Security risk with new MBP

Discussion in 'MacBook Pro' started by beerglass007, Nov 17, 2016.

  1. beerglass007 macrumors 6502

    Joined:
    May 13, 2008
    #1
    So now we have a mixed USB-C port which supports data and power.

    You now charge the laptop with the same socket as transferring data, so the laptop is plugged into a mains socket or USB charger which can accept data.

    Take something like this



    This can be plugged into a power line which is then basically plugged into your laptop.....

    Think about it

    Scary
     
  2. jerryk macrumors 68040

    Joined:
    Nov 3, 2011
    Location:
    SF Bay Area
    #2
    People plug their phones in everyday at airports and do not know that the connection contains data as well as power. That is why I carry my own power adapter.
     
  3. beerglass007 thread starter macrumors 6502

    Joined:
    May 13, 2008
    #3
    That's different, that has a more restricted cut-down OS, this is OSX
     
  4. jackoatmon macrumors 6502a

    Joined:
    Sep 15, 2011
    #4
    you're on the internet right now and there's data going across an internet connection

    think about it
     
  5. New_Mac_Smell macrumors 68000

    Joined:
    Oct 17, 2016
    Location:
    Shanghai
    #5
    Indeed!

    Also, wouldn't plugging your computer into the wall and having it come up with something like "USB Hub would like to access your computer, allow?" be a bit of a giveaway that something was fishy?
     
  6. beerglass007 thread starter macrumors 6502

    Joined:
    May 13, 2008
    #6
    An ethernet interface uses the IP stack and normally it is protected with such technologies as firewalls/IPS

    A USB-C connection doesn't use IP

    This has changed the landscape of risks

    Whereas the standard MagSafe socket was power only, we now have a new risk
    --- Post Merged, Nov 17, 2016 ---
    No, devices which hack the USB ports don't mount like USB hubs.

    Hacking the USB port isn't new, it's been around for years but you need to physically plug the device in

    Now that USB-C ports use both data and power, the data plane coming off that USB-C connector is physically connected to a power cable and ring main. So a remote USB hack could be executed

    Give it time and watch this space, it wasn't possible until now
     
  7. dyn macrumors 68030

    Joined:
    Aug 8, 2009
    Location:
    .nl
    #7
    Plugging any data connection into something you don't know is a potential security risk. Which has been the case for decades so nothing new here. When charging the MBP just use the power adapter that came with it because that's power only (doesn't do data) so no security risk there.

    USB-C doesn't use anything because it is just a connector and a cable. The other components such as the Thunderbolt chip turn it into something useful. Part of the Thunderbolt 3 protocol is ethernet as well as PCIe, DisplayPort and USB 3.1 Gen 2.

    The biggest security risk is still the part that handles the computer. If they connect to open wireless networks and log into something that doesn't use HTTPS it is very easy to collect their credentials. This also applies to all those free wifi networks from stores, restaurants, etc.
     
  8. New_Mac_Smell macrumors 68000

    Joined:
    Oct 17, 2016
    Location:
    Shanghai
    #8
    Wait what? The power/data lines are separate, not physically connected. You can't plug a USB cable into the power and use the ring circuit to access the data from a separate socket on the same ring, if that's what you meant?

    In any case, if people are that concerned/paranoid, you can just use a USB cable that is missing the data lines. As many el-cheapo USB charging cables that come with Android phones do.
     
  9. dyn macrumors 68030

    Joined:
    Aug 8, 2009
    Location:
    .nl
    #9
    He means that you connect the computer with a USB-C cable to some USB-C charging port. There are some places that have these USB charging stations where you can charge your smartphone (or anything else that uses the USB-A connector). For those use cases there are special cables that only have the pins for powering the device so there won't be any data. This is also feasible with USB-C. And ultimately, if you use the power adapter you simply use power only, the adapter doesn't transmit any data.
     
  10. beerglass007 thread starter macrumors 6502

    Joined:
    May 13, 2008
    #10
    I'm not talking about open wifi and non-encrypted data transfers.

    Using the Apple supplied power supply isn't going to help either. The point I'm making is the USB-C connector now supports data and power, the socket used for charging your laptop is physically bridged/connected to the data plane on the logic board.

    Yes it might not be enabled during charging but the older MBP had a physically different power connector which wasn't connected to any data plane

    The possibility of a security exploit is now very very possible
     
  11. jackoatmon macrumors 6502a

    Joined:
    Sep 15, 2011
    #11
    i think you're really reaaaalllly overthinking this

    i'd say the security risk with these machines is: "woah that guy's got the new MBP, distract him and i'll grab it off the table"

    when people want to hack your data, they hack it. end of story. all security does is prevent bots from hacking you. but if a person actively wants to hack your data, and they know how to, the data's already theirs.
     
  12. beerglass007 thread starter macrumors 6502

    Joined:
    May 13, 2008
    #12
    Yeah that would work I guess. A limited USB-C cable which only had enough pins to charge and not support data
    --- Post Merged, Nov 17, 2016 ---

    I've worked in IT security for over 15 years and it might be a very rare event, but what I'm saying is it's now possible

    A USB socket which supports power and data isn't the best move

    The risk is now there, how likely that risk is could be a different matter, but it wasn't there in 2015
     
  13. xraydoc macrumors 604

    Joined:
    Oct 9, 2005
    Location:
    192.168.1.1
    #13
    I suspect the power brick would kill any data that could potentially be injected into the mains. Plus Apple's supplied cable doesn't support data.
    But, if you happen to just plug your laptop into any old USB port to charge with a data cable, then I suppose you're at risk. At least until Apple patches such exploits.

    I think the risk is currently very low, given how few computers (Mac and PC) charge via USB-C — especially when most people will willingly connect to any old unsecured wifi network without a VPN anyway.
     
  14. jerryk macrumors 68040

    Joined:
    Nov 3, 2011
    Location:
    SF Bay Area
    #14
    But it is more likely to have information that you care about. Such as your bank account ID, credit card info, contacts, travel plans, etc.
     
  15. beerglass007 thread starter macrumors 6502

    Joined:
    May 13, 2008
    #15
    Agree with the VPN comment but doubt an Apple power brick will have any data filtering or firewall, however clever Apple is

    Take the power adapters which transfer data over ring mains, these transmit between ring main circuits from upstairs and downstairs and the electricity breakers

    I'm sure a black box device connected to a monitor with USB hub or multiway socket adapter somewhere is enough
    --- Post Merged, Nov 17, 2016 ---
    Maybe yes, but a full OS provides the hacker with better tools. Depends what they want I guess

    It might be data they're after or just remote control of a machine with a full OS

    Who knows...but it's just become slightly less secure in my eyes

    I've still got one on order :cool: but wonder if anyone has thought this risk over
     
  16. New_Mac_Smell macrumors 68000

    Joined:
    Oct 17, 2016
    Location:
    Shanghai
    #16
    Okay okay, basically, for a start seeing as you need a hefty power supply to charge it, I don't think people will be plugging it into anything other than the supplied PSU. I think you're referring to the ethernet over power things, whereby a box uses the ring circuit to transmit data; note this happens at the box and you plug your usb into it, it does not go the other way around, you can't send data through a power line without it first being adapted. So you'd need a virus on your computer to begin with (AKA what's the point in going through the effort?). Next, the data/power lines are not physically bridged, they are entirely separate, as there is no need for them to be bridged.

    I kind of understand where you're coming from, but it is a non-issue, at the very least a simple condition on the charging circuit of either/or would correct any potential risks.

    Plus, given the monumental effort you'd need to go through to set this up, let's say installing physical hardware into places that offer these charging services without anyone noticing. You'd just be far better off hacking something over the WiFi which would be a lot easier, and a lot less risky. So really not an issue!
     
  17. Bryan Bowler macrumors 68040

    Joined:
    Sep 27, 2008
    #17
    I choose not to live in fear. Carry on!
     
  18. Queen6 macrumors 603

    Joined:
    Dec 11, 2008
    Location:
    Putting out the fire with gasoline...
    #18
    Well and truly discussed in the rMB forum; the risk technically exists, however likelihood of any issue is low, reduced even more so with common sense management of your gear.

    Q-6
     
  19. beerglass007 thread starter macrumors 6502

    Joined:
    May 13, 2008
    #19

    Not so, the new MBPs charge from very small power bricks. Unlike the iPad Pros, which don't charge unless using a larger watt USB charger, the new MBPs charge from much smaller chargers, just much slower.

    I have a MBP 13" on demo and used a 6 port USB charger on my work desk, this charges my iPhone, iPad and MBP 13" 2016

    Regarding the ethernet over power adaptors this was just an example of how protocols can transmit over power cables and through power adapters, nothing to do with USB

    I'm just calling out the fact that now mixing data and power ports have bridged the connections on the logic board somewhere internally and would give someone the ability
    --- Post Merged, Nov 17, 2016 ---
    Totally agree with you, crossing the road is a risk and we all do it

    The risk might be very low, BUT it's been created with the new MBP 2016
     
  20. Rigby macrumors 601

    Joined:
    Aug 5, 2008
    Location:
    San Jose, CA
    #20
    Powerline adapters contain modems that are specifically designed to transmit data over powerlines. I doubt very much that Apple's power brick contains something like that. ;)

    You do have a point though when it comes to charging your laptop from some USB port like they exist e.g. at airports. There are a number of exploits designed to extract data from unsuspecting devices via USB (e.g. by mimicking a USB Ethernet device which may cause a laptop to redirect all network traffic, or even attacks via low-level USB protocols). Thunderbolt is also known to be vulnerable to attacks that allow direct access to the computer's memory (e.g. see this presentation from a Blackhat conference). For USB type A connectors you can buy "USB condoms" that allow power but block data from passing through. I haven't seen one for USB-C yet though.
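
Added example, not part of Rigby's post or anyone else's in the thread: one defensive way to tell whether a "charging" port is presenting data functions, such as the USB Ethernet device mentioned above, is to inspect the interface classes in the configuration descriptor the attached device returns. The descriptor bytes are constructed sample data, the function names are hypothetical, and the assumption is that a power-only source should expose no interfaces at all.

```python
import struct

# USB-IF base class codes (bInterfaceClass) most relevant to a port meant only for charging.
CLASS_NAMES = {
    0x02: "Communications/CDC control (e.g. USB Ethernet)",
    0x03: "HID (keyboard/mouse)",
    0x08: "Mass storage",
    0x0A: "CDC data",
    0xE0: "Wireless controller (RNDIS commonly uses this)",
}
DT_CONFIG, DT_INTERFACE = 0x02, 0x04


def parse_interfaces(blob: bytes):
    """Walk a configuration descriptor set; return (number, class, subclass, protocol) per interface."""
    if len(blob) < 9 or blob[1] != DT_CONFIG:
        raise ValueError("not a configuration descriptor")
    total = struct.unpack_from("<H", blob, 2)[0]  # wTotalLength, little-endian
    if total > len(blob):
        raise ValueError("wTotalLength exceeds captured data")
    found, off = [], 0
    while off + 2 <= total:
        length, dtype = blob[off], blob[off + 1]
        if length < 2 or off + length > total:
            raise ValueError(f"malformed descriptor at offset {off}")
        if dtype == DT_INTERFACE and length >= 9:
            found.append((blob[off + 2], blob[off + 5], blob[off + 6], blob[off + 7]))
        off += length
    return found


def data_functions(blob: bytes):
    """Assumption: a power-only source exposes nothing, so every interface found is reported."""
    return [CLASS_NAMES.get(cls, f"class 0x{cls:02x}") for _, cls, _, _ in parse_interfaces(blob)]


# Constructed sample: config header, CDC control interface, one endpoint, CDC data interface.
SAMPLE = bytes([
    9, 2, 34, 0, 2, 1, 0, 0x80, 250,      # configuration, wTotalLength=34, 2 interfaces
    9, 4, 0, 0, 1, 0x02, 0x06, 0x00, 0,   # interface 0: CDC, Ethernet networking subclass
    7, 5, 0x81, 0x03, 16, 0, 32,          # interrupt IN endpoint
    9, 4, 1, 0, 0, 0x0A, 0x00, 0x00, 0,   # interface 1: CDC data
])

if __name__ == "__main__":
    for name in data_functions(SAMPLE):
        print("unexpected data function on charging port:", name)
```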
     
  21. beerglass007 thread starter macrumors 6502

    Joined:
    May 13, 2008
    #21
    Again I agree, I work in IT security and take a keen interest in these things

    However low risk, it's possible now
     
  22. xraydoc macrumors 604

    Joined:
    Oct 9, 2005
    Location:
    192.168.1.1
    #22
    Even simple powerstrips interfere with the power line data devices...
     
  23. beerglass007 thread starter macrumors 6502

    Joined:
    May 13, 2008
    #23

    Forget the power line adapters, it was an example trying to explain that protocols can transmit data between ring mains and go between power bricks.

    Inside a PSU is a primary and secondary winding, that's how a 240V or 110V PSU is stepped down, what I was trying to explain was how data protocols can be transmitted between them
     
  24. Rigby macrumors 601

    Joined:
    Aug 5, 2008
    Location:
    San Jose, CA
    #24
    Modern computer PSUs do not use traditional step-down transformers (they use switched-mode voltage conversion). But anyway, given that a simple power supply probably doesn't even contain USB transceivers, I don't see how you could possibly generate a valid signal on the USB bus.
     
  25. Queen6 macrumors 603

    Joined:
    Dec 11, 2008
    Location:
    Putting out the fire with gasoline...
    #25
    True, and I do agree, equally the solution is user management of the charging situation, equally the risk is far more prevalent with the ubiquitous thumb/flash drive that many of us encounter on a daily basis. To me the solution is clear same as any other USB interface, only use known devices, if you are not in a position to control this, then you need to be mindful of your data, potential loss and subsequent fallout.

    These days I look to avoid unknown USB devices, equally it's not entirely practical with minimisation being very much the key word.

    Q-6
     
