
MacOS Will Soon Block Unknown USB-C Accessories By Default (techcrunch.com)

An anonymous reader quotes a report from TechCrunch: A new security feature in Apple's upcoming macOS 13 Ventura will automatically block new USB-C devices from communicating with the operating system until the accessory can be approved by the user. Apple dropped details of the new security feature in its release notes, which appears to be aimed at protecting newer Apple laptops that run its bespoke M1 or M2 chips from potentially malicious accessories.

According to Apple's description, the feature will be enabled by default and will require the user to approve a USB-C accessory before it can talk to the operating system -- essentially an on-screen pop-up asking the user for permission. Apple says this doesn't apply to power adapters, standalone displays, and connections to an approved hub -- and devices can still charge even if you don't approve the accessory. Apple says that accessories that are already connected will automatically work when updating to the new macOS software.

  • Isn't this just another mac-specific incarnation of usbguard which we, Linux users, have had since 2015?

    • Or just disable the fricking ports in Windoze in the device manager and/or use security policies to control the ports. Every business with more than one employee should do this.

      Apple is late to the game.

      • The difference is that Apple is allowing you to use the ports with less risk. With Microsoft you don't have that option. You either disable the ports, or disable new USB device connections with an optional whitelist, but you can't have it prompt you.

        This is far superior to what Windows does. Apple can't be late to the party, they're the only ones at the party.

        • This is far superior to what Windows does. Apple can't be late to the party, they're the only ones at the party.

          As a first party they may be the only ones at the party (except for Linux), but my Windows PC has literally done that for years. MS offers group policy handles for access to USB, and several security packages already offer precisely this feature set, e.g. McAfee enterprise which offered me a nag screen every time I plugged in a USB device. Only after I answered yes would I even get the "new hardware" chime.

    • Not to mention having to google for udev rules and commands when you get a new usb device - to even get the thing working. Security through difficulty!

  • ...need to work on their reading comprehension skills.

    • by jythie ( 914043 )
      Who needs to read when you can signal to other members of your social group which subgroup you are part of?
  • by rgmoore ( 133276 ) <glandauer@charter.net> on Tuesday June 07, 2022 @08:52PM (#62601982) Homepage

    While people will claim all kinds of ulterior motives for this, it's really way past due. USB is a genuine attack vector. It's easy to have something that looks like a harmless USB device but that actually does all kinds of nefarious stuff.

    Part of the basic design of USB is that you can chain devices, so it shouldn't be unusual if several devices are plugged in at the same time. But this can be used for nefarious purposes by hiding multiple logical devices in a single physical device. Something that looks like a thumb drive can also contain a virtual mouse and keyboard that can automatically enter malicious commands. Something that looks like a mouse can also claim to be a music player and exploit known holes in the music playing software. And so on.

    This is not just a theoretical attack. There are proof-of-concept devices that take advantage of this behavior. Asking the user the first time an unrecognized device is plugged in is a simple way of preventing this kind of attack. If they really did just plug in a mouse, they can click on yes and everything is OK. If they thought they plugged in a thumb drive and are asked about a mouse and keyboard, they'll have a chance to stop it.

    • Well-said. I kind of wonder if any of the people with spastic anti-Apple reactions here remember the old days of Windows 95 Autoplay, and the whole bundle of worms that opened up.

      I/O needs to default to untrusted.

      • QuickTime 2.0 had an autostart feature, and it was exploited.

        I worked for a marketing company in the later nineties. Every Mac in the art department was infected and re-infected by the Autostart Worm off and on, until we could finally disable the autostart feature -- which wasn't until QuickTime 2.5:
        https://lowendmac.com/virus/wo... [lowendmac.com]

        Our IT guy at the time was getting really annoyed, as this stupid worm kept on popping up. But I don't recall it being much more than an annoyance and fairly easy to remo
    • by raymorris ( 2726007 ) on Tuesday June 07, 2022 @09:57PM (#62602164) Journal

      You're absolutely right. I'd like to expand on what you said here:

      > This is not just a theoretical attack. There are proof-of-concept devices that take advantage of this behavior.

      More than just proof-of-concept, such devices are "productized", readily available for purchase at reasonable prices.

      The proof-of-concept level is what I've done personally. At a security company where I used to work, my co-workers and I would mess with each other if you didn't follow security practices. Go to lunch without locking your machine? A co-worker will help you learn better. In the common area, there was a bag of USB flash drives with the company logo on them. So ...

      I brought home a flash drive with the logo on it and popped open the case. I installed a new board - essentially an Arduino Pro Micro. I wrote a little Arduino code so it works as both a flash drive and emulates a keyboard, entering whatever commands I wished. The flash drive part held a hidden file containing the keystrokes to enter, so it could be reprogrammed just by replacing the file.

    • If they really did just plug in a mouse, they can click on yes and everything is OK.

      If the new usb mouse is blocked, how is one to "click on yes"? :-)

      • One assumes you have an old USB mouse? I don't use Mac but I'd assume tabbing on a pop-up also works. That's also only necessary if, say, we aren't talking a laptop with a touch pad, and your old mouse is completely dead rather than you upgrading.
        • So if both your mouse and keyboard (or in a laptop keyboard with built in touch pad) die on you and you have never plugged in another keyboard to the device (or simply don't have it anymore), your laptop is bricked then?
      • Just use your bluetooth mouse to move the cursor over and click on yes. Jeesh do I need to do all the thinking around here! :-)

    • Ok, so the nefarious device shows up as what it appears at first, say USB drive, then changes to be a multi-function device at some later time. If the approval is per device, a multi-function device might just be accepted. Even if it is not, the user will get a notification to approve a keyboard at some later time and will not associate it with a USB plugging event. They will assume the actual keyboard they are using has reconnected for some reason.
    • While people will claim all kinds of ulterior motives for this, it's really way past due.

      The only people who do so are those who don't think and don't have phones. iOS and Android already do this. My employer provided Windows laptop already does this too (via 3rd party software).

      This is just a sensible security practice.

    • by AmiMoJo ( 196126 )

      It really depends how the permission request window is designed. It needs to show what the device is and all its functions, probably with explanatory text that warns the user of the risks. I have a feeling most users will just blindly click accept anyway.

      By the way, Windows has supported this for a very long time, I think going back as far as XP, maybe earlier. It's quite as nice, you have to manually approve new devices, but given the tendency of the user to blindly accept everything that might actually be

      • By the way, Windows has supported this for a very long time, I think going back as far as XP, maybe earlier. It's quite as nice, you have to manually approve new devices

        Requiring the user to know ahead which devices to block or not block is NOT the same feature.

        • by AmiMoJo ( 196126 )

          It blocks everything except stuff you whitelist. When you plug something in you can see its VID/PID/serial number so that you can add an exception if you want to. You can use it in exactly the same way, except less convenient.

    • by jabuzz ( 182671 )

      Pray exactly how do I click yes when I plug in a new unknown mouse? You are assuming that you have a previously available functioning mouse and keyboard.

      I would note that it could look like a real keyboard and be a real keyboard, that also does nefarious stuff behind your back. Does not need to be a thumb drive. I am sure I could open up an existing keyboard add a daughter board that did nefarious things and close it back up. Well maybe not with what Apple tries to pass off as a keyboard, but how anyone can

  • This is the strange part:

    "Approved devices can connect to a locked Mac for up to three days."

    Do they expect the device to change all of a sudden? I mean, a regular thumb drive will install a nefarious virtual keyboard? But then shouldn't the system catch it?

    Maybe this is about power saving? But then, the docking station will be always connected, and you come back one week later, and see your KVM not working? Again this does not make sense.

  • If your mouse stops working, just plug in another one and then click the button to allow it work.... wait... what?

    • by Junta ( 36770 )

      I was thinking this could bring back the good old 'No keyboard detected, press any key to continue'

  • by Tom ( 822 ) on Wednesday June 08, 2022 @01:01AM (#62602500) Homepage Journal

    I wonder how they're going to do that, technically? Does USB-C have different specs than older USB instead of just a different connector?

    I've looked into this and the USB protocol (pre-USB-C) just doesn't give you anything to identify a unique device with. You can identify device types, model, manufacturer, etc. - but even those are simply numbers supplied by the device itself. So the obvious thing to do for a malicious device is to present itself as something popular. Say, the standard Apple keyboard or Magic Mouse.

    I haven't looked for years, so is there something new in the USB standard that I'm not aware of?

    • by gweihir ( 88907 )

      They likely mean the device and vendor ID, as USB devices are not required to have a unique serial number or the like. Vendor and device ID can be faked though, and a USB attack device may well pretend to be a popular keyboard or mouse, for example.

      The pathetic thing here is that not even the release notes by Apple are clear. Apparently technical writers do not need to understand technology these days...

      • Re:how? (Score:5, Insightful)

        by Tom ( 822 ) on Wednesday June 08, 2022 @08:12AM (#62603180) Homepage Journal

        They likely mean the device and vendor ID, as USB devices are not required to have a unique serial number or the like. Vendor and device ID can be faked though, and a USB attack device may well pretend to be a popular keyboard or mouse, for example.

        That's the thing. The USB spec provides a "serial number" field, but pretty much nobody uses it. And the VID etc. are essentially a "please tell me who you are" thing and I can respond with whatever I feel like today.

        As a way to understand which driver the OS should load, this is sufficient. As a security layer against malicious devices, USB simply doesn't provide anything that you could actually use.

    • I've looked into this and the USB protocol (pre-USB-C) just doesn't give you anything to identify a unique device with.

      Of course you uniquely identify a device: Based on the port it is plugged into. This is one of the reasons USB>serial adapters will always get the same COM port number when plugged into the same USB socket, but plug it into a different socket or plug a different model adapter into the same socket and you get a new COM port.

      Mind you there's no need to memorise the unique device. You can just memorise the enumeration of a device on a port and present the nag screen to the user every time the device is conn

      • by Tom ( 822 )

        Of course you uniquely identify a device: Based on the port it is plugged into.

        Not true. You don't get a unique identifier and the identifier you get isn't guaranteed to be stable over time, or trustworthy.

        a device enumerating itself with multiple functions.

        That's probably what you want to do, though again my work on this was a couple years ago so I don't know what the AV tools do these days if you try that.

        • Not true. You don't get a unique identifier and the identifier you get isn't guaranteed to be stable over time, or trustworthy.

          You do at a given time. The fact it's not stable over time is not relevant for security (only for offering the user a bypass to security). A USB device in one port literally can't pretend to be plugged into another port, and identifying the same VID/PID/device type on the same port twice gives you a big fat "your hardware is not working" error.

          And if you think about how the USB subsystem works it has to be unique at any given time, otherwise how would the software stack know which device to communicate with

    • by AmiMoJo ( 196126 )

      If I were designing a system like this I'd require all devices that don't have a serial number to be confirmed every single time they are plugged in.

      For devices with a serial number it would be difficult for an attacker to guess that number. Given that it appears Apple will allow devices connected to a trusted hub without confirmation, the risk seems lower than an attacker simply plugging their malware into the user's dock.

      • by Tom ( 822 )

        There is a "serial number" field in the USB specs, but both according to lots of online sources I checked and the tests I've made with numerous devices, it is empty most of the time.

        • by AmiMoJo ( 196126 )

          Serial number is optional. If a device doesn't supply one then the host should treat it like a new device every time. If it does then the idea was that the host could keep track of different physical devices, but of course if the creator is a bad actor there is nothing stopping them from re-using serial numbers.

    • > Does USB-C have different specs than older USB instead of just a different connector?

      Just deductively, USB-C (3.x?) probably has some management commands that let you apply power, ask for a bus connection, not get a bus connection, and then later be given a bus connection.

      Older USB has been a mess - many devices need a power cycle to reattach to the bus.
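rgmoore's point above about one physical device hiding several logical ones, together with the later exchange between Tom and AmiMoJo on the optional serial-number field and on re-prompting devices that lack one, as an added Python sketch that is neither Apple's implementation nor code from anyone in this thread: it evaluates a device at enumeration, prompts every time when the serial field is empty, re-prompts when an approved device comes back with a different set of functions, and lists every function for the prompt. The class codes are the standard USB interface class codes; all VID/PID/serial values are constructed.

```python
from dataclasses import dataclass, field

# Standard USB interface class codes (USB-IF class code table).
HID = 0x03           # keyboards and mice: can inject keystrokes
MASS_STORAGE = 0x08  # thumb drives
AUDIO = 0x01         # "music player" style devices
CLASS_NAMES = {HID: "keyboard/mouse (HID)", MASS_STORAGE: "storage", AUDIO: "audio"}


@dataclass(frozen=True)
class UsbDevice:
    """What the host learns at enumeration; every field is self-reported by the device."""
    vid: int
    pid: int
    serial: str        # "" when the descriptor omits the optional serial field
    interfaces: tuple  # interface class codes the device exposes


def describe(dev: UsbDevice) -> str:
    """Text a permission prompt should show: claimed identity plus every function."""
    funcs = ", ".join(CLASS_NAMES.get(c, f"class 0x{c:02x}") for c in dev.interfaces)
    ident = f"VID {dev.vid:04x} PID {dev.pid:04x} serial {dev.serial or '<none>'}"
    return f"{ident}: {funcs}"


def hidden_input_function(dev: UsbDevice) -> bool:
    """True when a device that is not purely an input device also exposes HID."""
    classes = set(dev.interfaces)
    return HID in classes and classes != {HID}


@dataclass
class ApprovalPolicy:
    # (vid, pid, serial) -> frozenset of interface classes the user approved
    approved: dict = field(default_factory=dict)

    def evaluate(self, dev: UsbDevice) -> tuple:
        """Return ("allow" | "prompt", reason) for a freshly enumerated device."""
        if not dev.serial:
            return "prompt", "no serial number, so it cannot be recognised as the same device"
        known = self.approved.get((dev.vid, dev.pid, dev.serial))
        if known is None:
            return "prompt", "never approved before"
        if frozenset(dev.interfaces) != known:
            return "prompt", "functions changed since approval (possible hidden device)"
        return "allow", "previously approved with the same functions"

    def approve(self, dev: UsbDevice) -> None:
        """Remember the device only if it can be re-identified later."""
        if dev.serial:
            self.approved[(dev.vid, dev.pid, dev.serial)] = frozenset(dev.interfaces)
```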

  • They are dystopian, the opposite of freedom. I have to maintain 15 of them and they take more time than the other 100 Windows PCs I'm responsible for. I need to update something on the PC, I just push the MSI out. I need to update Macs, then I have to do them one at a time. I need to do something specific to one PC, I can use RDP or VNC. If I try that with the Macs the resolution is completely ridiculous. All for the weird perception that Macs do graphics better than a PC.
    • Strange, resolution is fine when I VNC into a Mac (e.g. from another Mac or an iPad). Personally I have no clue, but aren't there Apple device management solutions like Apple Business Manager that let you push apps to multiple machines at once (instead of using custom scripts to do this)?
      • P.S.: PCs have improved a lot, but from a color management standpoint, OSX still performs better out of the box than Windows. E.g. the Edge browser still had color management problems in 2020 - hardly anything you'd want to work professionally with.
    • All for the weird perception that macs do graphics better than a PC.

      Depends on your perception. Games better on Macs, no. Professional video and photography on Macs and PC can be the same; the difference is a prosumer Mac is specced for that role whereas PCs have a range of quality based on equipment and budget.

  • Again, this amounts to one of those ideas that a computer-savvy, security-minded individual thought was a great idea. "Hey, we need to alert users whenever a new USB device is inserted, because hidden devices might be lurking inside the one they THOUGHT they were plugging in!" Except the reality of this is, 99% of users who intentionally plug in a device are going to click ok, approve, yes, whatever makes the annoying dialog boxes go away so they can continue using it.

    They're not going to think, "Hey ... wai
