The latest Mac book was announced last week and will be launching with a single USB Type-C port. In an increasingly digital landscape this isn’t that much of a shock but is it a security risk?
Yes, according to an article from The Verge. Karsten Nohl, one of the researches who discovered BadUSB, explains that “the additional openness and flexibility of USB Type-C comes with more attack surface,” and does little to fix the problem.
BadUSB was first discovered last year and could be used to turn your average USB thumb drive into a malware toting nasty.
It’s yet another example of innovating old tech but taking all, or at least some, of the flaws with it: in this case a pretty serious one, as pointed out in the article malware makers can just focus in on one format.
Ease of use vs. Security
“Ease of use will always win against security, that's the nature of the human being,” explains Mark James, ESET security specialist.
“We understand the concept of risk but unless it’s immediate then the easier route will edge towards making life easy: USB Type C is certainly easy.
“It is the natural progression of USB ports and will lead to a truly universal port structure, of course there's always a risk but often that risk is only a niggling factor and not the number one concern.”
At least only a niggling factor for the public. How often have you borrowed someone else’s charger? The Verge highlights a possible “borrowed charger” attack vector, as the Type-C can be used for power as well as data transfer.
Security as an afterthought
Mark explains that it’s all about ease of use when it comes to consumers; security is often a distant afterthought, if it’s thought about at all.
“We all want easy, its why we use computers.
“Pen and paper is a lot safer and I can’t remember the last time a worm was spread with a biro, but it’s not fast, it’s not easy and it certainly can’t do anything like a computer can do.
“We use computers every day for our office work, our business runs on them and our financial structure depends on them even though they can be one of the most insecure items we interact with on a daily basis.
“Security is often something someone else does, when it impacts our daily process we see it as a chore not a necessity, a strong password is an aggravation, consumers think 2FA is a pain.
“It’s not something we want it’s something we need and usually something someone else enforces.”
Here to stay
That type of thinking is here to stay. It’s not really helped by the manufacturers who put new and exciting USPs at the forefront, with security only hitting the headlines when it’s going wrong.
“As far as the public is concerned security will always be something they have to have because the IT guy has said it has to happen.
“They are often seen as the bad guys but in reality they are the good guys, security will never be the public's number one priority because luckily there is always someone else to worry about it.
“The public just want to use the newest technology and see its advantages not be concerned about the security risks, that's our job.”
To a certain degree this is a double edged sword: security concerns are pushed to the background but user education and good security practices are very important.
Join the ESET UK LinkedIn Group and stay up to date with the blog.
How much do you consider security when buying a new piece of tech?