You could make the argument that now that it has one port, it's easier to secure because you only have to secure one side of the computer instead of two.
I've never seen a coffee shop that supplied power adapters, it's always just a bunch of power outlets. I think you're safe for now.
The added vulnerability is based on the ease with which people will plug in a stranger's power cable compared to plugging in a stranger's USB stick.
If you're someone who has a lot of really sensitive data on your laptop, sure. But, then, most of those people are probably not all that interested in the MacBook, and at any rate they should already be pretty cautious about physical access to the sensitive machine.
This is also talking about how combining them also allows for the potential of charger-based attacks; a charger is something that absolutely has to be plugged in at some point.
The only USB issue which REALLY isn't solvable is the fact that USB devices can simulate a USB hub and then attach fictional human interface devices (i.e. keyboards and mice) which they can then use to take over the computer and/or otherwise cause problems.
Agree that the article is largely a fuss over nothing, though.
Would be nice to see a hardware switch to deactivate the pins that aren't needed for power.
I'd suggest that if people want safe USB that they just buy a USB "condom" (i.e. an adapter that goes between the power and port, and disconnects the data wires).
Although does USB-C use any of the data pins to determine if it is safe to transmit power? I just ask because Apple's USB implementation sends a different amount of power based on how the device responds across several non-power related pins.
Power Delivery 2.0 signals via Vbus (the 5V line) and additionally via CC when using the Type C connector. PD2 is specified for Type A, Type B and Type C connectors.
Edit: This will presumably disable any usage of the non-power lines.
This certainly requires some host cooperation, but I imagine that the fear is that these drivers start to be distributed in the OS by default.
One of the BadUSB vectors is a USB keyboard, which is a fairly well expected driver to be included with the OS.
It is fairly common for me to connect a USB keyboard, but it is pretty rare for me to connect an unknown keyboard.
We went through this with "autorun" on CDs and DVDs. For years, Windows would run anything that looked executable if you put it in the obvious place. That didn't end well. Those defaults were finally changed.
What's needed is to turn off automatic hot plugging for USB devices. The era when you can plug in a USB device and have it go live without user interaction is over. We're going to need clear OS dialogs - "The USB device you just plugged in claims to be a keyboard - did you just plug in a keyboard?" You shouldn't be able to boot from a USB device without doing something to enter a maintenance mode.
There's nothing special about USB Type C here. It's just that the asymmetry of USB is being dealt with.
Asymmetrical USB has created an amusing hierarchy. Desktop computers were masters. Phones were slaves. Then came tablets. Are they masters or slaves?
The problem with that is that you inevitably run into this dialog with nothing else attached to the machine. How are you going to confirm the dialog?
Better to focus on isolating the keyboard driver from the rest of the OS, so the only thing it should be able to do is read in input from the keyboard and report it back to the OS.
Of course there is the chicken-and-egg issue of allowing the first keyboard you plug into a machine which does not have any built-in input device.
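The confirmation prompt discussed in this subthread ("claims to be a keyboard") depends on the host reading what a device declares before a driver binds to it. The following is an added example, not part of the thread: it walks a USB configuration descriptor and returns the interfaces whose class the user did not expect. The descriptor bytes are constructed sample data and the function names are hypothetical.

```python
# Added example: constructed sample data, hypothetical function names.
DT_INTERFACE = 0x04  # bDescriptorType for an interface descriptor
CLASS_NAMES = {0x03: "HID", 0x08: "mass storage", 0x09: "hub"}

# Constructed descriptor: a "flash drive" that also declares a boot keyboard.
SAMPLE = bytes([
    9, 2, 57, 0, 2, 1, 0, 0x80, 50,          # configuration, wTotalLength=57
    9, 4, 0, 0, 2, 0x08, 0x06, 0x50, 0,      # interface 0: mass storage
    7, 5, 0x81, 2, 0, 2, 0,                  # bulk IN endpoint
    7, 5, 0x02, 2, 0, 2, 0,                  # bulk OUT endpoint
    9, 4, 1, 0, 1, 0x03, 0x01, 0x01, 0,      # interface 1: HID boot keyboard
    9, 0x21, 0x11, 0x01, 0, 1, 0x22, 63, 0,  # HID class descriptor
    7, 5, 0x83, 3, 8, 0, 10,                 # interrupt IN endpoint
])

def interfaces(config: bytes):
    """Yield (number, class, subclass, protocol) per interface descriptor."""
    pos = 0
    while pos + 2 <= len(config):
        length, dtype = config[pos], config[pos + 1]
        # A device controls these bytes, so never trust bLength blindly.
        if length < 2 or pos + length > len(config):
            raise ValueError(f"malformed descriptor at offset {pos}")
        if dtype == DT_INTERFACE:
            if length < 9:
                raise ValueError(f"short interface descriptor at offset {pos}")
            yield (config[pos + 2], config[pos + 5],
                   config[pos + 6], config[pos + 7])
        pos += length
    if pos != len(config):
        raise ValueError("trailing bytes after last descriptor")

def describe(cls: int, sub: int, proto: int) -> str:
    if (cls, sub, proto) == (0x03, 0x01, 0x01):
        return "HID boot keyboard"
    return CLASS_NAMES.get(cls, f"class 0x{cls:02x}")

def needs_confirmation(config: bytes, expected_classes: set):
    """Return (interface number, description) for each unexpected interface."""
    return [(num, describe(cls, sub, proto))
            for num, cls, sub, proto in interfaces(config)
            if cls not in expected_classes]

if __name__ == "__main__":
    # The user believes they plugged in storage only (class 0x08).
    for num, what in needs_confirmation(SAMPLE, {0x08}):
        print(f"interface {num} claims to be: {what} - confirm before enabling")
```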
We need a way to give us assurance that the port is in just power mode.
I've seen several articles on HN in the past year that detail serious compromises that are possible via just plugging in a Thunderbolt cable.
^^ Oh yeah, that would do it. Damn Apple for disabling the tape-over fix!