USB-C and BadUSB attacks: What you need to know

BadUSB is an attack that uses the way computers interface with the universal serial bus (USB) standard to try to load malware onto the machine. It's a longstanding issue with USB in general, and nothing specific to Apple or the MacBook's implementation of USB-C. Throwing Apple and a hot new product under the headline bus is a great way to get attention, but what's really going on?

BadUSB is a concern for anyone who has a USB port on any computer from any vendor. It's theoretically possible for an attacker to set up malware on any USB device. That's why you shouldn't just grab cables or thumb drives or other peripherals from people or places you don't know, especially if you have any reason to believe you might be a target.

The reason BadUSB is getting renewed attention for USB-C is that, on new products like the MacBook and the Chromebook Pixel, USB is also the charging port. So, BadUSB has a larger attack surface. (You'll always be plugging into USB, not into something else like AC power or DisplayPort.)

Convenience exists in opposition to security. We know this. USB-C comes with all the advantages of being a standard, and all the disadvantages as well. Neither Apple nor Google nor anyone else can build in their own protections at the hardware level without violating the standard or potentially breaking compatibility.

Vendors, including Apple and Google, might need to adopt something like the iOS "Trust this Computer" prompt for OS X and Chrome OS. The trust prompt, which grew out of similar attacks called juice jacking, means an external USB device can't exchange data with the computer unless and until the person at that computer gives express permission for it to do so.

In the meantime, if you're at all concerned about BadUSB, buy your own cables, adapters, and devices, keep them safe, and don't use any cables, adapters, or devices you don't absolutely trust. Don't be scared or made to feel paranoid by overly sensational headlines. Be informed and avoid situations that could, even potentially, put you at risk.

Nick Arnott contributed to this article.

Rene Ritchie

Rene Ritchie is one of the most respected Apple analysts in the business, reaching a combined audience of over 40 million readers a month. His YouTube channel, Vector, has over 90 thousand subscribers and 14 million views and his podcasts, including Debug, have been downloaded over 20 million times. He also regularly co-hosts MacBreak Weekly for the TWiT network and co-hosted CES Live! and Talk Mobile. Based in Montreal, Rene is a former director of product marketing, web developer, and graphic designer. He's authored several books and appeared on numerous television and radio segments to discuss Apple and the technology industry. When not working, he likes to cook, grapple, and spend time with his friends and family.

  • Most technology buffs demand the most and best from the products they may buy. Apple removes features from their products and sells them as accessories and Apple fans basically rationalize that it's what's best for them. Ive sacrifices so much in terms of advancement for the sake of 'design'. It's a f#@king computer! So many other companies have shown that so much more can be done in the same footprint (or smaller) with more power. You guys will rationalize it all out and Apple counts on this and makes a fortune from it. Apple fans have no demands, they just wait for Apple to tell them what they want and then cheer for it like it's something special! Like government cheese! Eat it up!
  • If Apple never had the guts to move on, you will still be having a 5.5 inch and a 3.5 inch floppy drive on your Windows laptop (I am sure Windows manufacturers would have gladly and without regret dumped a design like that on u, even in this day). People who complained about the MacBook Air having no DVD drive, are now considering DVD an ancient tech. Change is difficult, but it is inevitable. Wait for 2 years and see what is out in the Windows market.
  • I'm not a fan of Apple by any stretch of the imagination, but I must agree with you here. There is a big difference, no one on the other side roots for the people that take their money. They like a device, or hate a device, more often a mixture of both, but I don't ever think you will hear "There's people that buy Lenovo because they are smart, affluent, and discriminating, then there's everybody else.".
  • There's a difference between streamlining features and removing practicality. When Apple removed the floppy drive, there was a cheap alternative that worked better. That's not the case here. USB-C is not widespread enough for it to be the *only* port available.
  • Yet again it must be said, the new MacBook hasn't replaced any of the other laptops Apple has in their line, is not the only device you can buy, you have the option of buying one of the other products that they sell which may or may not accommodate your needs in a better form.
  • Wireless is the cheaper alternative that is already available. And if u need to be old school, please get the adapter or wait for the rest of the industry to catch up, which will be pretty ridiculously soon now. And if u don't want to be an early adopter of the obvious future, of course, the MacBook Pro and Air is still available. If u don't want to be the change, wait for us to change it and then adopt it in 2 years. But when u do use your floppy-drive-less laptop, do realise someone had to get rid of it and someone had to be an early adopter.
  • I'm not sure why my position is confusing to some. I know there are other options currently available. My grievance is not that Apple changed the port, but that they only included one. Charging $80 for an adapter for a computer that's already overpriced is outrageous.
  • There is no confusion. We clearly understand your position. It is the same position common people took when the MacBook Air was released. Removing DVD drives for the sake of thinness and then charging $70 for an external SuperDrive was outrageous. And they were partly right. But u see the impact of that product in today's Windows laptops. You see, ports need to go away in the long run. It is Apple's vision of the future of the netbook. Same as getting rid of DVD drives. It will start with 1 product and eventually over a period of years slowly come to their entire product line. It takes a staggering amount of market research, technology, confidence, design, marketing, advertising and painful grit taking in all uninformed or ill intentioned negative criticism to move the world one step forward.
  • I'm just gonna agree to disagree with Apple's vision of the future and hope that the Pro line is left with more wired options.
  • Don't worry, that is way way down the line and by that time no one will be using any ports. Or maybe you are one of those people who wish the pro line had a 5.5 inch and a 3.5 inch floppy drive, 1 DVD drive and 2 PS/2 ports.
  • Nope. To be honest with you, I wouldn't have said anything at all if the new MacBook had one USB-C port and one USB-A. If the pro can hold onto two USB-C ports and an SD card reader, I'm on board. I just know wireless options fail, especially with Apple products. I'm all for streamlining, but I hope the Pro line never gets down to a single port option.
  • I know what you mean, but Rene is talking about USB in general. So you are off track on this subject. Save your criticism on a posting where it counts. Sent from the iMore App
  • And what's your rant got to do with USB-C and the attendant Bad-USB security threat? Any issue an excuse to hurl invective at the object of your irrational hate. Stay on topic, hater.
  • Hurry on now, wireless technologies, and the tech world can dispense with the security threats posed by cables once and for all. Although, I guess, there will be equally pernicious threats that the wireless revolution will usher in.
  • You should stay on topic, the article is not about this and as annoying as you may find it they do sell other computers with more ports...
  • Honestly, this is the 1st time that I've heard of "BadUSB". I can't say I'm surprised.
    I agree with your point about mainstream media exploiting fear & dread to sell copies & draw peoples' attention. It's as shameful as trolls trying to pick fights...
    Darn, I'm fresh out of gold stars & cookies. Sent from the iMore App
  • Yep does seem like we have a troll invasion. Their mission is to tell us 'Apple fans' that we are puppets of Sir Ive. Even when they are off topic. Well more power to troll-c or better yet Badtroll. Sent from the iMore App
  • There might be some trollishness in the headlines, but there is a genuine concern too, because, as Rene put it, it expands the "attack surface." Think of places like airports and coffee shops. Power at the gate usually comes from standard power plugs, but an increasing number of them have USB ports for phones as well. (This is how juice jacking began.) As the new standard, it is not hard to see a future where USB-C plugs will be in these places, as well. When they are, because that one connection carries both power and data, you cannot charge without also potentially exposing your machine. Whether it is Apple on the MB, Google on the Pixel, or MS on the eventual Wintel variants with USB-C, a do not trust option should be built-in.
  • You see @Dev from tipb that's the kind of responses I learn from coming to this site. Appreciate your input in the discussion. Not the rants some of these guys go off on. You give me something to think about and research. Sent from the iMore App
  • I'd heard something about it but since it has the potential to do the same with any machine that has a USB connector it seems that all that is happening is that a few journalists with a chip on their shoulder about Apple -- maybe they used to get invites and then suddenly the invites stopped, who knows I don't -- and will dig up any old crud just to make a negative story. I am teetering on buying the new MacBook, I rarely see people actually using all the connectors on a laptop and just having them there is more a security blanket for some people who use the "I might one day need that connector". Saying that I purchased a cheap netbook just to operate a particular printer and run a particular piece of software that was not available on the Mac. It only has a single USB port used and the dedicated power supply. If there was just a USB-C connector then I would have purchased a USB Hub (if one was available) and just connected everything through that hub and I may still do that and rid myself of this huge 27 inch screen that is 'my security blanket' I will wait and see. Hopefully the single connector will spread to the rest of the range as well and simplify life. If only though they would lower the price to reflect the lower costs of not having all the dedicated chipsets and other hardware and rather than making slimmer just filled that dead space up with battery.
  • The "Do You Trust this Device?" prompt is a great option. I really hope all vendors adopt this practice. In the meantime, there are "USB condoms" that plug into your port for a friend to charge their device, only the power wires are physically connected, so there is no way for data to transfer. (Sorry no link) Sent from the iMore App
  • I was wondering when Rene will come up defending the Verge it is.
  • "...don't use any cables, adapters, or devices you don't absolutely trust" Uh, well, as much as that does not worry me personally, I do not own a single USB device, I just do not think that this is possible for most people. Memory sticks are still the most common way to exchange files, even between people in businesses. Wireless transfer of large files on a mobile device is often not possible, due to bandwidth constraints or policies not allowing to send files through a public network. Direct transfer stuff like Air Drop is proprietary, and won't allow me to exchange files with some 90% of others out there. These headlines may be sensationalist, but they do contain one truth: the only connectivity on these devices relies on the least secure interface in existence. I couldn't charge, transfer files, import pictures, connect a monitor, heck, not even listen to music or plug in a headset for a FaceTime call, without using it. That wonderful wireless world that Apple had in mind when they released the first MacBook Air is still not here. Public WiFi is insecure and slow, 3G/4G is metered, both are not always available. Secure open standards for peer-to-peer transfer between all platforms do either not exist, or are not being implemented. BT headsets are crappy, overpriced and always out of juice when you need them. But hey, since all these thin and light devices made me carry iPhone and iPad cables everywhere (Apple Watch cable and 'wireless' headset cable to follow)... I can now add four power bricks as well, since the laptop with only one port can't charge nothing most of the time. For those living at Starbucks and not caring for security, this is maybe a non-issue, and this is truly the crowd this device is for. Not justifying the sensationalist crap, but truly can't see why adding at least a Thunderbolt port and a headphone jack would have been so hard here.
  • This is what happens when Apple goes with a standard, it's what we all wanted. I like many others am happy that we now have one plug to rule them all across devices made by many different companies. These will be coming in force this year. I commend Apple for implementing type-C this quickly and agree with Rene about the "Trust this computer" prompt. There will forever be vulnerabilities, these tech companies will just fix them quickly and we will move on.
  • Bottom line is Apple is forcing people to spend more on adapters & hubs because they were too greedy when they put only 1 port on their MacBook. Sent from the iMore App
  • Would you have been less disappointed if there were two USB-C connectors? Or do you want USB Type-A, or non-USB ports? Why not just get a MBA or MBP? Or a Lenovo Yoga 3 Pro?
    What I don't get is that the Lenovo Yoga 3 Pro is thinner than this MB (from what I've found- 12.7mm vs 13.1mm) and that has several USB type-A, it also charges through one of them, and you can charge your phone from that port even when the Yoga is turned off - like a battery pack. BTW, no Ethernet port on the Yoga. Sent from the iMore App
  • I think and maybe is only me, that it has something to do with the fact that the Yoga Pro is not the same size as the new MacBook.
    MacBook: 11.04" inches x 7.74" x 0.14–0.52", weight: 2.03 lbs
    Lenovo Yoga 3 Pro: 13" x 9" x 0.5", weight: 2.62 lbs
  • I was going to get the new Macbook after trying it and seeing actual hands-on reviews. Then I discovered the Yoga Pro 3 has the same innards as the new Macbook: same CPU/graphics, same amount of RAM and SSD storage. The reviews on the Yoga Pro 3 are lukewarm at best. Benchmark numbers are low and real-world tests show meager performance. Based on that I did not wait and bought a lower-tier Macbook Pro instead of waiting because I need a laptop sooner rather than later. I will say I am loving this 13" MBP with the only upgrade being 256 Gig SSD. My one demanding app recommends at least a 2 Ghz dual core processor and I couldn't risk the Macbook not being up to the task and the Yoga Pro 3 bears that out.
  • BadUSB works by reprogramming a USB memory stick to enumerate itself to the host device as a keyboard. Once the keyboard driver is loaded, it starts sending keyboard commands hoping to find a command line or terminal session it can exploit. The answer is simple: modify the USB keyboard drivers to simply ask the user "Use this USB keyboard? N/y". Anybody with half a brain will realise that the power cable or memory stick is NOT a keyboard and hit enter or N and all will be well. One software change for each operating system. How often do you plug a new USB keyboard into a computer or device? Even Apple should not think this will strain the user's goodwill too much.
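
The trust prompt discussed in the article and the keyboard check proposed in the last comment both come down to inspecting what a device claims to be before binding a driver. The following is an added example, not code from the article, its commenters or any vendor's USB stack: it reads the interface class codes in a USB configuration descriptor and withholds any HID interface until the user approves it. The function names are hypothetical and the descriptor bytes are constructed samples.

```python
import struct

HID, MASS_STORAGE = 0x03, 0x08        # USB-IF base class codes
DT_CONFIG, DT_INTERFACE = 0x02, 0x04  # standard descriptor types

def parse_interfaces(config: bytes):
    """Return [(class, subclass, protocol)] for each interface descriptor."""
    if len(config) < 9 or config[1] != DT_CONFIG:
        raise ValueError("not a configuration descriptor")
    total = struct.unpack_from("<H", config, 2)[0]   # wTotalLength
    if total > len(config):
        raise ValueError("wTotalLength exceeds data received")
    out, pos = [], 0
    while pos < total:
        length = config[pos]
        if length < 2 or pos + length > total:
            raise ValueError("bad bLength at offset %d" % pos)
        if config[pos + 1] == DT_INTERFACE:
            if length < 9:
                raise ValueError("short interface descriptor")
            out.append(tuple(config[pos + 5:pos + 8]))
        pos += length
    return out

def decide(config: bytes, approved: bool = False) -> str:
    """Return 'allow', 'prompt' or 'block' for a newly attached device."""
    try:
        interfaces = parse_interfaces(config)
    except ValueError:
        return "block"        # malformed descriptors are never trusted
    # Any HID interface can inject input. Non-boot keyboards report
    # subclass/protocol 0, so the class code alone triggers the prompt.
    if any(cls == HID for cls, _, _ in interfaces) and not approved:
        return "prompt"
    return "allow"

def make_config(*ifaces):
    """Build a constructed descriptor (endpoints omitted for brevity)."""
    body = b"".join(bytes([9, DT_INTERFACE, n, 0, 0, c, s, p, 0])
                    for n, (c, s, p) in enumerate(ifaces))
    head = bytes([9, DT_CONFIG]) + struct.pack("<H", 9 + len(body))
    return head + bytes([len(ifaces), 1, 0, 0x80, 50]) + body

# Constructed samples: a plain flash drive, and a "flash drive" that
# also announces a boot-protocol keyboard interface.
FLASH_DRIVE = make_config((MASS_STORAGE, 0x06, 0x50))
STORAGE_PLUS_KEYBOARD = make_config((MASS_STORAGE, 0x06, 0x50), (HID, 0x01, 0x01))
```

The check keys on the HID class code rather than on the keyboard protocol value because only boot-protocol keyboards are required to set it; a stricter policy would also parse the HID report descriptor.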