB
devices. If you borrow someone's power cord, you're plugging an unknown USB
device into your computer.

Dropping a malicious USB drive in the parking lot was the traditional attack
vector for USB devices, which obviously won't work as well with a power cord
(a power cord sitting in the parking lot would be a bit suspicious), but it
opens up new targeted attack vectors. Someone could easily swap out your power
cord with a malicious one when you aren't looking, which might wait for your
computer to be inactive, then kick into "fake keyboard mode" to open up a
terminal, download whatever executable off of the internet, and run it (with
your user privileges). It won't own the whole computer without authentication,
but it'll own all of the data in your home folder.

~~~
coldtea
> _The thing that changed with USB-C is that you can't avoid plugging in USB
> devices. If you borrow someone's power cord, you're plugging an unknown USB
> device into your computer._

You know, they could easily add a mode for it, so it only gets power and no
data.

~~~
wlesieutre
Definitely could be, but I'm not holding my breath for any of the major OSes
to implement that. You'd need a popup window for every new keyboard to say
"This is a keyboard! Is it allowed to be a keyboard?" Which works for a laptop
because you always have a keyboard/trackpad built in, but could be a
problem on a desktop if you can't approve a keyboard/mouse without already
having one connected and approved. Do desktops ever include accelerometers?
Maybe you could pick it up and shake it to allow a new keyboard.

On the other hand, as I understand it, USB Power Delivery negotiates the
voltage over the power wires _only_, so making an adapter cable that doesn't
pass data should still be an option for the paranoid among us. But good luck
getting every user at a big company (say, Anthem or Premera) to do that
religiously.
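
The approval policy discussed in this exchange, sketched as an added example that is not part of the thread or of any OS's code: walk a device's USB configuration descriptor and refuse to bind anything exposing a HID interface until it has been approved. The `authorize` function, the `device_id` key and the sample descriptor bytes are assumptions constructed for illustration.

```python
"""Walk a USB configuration descriptor and decide whether the device needs
approval before it may act as an input device. Sample bytes are constructed."""
HID_CLASS = 0x03      # bInterfaceClass for Human Interface Devices
DT_INTERFACE = 0x04   # bDescriptorType of an interface descriptor

def interfaces(config: bytes):
    """Yield (number, class, subclass, protocol) for each interface descriptor."""
    pos = 0
    while pos < len(config):
        length = config[pos]
        # Zero-length or overrunning descriptors are rejected, not skipped.
        if length < 2 or pos + length > len(config):
            raise ValueError(f"malformed descriptor at offset {pos}")
        if config[pos + 1] == DT_INTERFACE:
            if length < 9:
                raise ValueError(f"short interface descriptor at offset {pos}")
            yield config[pos + 2], config[pos + 5], config[pos + 6], config[pos + 7]
        pos += length

def hid_interfaces(config: bytes):
    """Interfaces able to inject input. Every HID interface counts: boot keyboards
    declare subclass 1 / protocol 1, but a non-boot HID can still send keystrokes."""
    return [i for i in interfaces(config) if i[1] == HID_CLASS]

def authorize(device_id: str, config: bytes, approved: set) -> bool:
    """True if the device may be bound: no HID function, or already approved."""
    try:
        return not hid_interfaces(config) or device_id in approved
    except ValueError:
        return False  # fail closed on descriptors that cannot be parsed

def _config(*parts: bytes) -> bytes:
    """Prefix the sub-descriptors with a configuration descriptor header."""
    body = b"".join(parts)
    total = 9 + len(body)
    n_if = sum(1 for p in parts if p[1] == DT_INTERFACE)
    return bytes([9, 2, total & 0xFF, total >> 8, n_if, 1, 0, 0x80, 50]) + body

# Constructed samples: a plain vendor-specific device, and a "charger" that
# additionally exposes a HID boot keyboard interface.
IF_VENDOR = bytes([9, 4, 0, 0, 0, 0xFF, 0x00, 0x00, 0])
IF_KEYBOARD = bytes([9, 4, 1, 0, 1, HID_CLASS, 0x01, 0x01, 0])
HID_DESC = bytes([9, 0x21, 0x11, 0x01, 0, 1, 0x22, 0x3F, 0])
EP_IN = bytes([7, 5, 0x81, 0x03, 8, 0, 10])
PLAIN_DEVICE = _config(IF_VENDOR)
CHARGER_WITH_KEYBOARD = _config(IF_VENDOR, IF_KEYBOARD, HID_DESC, EP_IN)

if __name__ == "__main__":
    for name, cfg in [("plain", PLAIN_DEVICE), ("charger", CHARGER_WITH_KEYBOARD)]:
        print(name, hid_interfaces(cfg), authorize(name, cfg, approved=set()))
```

Identifiers reported by the device itself can be cloned, so keying `approved` on the physical port is the stronger choice than keying it on vendor, product or serial strings.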

~~~
coldtea
Actually seems already implemented -- and that the original article was mostly
BS:

"Gizmodo seems to believe the 12-inch MacBook is vulnerable to this direct
attack, even going so far as to suggest that the NSA will distribute hacked
USB-C power adapters designed to take over your notebook. But unlike
Thunderstrike on vulnerable Macs (see “Thunderstrike Proof-of-Concept Attack
Serious, but Limited,” 9 January 2015), the USB port uses Intel’s xHCI
(eXtensible Host Controller Interface), which can’t be placed into a DFU
(device firmware upgrade) mode to overwrite the MacBook’s firmware. Thus the
MacBook itself can’t be infected with BadUSB, so plugging in an unknown power
adapter can’t give someone control of your MacBook."

