New MacBook: What you C is what you get, new USB cable runs privacy risk

It’s a running joke: USB cables never fit properly on the first try. You’re sure you looked at the cord and the port before you tried; they matched, you’re certain. But somehow they simply don’t line up. A few flips, a few curses and you finally get the cable installed. Now, new MacBooks and Chromebook Pixels will come with a built-in solution: USB-C. The smaller, sleeker cable and port don’t have a “right side up”, come with improved data transfer speeds and can even be used in lieu of a standard power cable to charge up your computer. Oh, and they open you up to malware attacks.

What’s the Difference?

CNET has a good write-up on the variations across USB types. Type A connections, for example, are typically used in host devices such as desktops and laptops and require a specific orientation for proper fit. At the other end, many of these USB cables have Type B connections, which can vary in size and shape. They connect to printers, external hard drives and just about any other peripheral you own. The first USB version, 1.1, was made commercially available in 1998 and featured a top transfer speed of 12 Mbps and power output of 2.5 volts. By 2008, version 3.0 was available with a 5 Gbps transfer speed and 5-volt power output.

Set for wide release later this year, USB-C and version 3.1 are changing the game. First of all, the connectors at both ends of the cable are identical and the data transfer rate is being boosted to 10 Gbps. What’s more, USB 3.1 yields a 20-volt output, analogous to 100 watts of power. Since most mobile devices and laptops only need 60 watts, this means you’ll be able to route both information and electricity through the same port. Nifty, right? The NSA certainly thinks so.

Unprotected Power

According to The Verge, these new USB-C cables run the risk of exposing users to malware threats, including the BadUSB vulnerability. BadUSB was written by researchers to demonstrate the inherent security risks in even “airgapped” technology thanks to the use of USB sticks and similarly “shared” technology. BadUSB lives in a device’s firmware and, once the device is connected, the malware payload installs and slowly takes over. Even more worrisome, no solution has yet been found to this problem: because BadUSB is not software, it’s virtually undetectable and cannot be removed.

And this issue isn’t solved with USB-C. While the firmware needed to carry BadUSB or similar malware won’t come standard with these new cables, it’s not difficult to install. A malicious actor could load up their new cable, head to a coffee shop and then simply wait for someone to borrow the infected power cord — a commonplace act of technological “kindness,” and one that’s set to become much more prevalent once the new standard hits store shelves. The short-term solution is to trust no power but your own, and never leave your cord or device unattended. But even that may not be enough; with USB-C poised to be the “catch-all” port for mobile devices and laptops alike, spy agencies are eager to find a new avenue of access.

Already Trying

The NSA hasn’t been sitting idle while USB-C was in development. As noted by Ars Technica, in a document leaked last year called the ANT catalog, the spy agency detailed some of its most promising technology. One such device was a man-in-the-middle USB implant called “Cottonmouth-I”, which could turn a computer’s USB connections into wiretaps or allow it to be remotely controlled. The implant was originally pegged at $20,000 to build; security researchers have now devised a way to build one for less than $20.

And according to Gizmodo, it’s not so far-fetched that the NSA would try to sneak in through backdoor cable faults or encryption vulnerabilities, since in 2014 it was discovered that the spy agency spent $10 million trying to convince security firm RSA to leave a backdoor unpatched for just this kind of covert effort. With USB-C poised to be a big seller across a host of devices, there’s a massive intelligence market up for grabs.


The new USB-C cable offers marked benefits over its A and B predecessors, but doesn’t come without risk. Stay safe: Never accept power from strangers, no matter how innocent they may seem — in today’s security-obsessed world, it’s hard to tell hackers and the NSA apart.

Featured Image: Marina Shemesh / Public Domain

ExpressVPN is dedicated to your online security and privacy. Posts from this account will focus on company news or significant privacy and security stories.