Are you safe charging your MacBook with a USB-C cable?
All our laptops are now charged through a port that delivers both power and data, a fairly recent change inherited from the mobile world that paves the way for a number of unsophisticated attacks that are impossible to detect and prevent without implementing advanced protection measures.
In the following, we illustrate how HID attacks exploit this vulnerability and the apparent lack of countermeasures.
A Human Interface Device (HID) attack is the combination of customised attack hardware with restriction bypass via keyboard or mouse emulation. When a purpose-built attack device is connected to a data-enabled port like USB-C, it is detected as a keyboard. Using the microprocessor and onboard flash memory storage, it is possible to then send keystrokes to the target machine to compromise it.
Customised hardware for this kind of attack can be purchased online for as little as $8 and is very easy to use and configure.
Tutorials are readily available online:
How to Steal macOS Files with the USB Rubber Ducky
If you need a tiny, flexible attack platform for raining down human-interface-device (HID) attacks on unattended…
Malicious use of widely available programmable hardware (Teensy) against a Windows 7 machine. …
Beyond keyboard emulation, HID attacks can be further enhanced by introducing other capabilities such as Wi-Fi, 4G or Ethernet networks, and storage.
1. A malicious Apple USB-C Power Adapter is placed in a conference room or shared workspace. Unsuspecting MacBook owners use the Adapter to conveniently charge their devices in meetings or when using the workspace. A HID attack with 4G capability extracts all of the users’ data including documents, cookies, browser-stored passwords and browser histories, and exfiltrates it regardless of the devices’ network status and security (firewall, DNS filtering, etc.).
2. The USB-C sockets of a public charging station in the airport of a state-controlled country have been tampered with, implanting a malicious payload on any device that is connected. The online activity of users of compromised devices is monitored.
3. A malicious HDMI to USB-C adaptor with HID and 4G capability is placed in a reputable conference centre that hosts presentations and meetings for companies and high-profile individuals. When the adaptor is used to link up a device to a screen, the malware embedded in it will be able to bypass any internal security set up by the companies and individuals.
This hacker's iPhone charging cable can hijack your computer
Most people don't think twice about picking up a phone charging cable and plugging it in. But one hacker's project…
These Legit-Looking iPhone Lightning Cables Will Hijack Your Computer
I plugged the Apple lightning cable into my iPod and connected it to my Mac, just as I normally would. My iPod started…
Usbdriveby: horrifying proof-of-concept USB attack
https://www.youtube.com/watch?v=aSLEq7-hlmo Samy Kamkar has a proof-of-concept attack through which he plugs a small…
What are malicious usb keys and how to create a realistic one?
Dropping a malicious USB key in a parking lot is an effective attack vector, as demonstrated by our recent large-scale…
Are we protected from these threats?
Currently, the average user does not possess the tools to detect what type of hardware they are plugging into their device. They will not notice, for example, whether the cable they are using to power their iPhone from their MacBook is standard or includes a fully-fledged mini-computer with network capability.
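The check that is missing can be written as a small policy over USB interface descriptors. The following is an added example, not code from the original article: it prompts for any unapproved device that enumerates as a keyboard and blocks one that also exposes network or storage interfaces. The data model, verdict names and sample inventory are assumptions constructed for illustration; reading the descriptors from the operating system is out of scope.

```python
from dataclasses import dataclass

# USB-IF base class codes (bInterfaceClass)
HID, MASS_STORAGE = 0x03, 0x08
NETWORK_CLASSES = {0x02, 0x0A, 0xE0}   # CDC control, CDC data, wireless controller
KEYBOARD_USAGE = (0x01, 0x06)          # HID usage page Generic Desktop, usage Keyboard

@dataclass(frozen=True)
class Interface:
    cls: int
    protocol: int = 0      # bInterfaceProtocol; 1 = keyboard on a boot-subclass HID interface
    usage: tuple = None    # top-level (usage page, usage) from the HID report descriptor

@dataclass(frozen=True)
class UsbDevice:
    vid: int
    pid: int
    product: str
    interfaces: tuple

def is_keyboard(i):
    return i.cls == HID and (i.protocol == 1 or i.usage == KEYBOARD_USAGE)

def assess(dev, trusted):
    """Return (verdict, reasons); trusted is a set of (vid, pid) keyboards the user approved."""
    if not any(is_keyboard(i) for i in dev.interfaces):
        return "allow", []
    if (dev.vid, dev.pid) in trusted:
        return "allow", ["approved keyboard"]
    classes = {i.cls for i in dev.interfaces}
    reasons = ["unapproved device enumerates as a keyboard"]
    if classes & NETWORK_CLASSES:
        reasons.append("same device exposes a network interface")
    if MASS_STORAGE in classes:
        reasons.append("same device exposes storage")
    return ("block" if len(reasons) > 1 else "prompt"), reasons

# Constructed inventory: IDs and product strings are made up for illustration.
TRUSTED = {(0x1111, 0x0001)}
SAMPLE = [
    UsbDevice(0x1111, 0x0001, "Desk keyboard", (Interface(HID, 1, KEYBOARD_USAGE),)),
    UsbDevice(0x2222, 0x0002, "USB-C charger", ()),
    UsbDevice(0x3333, 0x0003, "Charging cable", (Interface(HID, usage=KEYBOARD_USAGE),)),
    UsbDevice(0x4444, 0x0004, "HDMI adapter",
              (Interface(HID, 1), Interface(0x02), Interface(0x0A), Interface(MASS_STORAGE))),
]

def audit(devices, trusted):
    return {d.product: assess(d, trusted)[0] for d in devices}
```

Vendor and product IDs are reported by the device itself, so the allowlist narrows what is accepted without authenticating the hardware; the composite-interface check does not depend on them.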
Mobile devices like iPhones and iPads were less vulnerable to this kind of attack in the past, thanks to:
- Authorisation requests when a device is connected to a computer
- The absence of a terminal and the Spotlight Search (both used by HID attacks)
- The absence of mouse support (well… hidden at least)
However, this is changing fast, particularly for iPads.
Released in September 2019, iPadOS is a fully-fledged desktop operating system. As well as keyboard and mouse support, it has Spotlight Search, which can be reached using only keyboard shortcuts, and includes dedicated shortcuts for every app.
Attacks leveraging these new capabilities are easy to picture. For example, a keyboard-friendly app with sharing capabilities that has access to photos and contacts would be a prime target.
The attacks described above are clearly not the type employed for indiscriminate, mass remote attacks. Being low-tech and easy to deploy, however, they can present a considerable threat when used against individual targets.
To address this, Apple can either provide macOS and iPadOS users with the tools to efficiently protect their devices from attacks exploiting the USB-C vulnerability, or give third-party developers access to the APIs that will allow them to create Security applications — perhaps within the new EndpointSecurity framework on macOS Catalina?
Federico Cappelli / macOS and iOS Staff Engineer @Mimecast
Celine MacDougall / Client Director @Digitalis