USB-C and BadUSB attacks: What you need to know

BadUSB is an attack that uses the way computers interface with the universal serial bus (USB) standard to try and load malware onto the machine. It's a longstanding issue with USB in general, and nothing specific to Apple or the MacBook's implementation of USB-C. Throwing Apple and a hot new product under the headline bus is a great way to get attention, but what's really going on?

BadUSB is a concern for anyone that has USB port on any computer from any vendor. It's theoretically possible for an attacker to set up malware on any USB device. That's why you shouldn't just grab cables or thumb drives or other peripherals from people or places you don't know, especially if you have any reason to believe you might be a target.

The reason BadUSB is getting renewed attention for USB-C is that, on new products like the MacBook and the Chromebook Pixel, USB is also the charging port. So, BadUSB has a larger attack surface. (You'll always be plugging into USB, not into something else like AC power or DisplayPort.)

Convenience exists in opposition to security. We know this. USB-C comes with all the advantages of being a standard, and all the disadvantages as well. Neither Apple nor Google nor anyone else can build in their own protections at the hardware level without violating the standard or potentially breaking compatibility.

Vendors, including Apple and Google, might need to adopt something like the iOS "Trust this Computer" prompt for OS X and Chrome OS. The trust prompt, which grew out of similar attacks, called Juice Jacking, means an external USB device can't exchange data with the computer unless and until the person at that computer gives express permission for it to do so.

In the meantime, if you're at all concerned about BadUSB, buy your own cables, adapters, and devices, keep them safe, and don't use any cables, adapters, or devices you don't absolutely trust. Don't be scared or made to feel paranoid by overly sensational headlines. Be informed and avoid situations that could, even potentially, put you at risk.

Nick Arnott contributed to this article.

Rene Ritchie
Contributor

Rene Ritchie is one of the most respected Apple analysts in the business, reaching a combined audience of over 40 million readers a month. His YouTube channel, Vector, has over 90 thousand subscribers and 14 million views and his podcasts, including Debug, have been downloaded over 20 million times. He also regularly co-hosts MacBreak Weekly for the TWiT network and co-hosted CES Live! and Talk Mobile. Based in Montreal, Rene is a former director of product marketing, web developer, and graphic designer. He's authored several books and appeared on numerous television and radio segments to discuss Apple and the technology industry. When not working, he likes to cook, grapple, and spend time with his friends and family.