Are you safe charging your devices with USB-C?
All our laptops are now charged through a port that delivers both power and data, a fearly recent change inherited from the mobile world that paves the way for a number of unsophisticated attacks that are impossible to detect and prevent without implementing advanced protection measures.
In the following, we illustrate how HID attacks exploit this vulnerability and the apparent lack of countermeasures.
HID Attacks
A Human Interface Device (HID) attack is the combination of customised attack hardware with restriction bypass via keyboard or mouse emulation. When a purpose-built attack device is connected to a data-enabled port like USB-C, it is detected as a keyboard. Using the microprocessor and onboard flash memory storage, it is possible to then send keystrokes to the target machine to compromise it.
Customised hardware for this kind of attack can be purchased online for as little as $8 and is very easy to use and configure.
Tutorials are readily available online:
Beyond keyboard emulation, HID attacks can be further enhanced by introducing other capabilities such as Wi-Fi, 4G or ethernet networks, and storage.
Realistic scenarios
1 A malicious Apple USB-C Power Adapter is placed in a conference room or shared workspace. Unsuspecting MacBook owners use the adapter to conveniently charge their devices in meetings or when using the workspace. A HID attack with 4G capability extracts all of the users’ data including documents, cookies, browser-stored passwords and browser histories, and exfiltrates it regardless of the devices’ network status and security (firewall, DNS filtering, etc.).
2 The USB-C sockets of a public charging station in the airport of a state-controlled country have been tampered with, implanting a malicious payload on any device that is connected. The online activity of users of compromised devices is monitored.
3 A malicious HDMI to USB-C adaptor with HID and 4G capability is placed in a reputable conference centre that hosts presentations and meetings for companies and high profile individuals. When the adaptor is used to link up a device to a screen, the malware embedded in it will be able to bypass any internal security set up by the companies and individuals.
Further reading
Are we protected from these threats?
Currently, the average user does not possess the tools to detect what type of hardware they are plugging into their device. They will not notice whether the cable they are using to power their iPhone from their MacBook is standard or includes a fully-fledged mini-computer with network capability for example.
Mobile devices like iPhones and iPads were less vulnerable to this kind of attack in the past, thanks to:
- Authorisation requests when a device is connected to a computer
- The absence of a terminal and the Spotlight Search (both used by HID attacks)
- The absence of mouse support (well… hidden at least)
However, this is changing fast, particularly for iPads.
Released in September 2019, iPadOS is a fully-fledged desktop operating system. As well as keyboard and mouse support, it has Spotlight Search, that can be reached using only keyboard shortcuts, and includes dedicated shortcuts for every app.
Attacks leveraging these new capabilities are easy to picture. For example, a keyboard-friendly app with sharing capabilities that has access to photos and contacts would be a prime target.
Conclusion
The attacks described in the above are clearly not the type of attack employed for indiscriminate and mass remote attacks. Being low-tech and easy to deploy however, they can present a considerable threat when used against individual targets.
To address this, Apple can either provide macOS and iPadOS users with the tools to efficiently protect their devices from attacks exploiting the USB-C vulnerability, or give third-party developers access to the APIs that will allow them to create Security applications — perhaps within the new EndpointSecurity framework on macOS Catalina?
Authors:
Federico Cappelli / macOS and iOS Staff Engineer @Mimecast
Celine MacDougall / Client Director @Digitalis